❔ JWT Storage location
Hi, I'd like to ask where JWTs should be stored. My backend returns a JWT through the API and also sets an HTTP-only cookie, but I'm not sure what to do with this from the front end, as ASP requires an Authorization header and HTTP-only cookies can't be accessed from the front end. Any ideas?
This is for the most part what I do
13 Replies
A JWT token should be stored in an HTTP-only cookie
And authorization should be done via that cookie
Not via headers or anything else
Doesn't this take in the header "Authorization" ?
no
that instructs MVC to require requests to the attached endpoint be authenticated by the authentication middleware
it makes 0 assumptions about how that authentication is performed, that's the job of the authentication middleware
there is no "correct" way to store a JWT
cookies are nice, because they actually eliminate the need to store the tokens, in a sense
So I should store it as an HTTP-only cookie and create an authentication middleware that fetches that cookie and validates it?
using cookie-based auth exclusively leaves you vulnerable to CSRF attacks, without separate mitigation
it also kinda limits you to browser-based clients
that is a valid implementation, yes
The existing middleware should just work, should it not?
Just use the .UseJwt() or whatever it's called
the auth middleware for using JWTs is much less straightforward than it should be
but yes, you would not "create an authentication middleware", you would assemble and configure the various components of the ASP.NET Authentication middleware to do what you want
Makes sense, also seems a lot more straightforward. Any idea what I'd have to configure so it uses the specific cookie as the value it should validate?
IIRC, the default JWT scheme uses the "Authentication: Bearer" delivery mechanism, so if you want to use a cookie, you'll have to inject some custom logic to extract the token, probably through a RequestReceived event handler
Stack Overflow
In ASP.NET Core read JWT token from Cookie instead of Headers
I am porting an ASP.NET Web API 4.6 OWIN application to ASP.NET Core 2.1. The application is working based on JWT token. But the token in passed via cookie instead of header. I'm not sure why heade...
seems about right
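A concrete version of the cookie-extraction approach suggested above, as an added example that is not code from anyone in this thread: the standard JwtBearer handler with an OnMessageReceived hook that takes the token from an HttpOnly cookie, plus the issuing side. The cookie name access_token, the Jwt:Issuer/Jwt:Audience/Jwt:Key configuration keys and the credential-free demo login endpoint are assumptions.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration; // assumed keys: Jwt:Issuer, Jwt:Audience, Jwt:Key
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(cfg["Jwt:Key"]!));
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {   // signature, issuer, audience and lifetime are all validated by default
            ValidIssuer = cfg["Jwt:Issuer"],
            ValidAudience = cfg["Jwt:Audience"],
            IssuerSigningKey = signingKey,
        };
        options.Events = new JwtBearerEvents
        {
            // Runs before the handler looks for "Authorization: Bearer ...";
            // setting context.Token makes it validate the cookie value instead.
            OnMessageReceived = context =>
            {
                if (context.Request.Cookies.TryGetValue("access_token", out var token)
                    && !string.IsNullOrEmpty(token))
                    context.Token = token;
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Issuing side (demo: no credential check). Script in the browser never reads the
// token, and SameSite=Strict narrows the CSRF exposure that cookie-only auth carries.
app.MapPost("/login", (HttpResponse response) =>
{
    response.Cookies.Append("access_token", CreateJwt("demo-user"), new CookieOptions
    { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict });
    return Results.Ok();
});
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(user.Identity?.Name)).RequireAuthorization();
app.Run();
// Hypothetical helper: builds and HMAC-signs a short-lived token for the given user.
string CreateJwt(string user) => new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
    cfg["Jwt:Issuer"], cfg["Jwt:Audience"], new[] { new Claim(ClaimTypes.Name, user) },
    expires: DateTime.UtcNow.AddMinutes(15),
    signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256)));
```

Because the browser attaches the cookie on its own, the CSRF point raised earlier in the thread still applies; SameSite=Strict reduces it, and an anti-forgery token on state-changing requests is the usual complete mitigation.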
Got it working through cookies, ty ! @jakenveina @angius
Nice
Was this issue resolved? If so, run
/close
- otherwise I will mark this as stale and this post will be archived until there is new activity.