C# · 11mo ago
S-IERRA

❔ JWT Storage location

Hi, I'd like to ask where JWTs should be stored. My backend returns a JWT through the API and also sets an http-only cookie, but I'm not sure what to do with this from the front end, as ASP requires an Authorization header and http-only cookies can't be accessed from the front end. Any ideas? This is for the most part what I do:
    // Issue the token and serialise it once for both delivery paths
    NumixAuthenticated jwtToken = _authenticatorService.GenerateToken(jwtUser);
    string jwtTokenJson = JsonSerializer.Serialize(jwtToken, JsonHelper.JsonSerializerOptions);

    // Cookie copy: HttpOnly, so script on the page cannot read it
    var options = new CookieOptions
    {
        HttpOnly = true,
    };

    Response.Cookies.Append("Numix", jwtTokenJson, options);

    // Body copy: the same token returned in the response for header-based use
    return Ok(jwtTokenJson);

13 Replies
Angius · 11mo ago
A JWT token should be stored in an HTTP-only cookie, and authorization should be done via that cookie, not via headers or anything else.
S-IERRA · 11mo ago
Doesn't this take in the header "Authorization"?
JakenVeina · 11mo ago
No, that instructs MVC to require that requests to the attached endpoint be authenticated by the authentication middleware. It makes 0 assumptions about how that authentication is performed; that's the job of the authentication middleware. There is no "correct" way to store a JWT. Cookies are nice, because they actually eliminate the need to store the tokens, in a sense.
S-IERRA · 11mo ago
So I should store it as an HTTP-only cookie and create an authentication middleware that fetches that cookie and validates it?
JakenVeina · 11mo ago
Using cookie-based auth exclusively leaves you vulnerable to CSRF attacks without separate mitigation. It also kinda limits you to browser-based clients. That is a valid implementation, yes.
Angius · 11mo ago
The existing middleware should just work, should it not? Just use .UseJwt() or whatever it's called.
JakenVeina · 11mo ago
The auth middleware for using JWTs is much less straightforward than it should be, but yes. You would not "create an authentication middleware"; you would assemble and configure the various components of the ASP.NET Authentication middleware to do what you want.
S-IERRA · 11mo ago
Makes sense, and it also seems a lot more straightforward. Any idea what I'd have to configure so it uses the specific cookie as the value it should validate?
JakenVeina · 11mo ago
IIRC, the default JWT scheme uses the "Authentication: Bearer" delivery mechanism, so if you want to use a cookie, you'll have to inject some custom logic to extract the token, probably through a RequestReceived event handler.
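An added example (not code from the thread or from any of the posters) of the configuration described in the posts above: the standard JwtBearer handler with an `OnMessageReceived` event handler (the actual event name in `JwtBearerEvents`) that takes the token from the HttpOnly cookie when no Authorization header is present, plus the cookie flags that address the CSRF point raised earlier. The cookie name `Numix` comes from the thread; the issuer, audience, the `Jwt:SigningKey` configuration key and the `IssueToken` helper are assumptions. Unlike the thread's snippet, which stores a serialized object in the cookie, this stores the compact JWT string itself, because that is what the bearer handler validates.

```csharp
// Program.cs for a .NET 8 minimal API. Added example, not the thread's code.
// Assumptions: cookie name "Numix" (from the thread); issuer, audience, the
// "Jwt:SigningKey" configuration value and the IssueToken helper are invented here.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

const string TokenCookieName = "Numix";
const string Issuer = "https://numix.example"; // placeholder
const string Audience = "numix-api";           // placeholder

var builder = WebApplication.CreateBuilder(args);

// HS256 needs a key of at least 256 bits; keep it in user secrets or config, never in source.
string rawKey = builder.Configuration["Jwt:SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(rawKey));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = signingKey,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };

        options.Events = new JwtBearerEvents
        {
            // Runs before the handler reads the Authorization header. Setting ctx.Token
            // makes the handler validate that value instead. It is only set when no
            // Authorization header was sent, so non-browser clients can keep using
            // "Authorization: Bearer <token>" and are not limited to cookies.
            OnMessageReceived = ctx =>
            {
                if (string.IsNullOrEmpty(ctx.Request.Headers.Authorization) &&
                    ctx.Request.Cookies.TryGetValue(TokenCookieName, out var cookieToken))
                {
                    ctx.Token = cookieToken;
                }
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Login: issue the JWT and deliver it only in an HttpOnly cookie. Script on the
// page never sees the token, which is why the front end has nothing to store.
app.MapPost("/login", (HttpContext http) =>
{
    string jwt = IssueToken(signingKey);
    http.Response.Cookies.Append(TokenCookieName, jwt, new CookieOptions
    {
        HttpOnly = true,                // not readable from script
        Secure = true,                  // only sent over HTTPS
        SameSite = SameSiteMode.Strict, // browser withholds it on cross-site requests (CSRF mitigation)
        Expires = DateTimeOffset.UtcNow.AddHours(1),
    });
    return Results.Ok();
});

// Equivalent of [Authorize]: the cookie-delivered token is validated by the bearer handler.
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new { name = user.Identity?.Name }))
   .RequireAuthorization();

app.Run();

// Stand-in for the thread's _authenticatorService.GenerateToken: signs a minimal
// HS256 token. Real code would carry the authenticated user's claims here.
string IssueToken(SecurityKey key)
{
    var descriptor = new SecurityTokenDescriptor
    {
        Issuer = Issuer,
        Audience = Audience,
        Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "demo-user") }),
        Expires = DateTime.UtcNow.AddHours(1),
        SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
    };
    var handler = new JwtSecurityTokenHandler();
    return handler.WriteToken(handler.CreateToken(descriptor));
}
```

The `SameSite=Strict` flag is what keeps a cookie-only scheme from being an open CSRF surface; if the API must accept state-changing requests from other origins, add ASP.NET Core's antiforgery tokens as the separate mitigation mentioned above rather than relaxing the cookie attributes.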
S-IERRA · 11mo ago
[Stack Overflow] In ASP.NET Core read JWT token from Cookie instead of Headers
I am porting an ASP.NET Web API 4.6 OWIN application to ASP.NET Core 2.1. The application is working based on JWT token. But the token in passed via cookie instead of header. I'm not sure why heade...
S-IERRA · 11mo ago
Seems about right. Got it working through cookies, ty! @jakenveina @angius
Angius · 11mo ago
Nice