In my ASP.NET Core 1.1.0 API I want to HTTP POST to a 'CreateToken' method and receive a JWT inside a cookie. I then want to access the cookie on the client and automatically include it with all future requests while the token is still valid.
My code for generating and validating the JWT is fine: I can use Postman to call 'CreateToken' and then copy the value into a header for another request like so: key: Authorization, value: 'bearer' + ' ' + token. It works, so I can't be far away. I've tried to keep the code posted here succinct, but can supply more on demand.
In my controller's 'CreateToken' action I set the cookie to include the token:
// Cookie lives for one day, is only sent over HTTPS and is not readable from script.
var options = new CookieOptions
{
    Expires = DateTime.Now.AddDays(1),
    Secure = true,
    HttpOnly = true
};
// Serialize the already-built JwtSecurityToken into its compact form and set it as the "token" cookie.
Response.Cookies.Append("token", new JwtSecurityTokenHandler().WriteToken(token), options);
return Ok();
On the client, I have this code:
// withCredentials makes the browser attach cookies to this cross-origin request.
return this.http.get(url, { withCredentials: true }).map((response: any) => {
    // handle response
});
I receive a 401, so the token must not be getting set in the request header.
If I change the above code to manually add the headers I previously put in Postman, it works.
EDIT 1:
If I basically just read the cookie in Chrome and add the token to the header, it works:
// Reads the raw cookie string from the document and strips the cookie name to get the token value.
new Headers({ 'Content-Type': 'application/json', 'Authorization': 'bearer ' + document.cookie.replace('token=', '') });
Is this still secure? If not, how do I get the client to include that header correctly from the cookie?
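One way to avoid the client ever touching the token is to have the JwtBearer middleware read it from the cookie itself, so the cookie can stay HttpOnly (a cookie that document.cookie can read cannot be HttpOnly, which exposes the token to any script injected into the page). The following Startup fragment for ASP.NET Core 1.1 is an added example, not code from the question; the cookie name "token" comes from the question, while the issuer, audience and signing key are placeholder assumptions that must match whatever the CreateToken action signs with.

```csharp
// Startup.cs (ASP.NET Core 1.1) - added example, not the asker's code.
// Assumes the "token" cookie name from the question and that Issuer,
// Audience and SigningKey match the values used when the JWT was created.
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.IdentityModel.Tokens;

public partial class Startup
{
    // Hypothetical values: in a real app load these from configuration / a secret store.
    private const string Issuer = "https://example.test";
    private const string Audience = "https://example.test";
    private static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("replace-with-a-long-random-secret-value"));

    // Call this from Configure(), before app.UseMvc().
    public void ConfigureJwtFromCookie(IApplicationBuilder app)
    {
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = Issuer,
                ValidateAudience = true,
                ValidAudience = Audience,
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = SigningKey,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1)
            },
            Events = new JwtBearerEvents
            {
                // Runs before the middleware inspects the Authorization header.
                // If the browser sent the "token" cookie, hand its value to the
                // middleware as the bearer token. If no cookie is present, leave
                // context.Token unset so the normal header lookup still works
                // (keeps the Postman-style Authorization header flow intact).
                OnMessageReceived = context =>
                {
                    string cookieToken;
                    if (context.Request.Cookies.TryGetValue("token", out cookieToken)
                        && !string.IsNullOrWhiteSpace(cookieToken))
                    {
                        context.Token = cookieToken;
                    }
                    return Task.CompletedTask;
                }
            }
        });
    }
}
```

With this in place the Angular call with withCredentials: true is enough; no Authorization header is built on the client. The trade-off is that a token carried in a cookie is attached automatically by the browser, so the API becomes a CSRF target in the way a header-carried token is not: pair the cookie with anti-forgery protection (for example the framework's antiforgery tokens, or a SameSite attribute on the cookie) before relying on it for state-changing requests.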