Passing JWT tokens by Ajax/Javascript

Question

I'm wondering is it "legitimate" to provide the JWT token I received back from Identity Server to the page so that Javascript can make ajax calls with it as a bearer token to several API endpoints. Clearly these end points would be using SSL, but is this a typical/correct usage pattern?

Cheers,

P

score 0 · Answer 1 · answered Mar 17 '14 at 05:29

0

It is certainly doable - if you are OK with the access token being on the client machine/device.

answered Mar 17 '14 at 05:29

leastprivilege

18,196
1
34
50

but is "doable" the same as "recommended". What other way could you make js calls like this? – Paul Devenney Mar 18 '14 at 09:39
"if you are OK with the access token being on the client machine/device." says it all I guess. If that's the case, it is OK. – leastprivilege Mar 18 '14 at 16:42
are these tokens not always effectively on the device in a .FedAuth cookie for example? – Paul Devenney Mar 19 '14 at 09:22

Passing JWT tokens by Ajax/Javascript

1 Answers1