How to configure loopback to use access_token in the header

Question

I'm using access_token handling logic form loopback. It works fine, but unfortunately expects the access_token in the URL.

Can I configure loopback to use the access_token in the header custom field instead?

I would recommend using the standard `Authorization` header instead of a custom one. Loopback will search by default for a token in there. — Overdrivr, Sep 23 '16 at 09:01
Thanks Overdrivr! Is it somewhere documented? I mean, how it is expected to be packed in the Authorization header? Simply a string value of the token, or something like "Tolen " + value? — Aleks, Sep 23 '16 at 09:29
This is documented [here](https://docs.strongloop.com/display/public/LB/Making+authenticated+requests). Just put the token string inside the header — Overdrivr, Sep 23 '16 at 09:44

score 9 · Accepted Answer · answered Sep 20 '16 at 16:28

9

Initialize Loopback Token Middleware check the docs

A sample code for enabling loopback.token middleware

app.use(loopback.token({  
  cookies: ['access_token'],
  headers: ['access_token', 'X-Access-Token'],
  params:  ['access_token']
  //additional keys (check docs for more info)
}));

It checks for these values in cookies, headers, and query string parameters

answered Sep 20 '16 at 16:28

RootHacker

1,109
8
12

Where should this code go? Can I somehow instruct the API explorer to send the access_token in Header as well? – Aleks Sep 21 '16 at 08:07

score 0 · Answer 2 · answered Aug 21 '19 at 19:23

Docs- https://loopback.io/doc/en/lb3/Making-authenticated-requests.html

Pass the following header in request config (use your token)-

headers: {
    Authorization: '1vKbyJc9D2pJaE5sZWDqKxcJYlOfPab4eO8giuRMkfOxvoHKGUBRDcNvP4JwDIxe'
}

No configuration needed in server.

How to configure loopback to use access_token in the header

2 Answers2