
I've seen a lot of articles that cover using JWT Tokens in API scenarios. How do I include the JWT Token in my request for a web page?

My ASP.NET Core app has both web pages and API methods so I want to use cookies for the web and token for API.

Sam
  • Store it in a cookie. Local storage [isn't as secure anyway.](https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage) –  Dec 22 '17 at 18:17
  • If I store a `JWT Token` in a cookie, what exactly is the advantage of using `JWT Tokens` in the first place? Also, how would a mobile app send the `JWT Token` to the API? Aren't cookies for browser based apps only? – Sam Dec 22 '17 at 18:39
  • The storage mechanism is not related to the advantages of JWT. Compare JWT vs SAML. No, you can add a cookie to any request made by an API, although I will point out that your question explicitly mentions using a browser. –  Dec 22 '17 at 18:41
  • I have two clients to satisfy: browsers and mobile apps. Currently, I'm using cookies and everything is working fine. The only reason why I'm considering `JWT tokens` is to prepare myself for the mobile app we're starting next month. So, I'm trying to see what changes I need to make in my backend API. If I go with `JWT Tokens`, I need to make sure my users can still access non-API parts of my app i.e. pages that only authenticated users can access. – Sam Dec 22 '17 at 18:45
  • It's not so much the storage that I'm confused about. It really is the configuration of my backend API. Currently, it's told to expect cookies and it works nice. If I'm switching to `JWT Tokens`, I have to send the token myself. So, I'm trying to figure out how to place the `JWT Token` in the header of a request if I'm simply requesting a web page. Hope this clarifies my confusion. – Sam Dec 22 '17 at 18:47
  • Well, the way we do it here with Asp.Net, is our auth layer looks for either a cookie or an Authorization header. It pulls the token from either location. This article might be helpful: https://auth0.com/blog/cookies-vs-tokens-definitive-guide/ –  Dec 22 '17 at 18:51
  • Thank you for your response. My backend Web/API is built on ASP.NET too i.e. specifically ASP.NET Core 2.0. I wasn't aware that an ASP.NET app could be configured for an "either or" scenario where it looks for a cookie or auth header. I thought I had to pick one. – Sam Dec 22 '17 at 18:56
  • Nope, you can do it either/or. Takes some custom code, but it's not too difficult really. Make your own `AuthenticationHandler`. Look at [this question](https://stackoverflow.com/questions/37249969/creating-owin-auth-provider-that-exchanges-a-custom-token-for-a-net-auth-cookie), specifically at the `AuthenticateCoreAsync` function. Or google "owin token provider" –  Dec 22 '17 at 19:02
  • Thank you for your help. Based on your direction, I found this nice article that covers this topic: https://wildermuth.com/2017/08/19/Two-AuthorizationSchemes-in-ASP-NET-Core-2 – Sam Dec 22 '17 at 19:11
  • Excellent article. Good luck to you. –  Dec 22 '17 at 19:13
  • Thank you. If you could copy and paste your comment as an answer, I'll accept it. I'd like you to get credit for your help. Thanks again! – Sam Dec 22 '17 at 19:14
  • Well okay. But before I do that, I suggest revising your question so it more closely matches the expected answer. The comments didn't exactly discuss how to add the header. –  Dec 22 '17 at 19:16
  • Done! You may want to include the link I found in your answer. Thanks. – Sam Dec 22 '17 at 19:25

1 Answer


The way we do it here with Asp.Net is that our auth layer looks for either a cookie or an Authorization header. It pulls the token from either location. This article might be helpful:

http://auth0.com/blog/cookies-vs-tokens-definitive-guide

This takes some custom code, but it's not too difficult really. Make your own AuthenticationHandler.

https://wildermuth.com/2017/08/19/Two-AuthorizationSchemes-in-ASP-NET-Core-2

That excellent article will guide you through every step of the process.
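As an added example (not code from the question, the answer or the linked articles), here is one way to write the "either cookie or Authorization header" handler the answer describes, targeting ASP.NET Core 2.0; the scheme name, the options class and the cookie name `access_token` are hypothetical, and the same JWT validation runs whichever transport carried the token:

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;

public class CookieOrBearerOptions : AuthenticationSchemeOptions
{
    public string CookieName { get; set; } = "access_token";   // hypothetical cookie name
    public TokenValidationParameters TokenValidationParameters { get; set; }
}

public class CookieOrBearerHandler : AuthenticationHandler<CookieOrBearerOptions>
{
    public CookieOrBearerHandler(IOptionsMonitor<CookieOrBearerOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // 1. API / mobile clients send "Authorization: Bearer <jwt>"
        string token = null;
        string header = Request.Headers["Authorization"];
        if (!string.IsNullOrEmpty(header) &&
            header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            token = header.Substring("Bearer ".Length).Trim();

        // 2. Browser page requests carry the same JWT in an HttpOnly, Secure cookie
        if (string.IsNullOrEmpty(token))
            token = Request.Cookies[Options.CookieName];

        if (string.IsNullOrEmpty(token))
            return Task.FromResult(AuthenticateResult.NoResult());   // anonymous request

        try
        {
            // Identical validation (signature, issuer, audience, lifetime) for both sources
            var principal = new JwtSecurityTokenHandler()
                .ValidateToken(token, Options.TokenValidationParameters, out SecurityToken _);
            return Task.FromResult(AuthenticateResult.Success(
                new AuthenticationTicket(principal, Scheme.Name)));
        }
        catch (Exception ex)   // malformed, expired or badly signed token
        {
            return Task.FromResult(AuthenticateResult.Fail(ex));
        }
    }
}
```

Register it in `Startup.ConfigureServices` with `services.AddAuthentication("CookieOrBearer").AddScheme<CookieOrBearerOptions, CookieOrBearerHandler>("CookieOrBearer", o => o.TokenValidationParameters = /* your key, issuer, audience */)` and plain `[Authorize]` then works for both pages and API actions. Because the browser attaches the cookie automatically, state-changing page requests still need the anti-forgery protection you already rely on with cookie auth.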