
I have a web application that is using open id authentication via Azure AD. it needs to talk cross-origin to another web service which uses the same form of authentication. Is it generally allowable to pass the same token to the other web service?

I know, for example, that I cannot pass a cookie across origins. Is there protection built into JWT tokens that will cause me similar problems?

Erix

2 Answers

2

A JWT is just a way to encode claims. Cookies are different. Ultimately, they are just data that gets passed back and forth between the client and server via request/response headers. A JWT is independent of how it's transmitted, and a cookie is independent of the data that is transmitted. In fact, the data for auth cookies and such is generally a JWT nowadays.

So, no, there are no cross-origin policies applied to JWT, in general, since it's just a way of encoding some data. However, JWTs are almost always at least signed, and often encrypted as well. In order to read a signed JWT securely, you're going to need to share the signing key, and of course to read an encrypted JWT, you're going to need the shared encryption key or the private key from the public/private key pair when asymmetric encryption is employed.

Long and short, depending on what you're doing exactly, it may not be possible or feasible to "share" the JWT, even though cross-origin isn't technically an issue.

Typically with centralized auth like AD, each application independently authenticates with the identity server, rather than passing the token one received to the other.

Chris Pratt
1

No, there is no built-in origin protection in JWT. It's just a token.

Marcus Höglund
  • Thanks. Is it typical to pass a token via javascript (in browser) to web services spanning multiple origins? Or is this common practice? – Erix Sep 12 '18 at 18:44
  • 1
    @Erix The intention might be to use one short lived token for one service. (https://stackoverflow.com/a/35438142) But it's very possible to use the token in multiple services as long as they use the same key issuer and secret key to be able to read the token (https://stackoverflow.com/a/44759395) – Marcus Höglund Sep 12 '18 at 18:54
  • 1
    It's typical if you treat the JWT token as your "browser identity" which is used to access multiple (micro)services. – Michał Jarzyna Sep 12 '18 at 18:57
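The point made in Chris Pratt's answer (a second service can only accept the token if it holds the key needed to check the signature) and in Marcus Höglund's comment (the services must share the same issuer and key) can be shown with a small stdlib-only JWT. The code below is an added example, not code from any of the answerers or from Azure AD; it uses HS256 with a shared secret so that it runs offline, and the issuer URL, key bytes and audience names are constructed. In an asymmetric setup like Azure AD's, the verifying service would use the issuer's public key instead of `SHARED_KEY`, but the `iss`/`aud`/`exp` checks are the same. The scenario also shows the practical caveat for the original question: even with the right key, a service should reject a token whose `aud` claim was not issued for it, so sharing one token across services means issuing it for both audiences.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed values for the example; a real deployment gets these from the identity provider.
ISSUER = "https://issuer.example/"            # hypothetical issuer
SHARED_KEY = b"secret-shared-with-the-issuer"  # constructed HS256 secret
OTHER_KEY = b"some-other-services-secret"     # constructed, not the issuer's key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build a compact-serialised HS256 JWT: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_iss: str, expected_aud: str,
               now: Optional[float] = None) -> dict:
    """Check the signature first, then iss, aud and exp. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm the verifier expects; do not trust the header
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("token not intended for this audience")
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def _outcome(check: Callable[[], dict]) -> str:
    try:
        check()
        return "ok"
    except ValueError as err:
        return str(err)


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: one token minted for the web app, presented to differently configured services."""
    token = mint_jwt({"iss": ISSUER, "aud": "web-app", "sub": "user-123", "exp": now + 600}, SHARED_KEY)
    results = {}
    # 1. The web app itself: same key, same audience -> accepted.
    results["web_app"] = _outcome(lambda: verify_jwt(token, SHARED_KEY, ISSUER, "web-app", now))
    # 2. A service without the issuer's key cannot validate the signature at all.
    results["other_service_other_key"] = _outcome(lambda: verify_jwt(token, OTHER_KEY, ISSUER, "api", now))
    # 3. Same issuer and key, but the token was not issued for this service's audience.
    results["other_service_same_key"] = _outcome(lambda: verify_jwt(token, SHARED_KEY, ISSUER, "api", now))
    # 4. A token issued for both audiences is usable by both services.
    multi = mint_jwt({"iss": ISSUER, "aud": ["web-app", "api"], "sub": "user-123", "exp": now + 600}, SHARED_KEY)
    results["multi_audience_api"] = _outcome(lambda: verify_jwt(multi, SHARED_KEY, ISSUER, "api", now))
    # 5. Even the intended service rejects the token once it has expired.
    results["expired"] = _outcome(lambda: verify_jwt(token, SHARED_KEY, ISSUER, "web-app", now + 601))
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 2 is the case from the accepted answer (no key, no way to trust the token); scenario 3 is the check most practitioners forget when they start passing one token to several services. Scenario 4 is what "same key issuer and secret" from the comment thread amounts to in practice: the token has to carry every audience that will accept it.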