I'm using Okta in my Web API application. After successful authentication I get cookies in my session, but I don't understand why I don't have a JWT token there (I want to make an Angular client for this application). What exactly do I use here? Does someone have experience with it?
Why don't I have a JWT despite the fact that OpenID is based on JWT? When I paste every cookie into a JWT decoder it is not valid...
CodePudding user response:
The cookies you see in the browser are not your tokens. They are your encrypted session cookie.
This cookie may contain your tokens if you have configured your system to persist your tokens inside the cookie. In your case you have cookies C1 and C2; together they are quite large, and that probably means they contain the tokens as well.
You can tell whether a string is a JWT token or not by looking at the first two characters. If it starts with ey..., then it is a JWT token.
You should not try to access these cookies from Angular, and storing tokens in the browser is a bad idea from a security point of view. Do look at the BFF pattern, or try to handle the tokens only in the backend. See:
- https://blog.bitsrc.io/bff-pattern-backend-for-frontend-an-introduction-e4fa965128bf
- https://leastprivilege.com/2020/03/31/spas-are-dead/
- https://leastprivilege.com/2019/01/18/an-alternative-way-to-secure-spas-with-asp-net-core-openid-connect-oauth-2-0-and-proxykit/
- https://curity.io/resources/learn/spa-best-practices/
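The JWT-versus-session-cookie distinction from the answer above, as an added example that is not part of the original question or answer (Node.js; the cookie values, the issuer URL and the key id are constructed placeholders). It reassembles ASP.NET Core's C1/C2 cookie chunks, applies the "ey" heuristic and then a strict structural parse, and shows the encrypted session cookie failing both while a JWT passes. It only decodes and never verifies a signature; and, as the BFF links argue, the Angular app should not need to do any of this, because the tokens stay in the backend.

```javascript
// Added example, not code from the question or the answer. Distinguishes a
// JWT from ASP.NET Core's opaque (encrypted) authentication cookie and
// reassembles the C1/C2 chunks first. Runs under Node.js; every sample value
// below is constructed.

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  if (segment.length % 4 === 1) throw new Error('invalid base64url length');
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// The answer's heuristic: base64url('{"') is "ey", so a JWS whose header is a
// JSON object always starts with "ey". Fine for eyeballing, useless for trust.
function looksLikeJwt(value) {
  return value.startsWith('ey');
}

const SEGMENT = /^[A-Za-z0-9_-]+$/;

// Strict structural check: three non-empty base64url segments, the first two
// decoding to JSON objects, the header carrying a string "alg". This DECODES
// only; it does not verify the signature, so never use it to accept a token.
// Tokens with an empty signature ("alg":"none") are rejected on purpose.
function parseJwt(value) {
  const parts = value.split('.');
  if (parts.length !== 3 || !parts.every((p) => SEGMENT.test(p))) return null;
  let header;
  let payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null;
  }
  const isObject = (o) => o !== null && typeof o === 'object' && !Array.isArray(o);
  if (!isObject(header) || typeof header.alg !== 'string' || !isObject(payload)) return null;
  return { header, payload, signature: parts[2] };
}

// exp is seconds since the epoch; a payload without exp is treated as expired.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp !== 'number' || payload.exp <= nowSeconds;
}

// ASP.NET Core's ChunkingCookieManager splits an oversized cookie into
// "<name>C1", "<name>C2", ... and stores "chunks-N" under "<name>" itself.
function reassembleChunkedCookie(cookies, name) {
  const marker = cookies[name];
  if (marker === undefined) return null;
  const m = /^chunks-(\d+)$/.exec(marker);
  if (!m) return marker;                    // not chunked: value as-is
  let joined = '';
  for (let i = 1; i <= Number(m[1]); i++) {
    const chunk = cookies[`${name}C${i}`];
    if (chunk === undefined) return null;   // incomplete chunk set
    joined += chunk;
  }
  return joined;
}

// Reassemble, then report what the heuristic and the strict parse say.
function inspectCookie(cookies, name) {
  const value = reassembleChunkedCookie(cookies, name);
  if (value === null) return { present: false };
  const jwt = parseJwt(value);
  return {
    present: true,
    length: value.length,
    startsWithEy: looksLikeJwt(value),
    isJwt: jwt !== null,
    header: jwt ? jwt.header : null,
  };
}

// Constructed samples. The JWT's signature is filler and the issuer/kid are
// placeholders; the cookie chunks are shaped like an ASP.NET Core Data
// Protection blob (those start with "CfDJ8") but hold no real payload.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'example-kid' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://example.okta.com/oauth2/default', sub: 'alice', exp: 1700000000 })),
  base64UrlEncode('not-a-real-signature'),
].join('.');

const SAMPLE_COOKIES = {
  '.AspNetCore.Cookies': 'chunks-2',
  '.AspNetCore.CookiesC1': 'CfDJ8Nq3Xy0ZkPlrVaLmWcrT8cYt9KdHrfp6AWbT',
  '.AspNetCore.CookiesC2': 'mD4qQ1XbNpm7eRlcx0z6FUiV6uoG8g',
};

console.log(inspectCookie(SAMPLE_COOKIES, '.AspNetCore.Cookies')); // isJwt: false
console.log(inspectCookie({ demo: SAMPLE_JWT }, 'demo'));           // isJwt: true
```

The reassembled C1+C2 value is one opaque Data Protection blob, which is why pasting either chunk into a JWT decoder fails: there is no header.payload.signature structure to decode, and the tokens it may wrap can only be unprotected server-side with the Data Protection keys.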