Joe Lin

Reputation: 496

OAuth2 OIDC, How/When to give JWT to the browser?

I'm implementing an SSO solution. Got a general question regarding the authorization code flow grant type as described here.

After a user logs in, the client app would get an ID token. But I cannot find anywhere how/when a JWT should be given to the browser such that it can set the bearer token in the request header for any subsequent request. Is it something not specified in the standard, or am I misunderstanding something?

Upvotes: 0

Views: 232

Answers (1)

Michal Trojanowski

Reputation: 12342

The browser does not set the Authorization request header automatically. You have to do it yourself using JavaScript. This means that a request with such a header must be an AJAX call. If you want to send regular requests through the browser (by navigating to a URL), then you have to use cookies, as they will be automatically added by the browser. (You can keep the value of a token in a cookie and have your backend read the cookie instead of the Authorization header.)

Upvotes: 1
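The two transport options described in the answer, as an added example that is not part of the question or the answer: on the client, `fetch()` must be given the `Authorization: Bearer` header explicitly (a plain navigation never carries it); on the backend, a small helper accepts the token from that header and falls back to a cookie, which the browser attaches on its own. The function names (`authHeadersFor`, `parseCookies`, `extractToken`, `tokenCookie`), the cookie name `access_token` and the sample token value are assumptions made for this example, not anything from the OAuth2/OIDC specifications.

```javascript
// Added example: how a browser request carries a bearer token, and how a
// backend reads it from either place. Helper names, the cookie name and the
// sample token are constructed for this illustration.

// --- client side (browser JavaScript) --------------------------------------

// Headers for an AJAX/fetch call. This is the part the browser does not do
// for you: only script-initiated requests can carry an Authorization header.
function authHeadersFor(token) {
  return { Authorization: `Bearer ${token}` };
}
// In a page, after the OIDC/OAuth2 token response has been obtained:
//   fetch('/api/profile', { headers: authHeadersFor(token) });

// --- server side -------------------------------------------------------------

// Parse a raw Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Pull the token out of a request: prefer the Authorization header (AJAX
// calls), otherwise fall back to the cookie (plain navigations). Returns
// null when neither is present so the caller can reject the request.
function extractToken(req, cookieName = 'access_token') {
  const auth = (req.headers['authorization'] || '').trim();
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (m) return { token: m[1], source: 'header' };
  const cookies = parseCookies(req.headers['cookie']);
  if (cookies[cookieName]) return { token: cookies[cookieName], source: 'cookie' };
  return null;
}

// Set-Cookie value the backend sends once after login so the browser stores
// the token and attaches it to later navigations. HttpOnly keeps page scripts
// from reading it; Secure and SameSite restrict where the browser sends it.
function tokenCookie(token, cookieName = 'access_token') {
  return `${cookieName}=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Stand-alone demonstration with constructed request objects (constructed
// sample token; no real network traffic).
function demo() {
  const sampleToken = 'header.payload.signature'; // constructed placeholder
  const ajaxRequest = { headers: authHeadersFor(sampleToken) };
  ajaxRequest.headers = { authorization: ajaxRequest.headers.Authorization };
  const navigationRequest = { headers: { cookie: `theme=dark; ${tokenCookie(sampleToken).split(';')[0]}` } };
  return {
    ajax: extractToken(ajaxRequest),
    navigation: extractToken(navigationRequest),
    anonymous: extractToken({ headers: {} }),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { authHeadersFor, parseCookies, extractToken, tokenCookie, demo };
}
```

Which of the two to use is a design choice: the header approach keeps the token under the page script's control, while the cookie approach makes the token available on ordinary navigations but means the backend must treat it like any other cookie-based credential (the `HttpOnly`, `Secure` and `SameSite` attributes in `tokenCookie` are the usual minimum).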
