Send JWT via cookie instead of redirect query param
A short-lived cookie is set for the temporary JWT. The cookie will be deleted once the token is manually refreshed. Because the API's callback isn't directly called by the frontend, it doesn't have access to the response. I found three options to pass authentication to the frontend: via URL (query param/fragment identifier), JavaScript in the callback response or a short-lived cookie. The cookie is easy to implement and doesn't require any knowledge about the frontend.
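The hand-off described in the commit message, as an added illustration that is not the project's own code: a Spring Security success handler that sets a short-lived, HttpOnly cookie carrying the temporary token and then redirects without putting the token in the URL, plus a filter that accepts that cookie and expires it when the frontend calls the refresh endpoint. The `TokenService` interface, the cookie name `auth-handoff`, the 60-second lifetime and the `/auth/refresh` path are assumptions; the example assumes Spring 5+ (for `ResponseCookie`) and the `javax.servlet` API.

```java
import java.io.IOException;
import java.time.Duration;
import java.util.Arrays;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical token service; the project's real JWT code is not shown here. */
interface TokenService {
    /** Mints a short-lived token that is only good for obtaining a regular one. */
    String createHandoffToken(Authentication auth);
    /** Returns the authentication encoded in the token, or empty if invalid or expired. */
    Optional<Authentication> parse(String token);
}

final class HandoffCookie {
    static final String NAME = "auth-handoff";              // assumed cookie name
    static final Duration MAX_AGE = Duration.ofSeconds(60); // assumed lifetime
    static final String REFRESH_PATH = "/auth/refresh";     // assumed refresh endpoint

    static ResponseCookie create(String token) {
        return ResponseCookie.from(NAME, token)
                .httpOnly(true)   // page scripts cannot read the token
                .secure(true)     // only sent over TLS
                .sameSite("Lax")  // still sent on the top-level redirect back to the frontend
                .path("/")
                .maxAge(MAX_AGE)
                .build();
    }

    /** Same attributes with Max-Age=0, which tells the browser to drop the cookie. */
    static ResponseCookie expired() {
        return ResponseCookie.from(NAME, "")
                .httpOnly(true).secure(true).sameSite("Lax").path("/")
                .maxAge(Duration.ZERO)
                .build();
    }
}

/** Runs at the end of the API's login callback, which the frontend never calls directly. */
final class CookieHandoffSuccessHandler implements AuthenticationSuccessHandler {
    private final TokenService tokens;
    private final String frontendUrl; // where the browser is sent after the callback

    CookieHandoffSuccessHandler(TokenService tokens, String frontendUrl) {
        this.tokens = tokens;
        this.frontendUrl = frontendUrl;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        String token = tokens.createHandoffToken(authentication);
        response.addHeader(HttpHeaders.SET_COOKIE, HandoffCookie.create(token).toString());
        // Redirect without the token in the query string or fragment, so it does not
        // end up in server logs, browser history or Referer headers.
        response.sendRedirect(frontendUrl);
    }
}

/** Accepts the hand-off cookie and expires it once the frontend refreshes the token. */
final class HandoffCookieFilter extends OncePerRequestFilter {
    private final TokenService tokens;

    HandoffCookieFilter(TokenService tokens) {
        this.tokens = tokens;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            Arrays.stream(cookies)
                    .filter(c -> HandoffCookie.NAME.equals(c.getName()))
                    .findFirst()
                    .flatMap(c -> tokens.parse(c.getValue()))
                    .ifPresent(auth -> {
                        SecurityContextHolder.getContext().setAuthentication(auth);
                        if (HandoffCookie.REFRESH_PATH.equals(request.getServletPath())) {
                            // The temporary token has done its job; delete the cookie.
                            response.addHeader(HttpHeaders.SET_COOKIE, HandoffCookie.expired().toString());
                        }
                    });
        }
        chain.doFilter(request, response);
    }
}
```

Two choices worth noting: the cookie is HttpOnly, so the frontend never sees the temporary token itself and only receives the regular one from the refresh endpoint, and the short Max-Age bounds how long a stray copy of the hand-off cookie remains usable if the refresh never happens.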
Showing 3 changed files:
- src/main/java/de/thm/arsnova/controller/AuthenticationController.java (14 additions, 1 deletion)
- src/main/java/de/thm/arsnova/security/LoginAuthenticationSucessHandler.java (13 additions, 8 deletions)
- src/main/java/de/thm/arsnova/security/jwt/JwtTokenFilter.java (33 additions, 12 deletions)