user3211198 user3211198 - 2 days ago 7
Javascript Question

How to use access token that was saved as httpOnly cookie in authentication header?

Upon authentication, stormpath express sets the access token as an httpOnly cookie in the browser, but how can I get the access token from the cookie to put it in the authorization header as "Authorization: Bearer ey..access_token"? The token worked when I manually did the request using curl.

Answer

The express-stormpath library uses http-only cookies by default, when you post to the /login route, as they are more secure (by preventing access from the JavaScript environment, they cannot be stolen by XSS attacks).

If you need to access the tokens from the JavaScript environment, you should make a post to the /oauth/token endpoint, and you will receive the tokens in the HTTP response body.

This workflow is described here:

https://docs.stormpath.com/nodejs/express/latest/authentication.html#oauth2-password-grant
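
The workflow from the answer above, as an added example that is not part of the original answer or of express-stormpath: post the credentials to /oauth/token, read the token from the response body, and send it as a Bearer header. It assumes the standard OAuth2 password-grant form fields and an `access_token` field in the JSON response; `createTokenClient`, `fetchImpl` and the `/api/profile` path used in the comment are hypothetical names. The token is held in a closure only, because a token readable from JavaScript no longer has the httpOnly protection against XSS.

```javascript
// Build the form-encoded password-grant request for the /oauth/token endpoint.
function buildTokenRequest(username, password) {
  const body = new URLSearchParams({ grant_type: 'password', username, password });
  return {
    url: '/oauth/token',
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Turn a token response into the Authorization header; reject a missing token.
function bearerHeader(tokenResponse) {
  const token = tokenResponse && tokenResponse.access_token;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no access_token available');
  }
  return { Authorization: 'Bearer ' + token };
}

// fetchImpl is injected (window.fetch in a browser) so the client can be tested offline.
function createTokenClient(fetchImpl) {
  let tokens = null; // memory only: not localStorage, not a script-readable cookie
  return {
    async login(username, password) {
      const { url, options } = buildTokenRequest(username, password);
      const res = await fetchImpl(url, options);
      if (!res.ok) throw new Error('token request failed: HTTP ' + res.status);
      const body = await res.json();
      bearerHeader(body); // validate before storing
      tokens = body;
    },
    // Authenticated request, e.g. client.request('/api/profile')
    async request(url, options = {}) {
      const headers = { ...(options.headers || {}), ...bearerHeader(tokens) };
      return fetchImpl(url, { ...options, headers });
    },
    logout() { tokens = null; },
  };
}
```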
