In my Node application for API validation, I am using BearerStrategy from the passport-azure-ad package.
In the documentation, it is specified that:
User sends a request to the protected web API which contains an access_token in either the authorization header or body.
Is it possible to validate an API if the access token is stored in the Cookie header instead of the Authorization header?
Code is as follows:
const passport = require('passport');
const { BearerStrategy } = require('passport-azure-ad');
// config.credentials (the Azure AD options) and server (the restify instance)
// are defined elsewhere in the application
const authenticatedUserTokens = [];

const authenticationStrategy = new BearerStrategy(config.credentials, (token, done) => {
  // find() needs the comparison returned from the callback; without the
  // return, no token is ever matched and every request is pushed again
  let currentUser = authenticatedUserTokens.find((user) => user.sub === token.sub);
  if (!currentUser) {
    // first request from this subject: remember the token and treat it as the user
    authenticatedUserTokens.push(token);
    currentUser = token;
  }
  return done(null, currentUser, token);
});
passport.use(authenticationStrategy);

server.get('/api/test', passport.authenticate('oauth-bearer', {
  session: false
}), (req, res, next) => {
  res.send({ "message": "Success" });
  return next();
});
So if I am passing the access token in the Cookie header, it is not validated. Should I use some other package like passport-cookie? Then how can I pass Azure credentials to integrate with Azure Active Directory?
Access tokens can also be transmitted via browser cookies. Which transport method you choose (Cookie header or Authorization header) depends on your application and use case. For mobile applications, headers are the way to go.
For web applications, I recommend using HttpOnly cookies instead of HTML5 storage/headers, for better security against XSS attacks. It's important to note that using cookies means that you need to protect your forms against CSRF attacks.
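One practical way to follow this answer while keeping the existing BearerStrategy (which, per the documentation quoted in the question, reads the Authorization header) is a small middleware that lifts the token out of an HttpOnly cookie into the Authorization header before passport.authenticate runs. The code below is an added example, not code from the question, the answer, or the passport-azure-ad project. The cookie name "access_token", the helper names, and the sample token are assumptions; the sample token is a constructed placeholder, not a real Azure AD token, and the only check done here is a shape check, since signature, issuer, audience and expiry validation remain the job of BearerStrategy.

```javascript
// Parse a raw Cookie header value ("a=1; b=2") into an object.
// Values are percent-decoded; malformed pairs (no "=" or empty name) are skipped.
function parseCookieHeader(header) {
  const cookies = {};
  if (typeof header !== 'string') return cookies;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(value);
    } catch (e) {
      cookies[name] = value; // keep the raw value if it is not valid percent-encoding
    }
  }
  return cookies;
}

// Plausibility check only: an access token is a compact JWS (three base64url segments).
// Real validation (signature, issuer, audience, expiry) is left to BearerStrategy.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Middleware factory (hypothetical helper). If the request carries no Authorization
// header but does carry the token cookie, copy the token into the header so a
// header-based bearer strategy can validate it unchanged. An explicit Authorization
// header always wins; a cookie value that is not token-shaped is ignored.
function cookieToBearer({ cookieName = 'access_token' } = {}) {
  return function (req, res, next) {
    if (!req.headers.authorization) {
      const token = parseCookieHeader(req.headers.cookie)[cookieName];
      if (token && JWT_SHAPE.test(token)) {
        req.headers.authorization = `Bearer ${token}`;
      }
    }
    return next();
  };
}

// Set-Cookie value to use when the token is first issued to the browser:
// HttpOnly keeps script away from it (XSS), Secure restricts it to TLS, and
// SameSite=Strict blocks most cross-site submissions (part of the CSRF defence
// the answer mentions; state-changing forms still need a CSRF token).
function tokenCookie(cookieName, token, maxAgeSeconds) {
  return `${cookieName}=${encodeURIComponent(token)}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Drive the middleware with a constructed request object and return what it did.
function applyToRequest(headers, options) {
  const req = { headers: { ...headers } };
  let nextCalled = false;
  cookieToBearer(options)(req, {}, () => { nextCalled = true; });
  return { headers: req.headers, nextCalled };
}

// Constructed sample token (header.payload.signature placeholder, not a real token).
const SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2ln';

// Stand-alone demonstration.
const demo = applyToRequest({ cookie: `access_token=${encodeURIComponent(SAMPLE_TOKEN)}; theme=dark` });
console.log(demo.headers.authorization === `Bearer ${SAMPLE_TOKEN}` ? 'token lifted from cookie' : 'not lifted');
console.log(tokenCookie('access_token', SAMPLE_TOKEN, 3600));
```

In the question's restify setup this would be registered once, before the protected route, with server.use(cookieToBearer()), so that passport.authenticate('oauth-bearer', { session: false }) sees the same Authorization header it would get from a mobile client. The cookie should be issued with tokenCookie() (or the equivalent options of the app's cookie library) so it is HttpOnly, Secure and SameSite; because the browser now attaches the token automatically, every state-changing endpoint also needs CSRF protection, as the answer notes.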