Should I be using an httponly Cookie or is it ok to use Authorization header with my Web Socket project?

I have a simple websocket project using the Auth0 React library…

If you wire that up with your Auth0 info

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ...
          audiences:
            - ...
app:
  auth:
    client-id: ...
    scope: "openid profile read:transactions"

You should see it work. However, I am following the instructions, and instead of a secure http-only cookie it is having me manually inject the tokens into the headers. I am not opposed to this as I have good XSS measures, but is that really the only way? Also, if I am passing an access token, can I pass the opaque one and then grab the user info using the token in the backend, like in the AuthenticationProvider or something?

Hi @jackiegleason

Thank you for posting your question on the community!

Unfortunately, you cannot set the cookies as an HTTP-Only cookie since they are required by the frontend SDKs to function properly. If these cookies were set as HTTP-Only, they would be inaccessible by JS and thus inaccessible by the SDKs. You would need to move your authentication to the backend in order for it to create and manage its own session with the browser using cookies which can be HTTP-Only. You can check our documentation for BackEnd Quickstarts.

Also, I am not sure if passing an opaque token would be a viable workaround for this issue, however you can give it a try. Since you will be handling it in the backend, it might just work, however, I am not 100% sure about this approach.

If you have any other questions, feel free to let me know!

Kind Regards,
Nik
