# general
p
Hi @abundant-iron-97254 You need to include the cookies per request from the frontend to your backend. Usually you would have a gateway proxy or a middleware in front of your backend API extracting the cookie from the header and checking it against Ory. Since the session is issued for the browser, you do not need another for the backend. With native applications such as mobile apps or native desktop apps, you would use a token instead of a cookie.
a
@proud-plumber-24205 Thanks, will try that. Just for clarification, the cookie content is not the session id, right? What's then in the cookie? Also, if I wanted to send a header for authentication instead of the cookie, how would I get the needed value in the frontend?
p
The session ID is the UUID for the session, not the session value itself. The cookie contains the session value, which is issued by Ory and can then later be checked. Since this is an httpOnly cookie, the values cannot be extracted on the frontend with JS, so you cannot manually manage the cookie itself; rather, you allow the browser to manage it for you. I would recommend sticking with the cookie, and if you need a token on the backend, do a mutation within a separate service to get a JWT you can work with within your services. https://www.ory.sh/docs/security-model
👍 1
a
Alano, thanks for your reply. I managed to send the cookies from the SPA to my backend. However, the validation in the backend using ory.ToSessionAsync(cookieContent) fails. To track down the issue I tried to validate the session manually using Postman, but even that fails. Here's step by step what I manually tried:
1. Using Chrome dev tools, get the content of the ory_session_<project> cookie (see first attached image)
2. Using Postman, create a GET request to http://localhost:4000/sessions/whoami
Postman request fails with HTTP 401. What am I doing wrong? Ory CLI tunnel is running with
npx @ory/cli tunnel --project <my project name> --dev http://localhost:3000
Sorry for the multiple posts, I am done now. Had some issues with Slack. Looking forward to your reply.
@proud-plumber-24205 Sorry, not sure if I have to mention you or you are automatically notified about my update above. Just mentioning you to be sure ;)
p
Hi @abundant-iron-97254, the cookie value isn't a Bearer token and cannot be used in Postman as such. You need to add it to Postman as a cookie value: https://learning.postman.com/docs/sending-requests/cookies/
Not sure what backend language you are using, but we have an example application in TypeScript (Express): https://github.com/ory/kratos-selfservice-ui-node/blob/master/src/pkg/middleware.ts#L69
Here you can see we are passing along the cookie from the request to Ory in the middleware.
Ah, I see, you are using ASP.NET
a
@proud-plumber-24205 Thanks for your help here, got Postman working with a cookie and that also gave me the idea what was wrong in the backend: I only gave the value of the cookie to the ory.ToSessionAsync method instead of cookiename=value as a string. Now everything works. Though I'm glad I could read in the channel that JWTs are on their way to Ory :-)