I'm currently working on an autologin feature. The idea is that users can sign in to partner apps with one credential. For this we use the Authorization header. I have tried a few different ways to try to implement this feature, but without much luck.
In short: I need to send an Authorization header and I am expecting a Set-Cookie response header. All is going well when I'm making this call in Postman, but not when making this call like a user would in the browser. I need the client to be logged in.
This is what i have tried so far:
$.ajax({
    url: authUrl,
    type: 'get',
    // Cross-origin request that should send cookies and accept Set-Cookie:
    // jQuery exposes withCredentials through xhrFields (there is no
    // xhr.crossDomain property; crossDomain is an $.ajax option).
    xhrFields: { withCredentials: true },
    crossDomain: true,
    beforeSend: function (xhr) {
        xhr.setRequestHeader('Authorization', 'Bearer ' + jwt);
    },
    success: function (response, status, xhr) {
        if (xhr.status !== 200) {
            //Some error handling
            return;
        }
        window.open(form.attr('action'));
    }
});
The code above does not set a cookie and has no Set-Cookie response header. Presumably due to security considerations.
//With PHP + Guzzle
use GuzzleHttp\Client;
use GuzzleHttp\Cookie\CookieJar;

$jar = new CookieJar();
$client = new Client();
// Server-to-server call: Guzzle sends the bearer token and collects any
// Set-Cookie headers from the partner's response into $jar.
$response = $client->get($qlikSense->getEndpoint(), [
    'headers' => ['Authorization' => "Bearer {$jwt}"],
    'cookies' => $jar,
]);
// Re-issue each collected cookie to the browser for $domain. Browsers discard
// a cookie whose Domain attribute does not cover the host that set it, so this
// can only ever set cookies for the host serving this PHP response.
foreach ($jar->toArray() as $cookie) {
    setcookie($cookie['Name'], $cookie['Value'], 0, $cookie['Path'], $domain, false, false);
}
I tried to make a curl/Guzzle call and get the Set-Cookie header from there. This did not work either, likely also due to (obvious) security risks.
My final try was the following:
// These are sent as response headers to the browser; a redirect follows.
// The browser does not carry response headers over into the request it
// makes when following the Location redirect.
header("Accept: */*");
header("Authorization: Bearer {$jwt}");
header("Location: {$domain}");
The code above just said that it was missing the authentication header, but it did redirect.
Any input or pointers would be much appreciated.