When I call the OWIN /token endpoint I get the bearer token in the response and a Set-Cookie header that has a token. Are these tokens the same? If not, how do I make them the same?

1 Answer

No, they are not the same. The token you receive is the access token needed to access your protected API (APIs attributed with [Authorize]) and contains all the claims you want to encode inside it.

I've not seen a token inside a cookie returned when you call the /token endpoint. Anyhow, you usually depend on tokens or cookies for security, not both.
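The following is an added example, not code from the question or the answer above, showing the bearer-only setup the answer describes: an OWIN authorization server issuing access tokens at /token, the bearer middleware validating them on [Authorize] APIs, and no cookie middleware registered at all, so the only credential the client ever holds is the access token. `BearerOnlyProvider`, `ValuesController` and the `UserStore.Verify` credential check are assumed names (the last one is a placeholder you replace with your own hashed-password lookup); the OWIN and Web API types are the real ones from Microsoft.Owin.Security.OAuth and System.Web.Http.Owin.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Expected exchange (constructed for illustration):
//   POST /token            body: grant_type=password&username=alice&password=...
//   -> 200 {"access_token":"...","token_type":"bearer","expires_in":1799}
//   GET  /api/values       header: Authorization: Bearer <access_token>
//   -> 200 {"user":"alice"}        (a request with only a cookie gets 401)
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new BearerOnlyProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false   // bearer tokens are credentials; require TLS
        };

        // Issues the access token at /token ...
        app.UseOAuthAuthorizationServer(options);
        // ... and validates "Authorization: Bearer <token>" on every API call.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        // Deliberately no app.UseCookieAuthentication(...): no cookie is ever set,
        // so there is no second token to keep in sync with the access token.

        var config = new HttpConfiguration();
        // Ignore any ambient cookie principal from the host process; only the OWIN
        // bearer middleware may authenticate Web API requests.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

// Assumed provider name: handles the resource-owner password grant.
public class BearerOnlyProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public client without a client secret; accept and move on to the user check.
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // UserStore.Verify is a placeholder for your real hashed-credential check.
        if (!UserStore.Verify(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        // These claims are encoded into the access token itself; the API later reads
        // them back from User.Identity without any server-side session or cookie.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

// Placeholder credential store (assumed): replace with your own user lookup.
internal static class UserStore
{
    public static bool Verify(string userName, string password)
    {
        throw new NotImplementedException("replace with a hashed-password check against your user store");
    }
}

// Protected API: reachable only with a valid bearer token, never with a cookie.
[Authorize]
[RoutePrefix("api/values")]
public class ValuesController : ApiController
{
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        return Ok(new { user = User.Identity.Name });
    }
}
```

The two calls to `SuppressDefaultHostAuthentication` and `HostAuthenticationFilter` are what keep the "tokens or cookies, not both" rule honest when the API is hosted in IIS alongside an MVC site: without them a forms or identity cookie set by the host could authenticate API requests too, and you would end up with exactly the two-credential situation the question describes.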