When I call the OWIN /token endpoint I get the bearer token in the response and a set-cookie header that has a token. Are these tokens the same? If not how do I make them the same?
1
votes
1 Answers
2
votes
No they are not the same, the token you receive is the access token needed to access your protected API (APIs attribute with [Authorize]) and contains all the claims you want to encode inside it.
I've not seen token inside cookie returned when you call /token end point. Anyhow you usually depend on tokens or cookies for security not both.
