Pass JWT into HTTP headers and open another tab with URL (and headers) from another domain

I have 2 distinct web Apps (app1 and app2).

Each one is on its own domain.

App1 requests the API of app2 to get a JWT back. It works fine.

Then I need a way to open a new tab with the URL of app2 and pass the JWT, so that app2 could store the JWT in localStorage and display data.

I've tried to pass it in headers but I'm facing a CORS error.

It seems that using iframes would create a CORS issue too.

I could pass the JWT in URL query params, but I've read it was not recommended.

Could you help me find a way to solve that problem?

There are 1 best solutions below

Lajos Arpad On

You can't do that in your browser right away because of CORS, as you also observed.

Passing it as a GET parameter would work but it's not very safe either.

So, you need to pass it in the headers, as you originally planned. But, given your scenario, with opening a new tab, you stumble into the CORS issue.

Hence, this is how you can do it:

  • app1 requests app2 to get the JWT back
  • app1 opens a new tab, passing a URL to app1
  • this page on app1 redirects to app2 and passes the JWT in the header

You will not stumble into CORS in this scenario, because the new tab app1 opens will load an app1 page and that will validly redirect to app2.


A small observation:

It is up to you how you are going to handle JWT, but I would recommend not storing JWT in the localStorage to reduce the chance of it being leaked. Instead, I would create a session to app2 normally via the JWT.
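
The closing recommendation above, sketched as an added example (not part of the original answer): app2 verifies a JWT it receives in an `Authorization` header and hands the browser an opaque session id in an HttpOnly cookie, so the token never sits in localStorage. HS256, the shared secret, the in-memory store, the cookie name and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const sessions = new Map(); // assumption: in-memory store; a real app2 would use a shared store

const b64url = (s) => Buffer.from(s).toString('base64url');

// Constructed helper so a sample HS256 token can be minted offline.
function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Returns the claims, or null if the token is malformed, not HS256, forged or expired.
function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm instead of trusting the token header.
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'HS256') return null;
    const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
    return claims;
  } catch {
    return null;
  }
}

// app2 side: trade a valid bearer JWT for an opaque session id in an HttpOnly cookie.
function exchangeJwtForSession(authorizationHeader, secret, nowSec) {
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(authorizationHeader || '');
  const claims = m && verifyJwt(m[1], secret, nowSec);
  if (!claims) return { status: 401, setCookie: null };
  const sid = crypto.randomBytes(32).toString('base64url');
  sessions.set(sid, { sub: claims.sub, exp: claims.exp });
  // HttpOnly keeps the id away from page scripts; Secure restricts it to HTTPS.
  return { status: 204, setCookie: `sid=${sid}; HttpOnly; Secure; SameSite=Lax; Path=/` };
}
```

The session entry keeps the token's `exp`, so app2 can expire the session no later than the JWT it was created from.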