I've noticed that for the registration endpoint when I try to create a user and registration https://fusionauth.io/docs/v1/tech/apis/registrations#create-a-user-and-registration-combined It returns the access and refresh token but they are not set as HTTPOnly cookies. Whereas when I login https://fusionauth.io/docs/v1/tech/apis/login#authenticate-a-user or using identity provider https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login I get both the access and refresh token set as HTTPOnly cookies. So why does registration not have this? I want to be able to set my refresh token in a http only cookie after the user registers. In this case, would I need to make another request to the login end point right after registration to set a HTTPOnly cookie with the token? If that is the case, why am i getting the access and refresh token back from the registration call in the first place? Any insight will be greatly appreciated. Thanks!
Best posts made by nearat
-
Why does the registration endpoint not set HTTPOnly Cookies with Refresh Token like the Login Endpoint?
Latest posts made by nearat
-
Why does the registration endpoint not set HTTPOnly Cookies with Refresh Token like the Login Endpoint?
I've noticed that for the registration endpoint when I try to create a user and registration https://fusionauth.io/docs/v1/tech/apis/registrations#create-a-user-and-registration-combined It returns the access and refresh token but they are not set as HTTPOnly cookies. Whereas when I login https://fusionauth.io/docs/v1/tech/apis/login#authenticate-a-user or using identity provider https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login I get both the access and refresh token set as HTTPOnly cookies. So why does registration not have this? I want to be able to set my refresh token in a http only cookie after the user registers. In this case, would I need to make another request to the login end point right after registration to set a HTTPOnly cookie with the token? If that is the case, why am i getting the access and refresh token back from the registration call in the first place? Any insight will be greatly appreciated. Thanks!