I have an authentication workflow as follows:
- From the client I send encrypted user and password credentials in an x-authorization header in a request to the API endpoint example.net/login.
- The response of this request sends back authorization cookies set with set-cookie in the header.
- The cookies are used in a subsequent request to example.net/user, where the endpoint validates the cookies.
Now, with current and upcoming policies regarding third-party cookies, the cookies set and forwarded via the first response get blocked by modern browsers (it seems) and the endpoint example.net/user returns a 401 status code. It works when the user enables third-party cookies in their browser.
Is there still any way of cookie based authorization possible, or any alternative authorization flow at all, without forcing the user to enable cookies in their browsers?
I tried setting the cookies manually in the client via JavaScript, since the first request also has the cookies as JSON in its response data. But nothing works so far.
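Two things are worth checking before changing the flow: which attributes the /login response actually puts on its set-cookie header, and whether the client sends the request with credentials at all. The following is an added example, not code from the question or from example.net; the example.net URLs come from the question, while the cookie name, values and the /login response headers are constructed for illustration. It classifies a set-cookie header by whether a browser will attach that cookie to a cross-site request (SameSite=None requires Secure; a missing SameSite defaults to Lax in current Chromium, which is never sent cross-site), and builds the matching client request options for the cookie-based flow and for a token-based alternative that does not depend on cookies at all.

```javascript
// Added example (not from the original question). Assumes example.net is the
// API origin from the question; cookie names/values below are constructed.

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Will a browser attach this cookie to a cross-site fetch, e.g. from a client
// on another site to https://example.net/user? Rules applied:
//  - SameSite=None; Secure  -> sent cross-site, unless the user/browser blocks
//                              third-party cookies (the symptom in the question)
//  - SameSite=None, no Secure -> rejected outright by modern browsers
//  - SameSite=Lax/Strict (or absent, which defaults to Lax) -> never sent cross-site
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  const sameSite = typeof c.attrs.samesite === 'string'
    ? c.attrs.samesite.toLowerCase()
    : 'lax'; // default when the attribute is missing
  const secure = c.attrs.secure === true;
  if (sameSite === 'none' && secure) {
    return { name: c.name, sendable: true,
      reason: 'SameSite=None; Secure: sent cross-site unless third-party cookies are blocked' };
  }
  if (sameSite === 'none') {
    return { name: c.name, sendable: false,
      reason: 'SameSite=None without Secure is rejected by modern browsers' };
  }
  return { name: c.name, sendable: false,
    reason: `SameSite=${sameSite} is not sent on cross-site requests` };
}

// Client request options for the two flows. In the cookie flow the fetch must
// use credentials: 'include' on BOTH /login (so the browser stores the cookie)
// and /user (so it sends it). In the token flow the secret travels in an
// Authorization header held in memory by the client, so third-party cookie
// settings do not apply. Note that JavaScript cannot create an HttpOnly cookie,
// and any cookie it does create via document.cookie belongs to the client's own
// origin, not to example.net, so it is never sent to example.net anyway.
function buildUserRequest(mode, token) {
  const url = 'https://example.net/user';
  if (mode === 'cookie') {
    return { url, options: { method: 'GET', credentials: 'include' } };
  }
  if (mode === 'token') {
    return { url, options: { method: 'GET', headers: { Authorization: `Bearer ${token}` } } };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Constructed sample headers, as a /login response might return them.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=None',
  'session=abc123; Path=/; HttpOnly; SameSite=None',
  'session=abc123; Path=/; HttpOnly; Secure',
];

for (const h of SAMPLE_HEADERS) {
  const v = crossSiteVerdict(h);
  console.log(`${v.sendable ? 'OK  ' : 'FAIL'} ${h}\n      ${v.reason}`);
}
console.log(buildUserRequest('cookie'));
console.log(buildUserRequest('token', 'constructed-token-value'));
```

Run it with node to see which of the three sample headers would survive a cross-site request. If the real /login response looks like the first sample and the request already uses credentials: 'include', the remaining 401s come from third-party cookie blocking itself, which is exactly the case the token flow sidesteps. If the client and API are actually on the same site (for example app.example.net calling example.net), the cookie is first-party and none of the third-party restrictions apply, so checking the client's origin is the first step.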