Bearer Token getting possibly dropped?

I have a custom AuthProvider for validating JWTs from Azure Active Directory.

Using the JsonServiceClient, I am setting the bearer token to that of the access token received from AAD. Authentication into the APIs is working as well.

Here is the strange situation. When both the APIs and my web app are on my local host, everything works fine.
When both are hosted in Azure, everything works fine. Now when my web app is run locally and the API is in Azure, I get an authenticationrequired error message. I have confirmed that the bearer token is getting set, but it seems to not be making it to the API. Now if I take said access token and submit a request via Postman it works just fine.

All of my code is targeting .NET 4.7.1. I am using the same code in all scenarios; the only thing that is changing is the API endpoint.

Anyone seen this issue before or have any idea what may be causing this?

What do you mean by dropped? Is it a token cookie that’s no longer being sent with the request?

Are you looking at the raw HTTP Headers to determine it’s no longer being sent? Can you provide a trace of the raw HTTP Headers which show the last request where it was sent and the HTTP Headers just after where it’s no longer being sent?

This is the auth response.


and this is the cookie in the application

On HTTPS and InPrivate everything works fine…

The Set-Cookie instruction for the ss-tok cookie looks OK. Show the Request headers for a subsequent request.

The ss-tok cookie is a “HTTP Only” cookie that’s not accessible via JS within the web page, so it’s only going to be “visible” by the server when requests are made, so you need to look at the HTTP Request headers of subsequent requests to the same domain.

The next request does not contain the ss-tok cookie…
It isn’t set inside the cookie. So the request fails because of missing auth information…

Please show the full HTTP Request headers, it’s better if you use something like Fiddler to capture the Raw HTTP Request so you can see the raw Request Headers in plain-text as it’s sent.

Make sure the request is for the same domain as the Auth Response.
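
An added example, not part of the thread and not ServiceStack code: a simplified RFC 6265 check of whether a browser would attach a cookie such as ss-tok to a follow-up request, given the Set-Cookie header and the two URLs. The hostnames and cookie value are constructed, and Expires/Max-Age and SameSite are deliberately left out.

```javascript
// Simplified RFC 6265 matching: would a browser attach this cookie to a request?
// Ignores Expires/Max-Age and SameSite; hostnames and cookie values below are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

function wouldSendCookie(setCookieHeader, responseUrl, requestUrl) {
  const c = parseSetCookie(setCookieHeader);
  const origin = new URL(responseUrl); // URL that returned the Set-Cookie header
  const req = new URL(requestUrl);     // the subsequent request being checked
  if (c.attrs.secure && req.protocol !== "https:")
    return { send: false, reason: "Secure cookie, non-HTTPS request" };
  if (typeof c.attrs.domain === "string") {
    const domain = c.attrs.domain.replace(/^\./, "").toLowerCase();
    if (!domainMatches(req.hostname, domain))
      return { send: false, reason: "request host outside cookie Domain" };
  } else if (req.hostname !== origin.hostname) {
    return { send: false, reason: "host-only cookie, different host" };
  }
  // Default path: the response URL's path up to, not including, its last "/".
  const defaultPath = origin.pathname.slice(0, origin.pathname.lastIndexOf("/")) || "/";
  const path = typeof c.attrs.path === "string" ? c.attrs.path : defaultPath;
  if (!pathMatches(req.pathname, path))
    return { send: false, reason: "request path outside cookie Path" };
  return { send: true, reason: "cookie attached" };
}

// Constructed sample: auth response from a hosted API, then two follow-up requests.
const setCookie = "ss-tok=eyJ.constructed.token; path=/; secure; HttpOnly";
console.log(wouldSendCookie(setCookie, "https://api.example.net/auth", "https://api.example.net/orders"));
console.log(wouldSendCookie(setCookie, "https://api.example.net/auth", "http://localhost:5000/orders"));
```

The reason string only narrows down where to look; the raw request headers captured in a proxy remain the authoritative record of what was actually sent.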