I’m playing around with JWTs and have it working. I had a couple of questions:
When /session-to-cookie is called, is there a reason that the ss-id, ss-pid, and ss-opt cookies remain? Shouldn’t ss-tok be the only one that is needed?
Is there a way within my service layer to always perform the equivalent of /session-to-cookie, instead of relying on the UI to do it? (Use case: user logs in with Credentials Auth or Okta, but we always want to use JWTs.)
The ss-id/ss-pid cookies always exist to identify connected clients, i.e. you could save information in session bags against these identifiers if you want to.
If you use JWT, the authentication is encapsulated in the stateless ss-tok cookie.
Did you mean /session-to-token? This can also be called with the ConvertSessionToToken Request DTO.
If you use CredentialsAuthProvider and have JWT Auth Provider configured it should automatically convert sessions into JWT Token Cookies (default in v6+).
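The flow discussed in this thread, as an added example that is not part of the original posts or ServiceStack's own code: a self-hosted app registers both providers, a client signs in with credentials, sends the ConvertSessionToToken Request DTO, then reads the resulting ss-tok cookie. The `WhoAmI` service, the port, the user and the password are constructed for the demo.

```csharp
using System;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

public class WhoAmI : IReturn<WhoAmIResponse> {}
public class WhoAmIResponse { public string UserAuthId { get; set; } }

[Authenticate] // hypothetical protected service, used to show the cookie authenticates
public class WhoAmIService : Service
{
    public object Any(WhoAmI request) =>
        new WhoAmIResponse { UserAuthId = GetSession().UserAuthId };
}

public class AppHost : AppSelfHostBase
{
    public AppHost() : base("JwtCookieDemo", typeof(WhoAmIService).Assembly) {}

    public override void Configure(Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                new JwtAuthProvider(AppSettings) {
                    AuthKey = AesUtils.CreateKey(),  // random per-run key, demo only
                    RequireSecureConnection = false, // plain http on localhost, demo only
                },
                new CredentialsAuthProvider(AppSettings),
            }));
        var authRepo = new InMemoryAuthRepository();
        container.Register<IAuthRepository>(authRepo);
        authRepo.CreateUserAuth(new UserAuth { UserName = "demo" }, "constructed-password");
    }
}

public static class Program
{
    public static void Main()
    {
        const string baseUrl = "http://localhost:2001/"; // constructed address
        using var appHost = new AppHost().Init().Start(baseUrl);
        var client = new JsonServiceClient(baseUrl);
        client.Post(new Authenticate { provider = "credentials", UserName = "demo", Password = "constructed-password" });
        // Explicit conversion; the client's cookie container keeps ss-id/ss-pid and gains ss-tok
        client.Post(new ConvertSessionToToken());
        Console.WriteLine($"ss-tok present: {client.GetTokenCookie() != null}");
        Console.WriteLine($"UserAuthId from JWT session: {client.Get(new WhoAmI()).UserAuthId}");
    }
}
```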