1. The service will always return 200. What one would be looking at is the "Set-Cookie" header of the response.
2. If the call is successful, the server will return a response containing "Set-Cookie" with the appropriate value, which then can be used and set into the API calls:
var cookiesToSet = response.Headers.GetValues("Set-Cookie");
this.Cookies.SetCookies(this.BaseAddress, string.Join(", ", cookiesToSet));
3. What happens when we don't supply the JWT token at all?
- One can test that by commenting out
this.DefaultRequestHeaders.Add(SitefinityClient.AuthorizationHeader, "Bearer " + tokenResponse.AccessToken); on line 77 of AuthenticateSitefinity.cs *
The request will still go through with 200, and the Set-Cookie value will still be set.
However, on the server the Identity will resolve to Anonymous, and the subsequent requests will return "User Not Found", i.e. the requests will not pass. The OOTB OData services will return 401.
4. Since Sitefinity checks whether a user is already logged in before issuing a cookie, one should always do one of the two things:
4.1 Either use the ?forceLogin=true parameter, which overrides the current user session (line 147 of SitefinityClient.cs) and gets a new JWT token.
4.2 Or always log the client out after it is done performing its operations (line 31 of AuthenticateSitefinity.cs).
If the user is still logged in when the cookie is requested, the response will be the dialog "Are you sure you want to log the user out", and the cookie will be issued as for a user that is not logged in. (This can be changed in Security Settings -> 'Disable the limit of active simultaneous backend users' set to true, but using that setting is not recommended at all.)
*The files can be found in the attachment related to 000082866.
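The flow from steps 1 through 4, as an added C# example; it is not the article's code and is not taken from the attached SitefinityClient.cs or AuthenticateSitefinity.cs. The login path, logout path and probe endpoint are placeholders, and the class and method names (SitefinityCookieSession, AcquireCookieAsync, VerifySessionAsync, LogoutAsync) are assumptions. It shows the two checks the article implies: the 200 status is ignored in favour of the Set-Cookie header, and the cookie is not trusted until an authenticated call proves the identity is not Anonymous; the logout from step 4.2 runs in a finally block so a client never leaves a backend user logged in.

```csharp
// Added example, not the original article's or the attachment's code.
// ASSUMPTIONS: the three path constants below are placeholders to be taken from the
// attached sources; names of this class and its methods are invented for illustration.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

public sealed class SitefinityCookieSession
{
    private const string LoginPath = "PLACEHOLDER_LOGIN_PATH";    // endpoint that issues the cookie
    private const string LogoutPath = "PLACEHOLDER_LOGOUT_PATH";  // endpoint used on line 31 (step 4.2)
    private const string ProbePath = "PLACEHOLDER_ODATA_PATH";    // any OOTB OData endpoint (step 3)

    private readonly CookieContainer _cookies = new CookieContainer();
    private readonly HttpClient _http;
    private readonly Uri _baseAddress;

    public SitefinityCookieSession(Uri baseAddress)
    {
        _baseAddress = baseAddress;
        // UseCookies = false so that only cookies we explicitly accept below are stored.
        _http = new HttpClient(new HttpClientHandler { UseCookies = false }) { BaseAddress = baseAddress };
    }

    // Steps 1-2 and 4.1: the service returns 200 whether or not login succeeded, so the
    // Set-Cookie header, not the status code, decides success. forceLogin=true overrides
    // a still-active backend session instead of receiving the logout-confirmation dialog.
    public async Task<bool> AcquireCookieAsync(string accessToken, bool forceLogin)
    {
        string path = LoginPath + (forceLogin ? "?forceLogin=true" : "");
        using (var request = new HttpRequestMessage(HttpMethod.Get, path))
        {
            request.Headers.TryAddWithoutValidation("Authorization", "Bearer " + accessToken);
            using (HttpResponseMessage response = await _http.SendAsync(request))
            {
                if (!response.Headers.TryGetValues("Set-Cookie", out IEnumerable<string> cookiesToSet))
                    return false; // 200 without Set-Cookie: nothing was issued
                _cookies.SetCookies(_baseAddress, string.Join(", ", cookiesToSet));
                return true;
            }
        }
    }

    // Step 3: a cookie is issued even when no bearer token was sent, but the server-side
    // Identity is then Anonymous. Prove the session is real before relying on it.
    public async Task<bool> VerifySessionAsync()
    {
        using (var request = BuildRequest(HttpMethod.Get, ProbePath))
        using (HttpResponseMessage response = await _http.SendAsync(request))
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
                return false; // OData services answer 401 for an anonymous identity
            string body = await response.Content.ReadAsStringAsync();
            return !body.Contains("User Not Found");
        }
    }

    // Step 4.2: release the backend user so the next login does not hit the active-user limit.
    public async Task LogoutAsync()
    {
        using (var request = BuildRequest(HttpMethod.Get, LogoutPath))
        using (await _http.SendAsync(request)) { }
    }

    private HttpRequestMessage BuildRequest(HttpMethod method, string path)
    {
        var request = new HttpRequestMessage(method, path);
        string cookieHeader = _cookies.GetCookieHeader(_baseAddress);
        if (cookieHeader.Length > 0)
            request.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
        return request;
    }

    // Typical use: acquire, verify, work, and always log out.
    public static async Task RunAsync(Uri baseAddress, string accessToken)
    {
        var session = new SitefinityCookieSession(baseAddress);
        try
        {
            if (!await session.AcquireCookieAsync(accessToken, forceLogin: true))
                throw new InvalidOperationException("No Set-Cookie in login response");
            if (!await session.VerifySessionAsync())
                throw new InvalidOperationException("Cookie issued for an Anonymous identity");
            // ... perform the API calls here ...
        }
        finally
        {
            await session.LogoutAsync();
        }
    }
}
```

VerifySessionAsync is the check worth keeping even after the placeholders are filled in: a missing or expired bearer token fails silently at the cookie-issuing endpoint, and only the first authenticated call reveals that the session belongs to Anonymous.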