public async Task<IActionResult> AuthByApiKey([FromQuery] string apiKey, [FromQuery] string redirectURL = null)
{
    // Cookie attributes shared by every Set-Cookie header written below.
    var secure = _settings.CookieSecure ? "Secure;" : "";
    var expires = _settings.CookieExpiryDays == 0
        ? ""
        : $"Expires={DateTime.UtcNow.AddDays(_settings.CookieExpiryDays).ToString("ddd, dd MMM yyyy HH:mm:ss 'GMT'")};";

    var user = User.Identity;

    // Auth user: without an identity the caller is not signed in, so the token cookie is
    // overwritten with a "False" value and the caller is sent to redirectURL (or the request
    // fails when no redirectURL was supplied). Note that in ASP.NET Core User.Identity is
    // normally non-null even for anonymous requests; IsAuthenticated is the usual signal.
    if (user == null)
    {
        if (string.IsNullOrWhiteSpace(redirectURL))
        {
            return BadRequest();
        }

        Response.Headers.Add("Set-Cookie",
            $"{_settings.TokenName}={false}; Domain={_settings.CookieDomain}; SameSite={_settings.SameSite}; Path={_settings.CookiePath};{secure} HttpOnly");
        return Redirect(redirectURL);
    }

    var client = await _dataRepository.GetClientByApiKey(apiKey);

    // Auth API key: an unknown key is handled exactly like an unauthenticated user.
    if (client == null)
    {
        if (string.IsNullOrWhiteSpace(redirectURL))
        {
            return BadRequest();
        }

        Response.Headers.Add("Set-Cookie",
            $"{_settings.TokenName}={false}; Domain={_settings.CookieDomain}; SameSite={_settings.SameSite}; Path={_settings.CookiePath};{secure} HttpOnly");
        return Redirect(redirectURL);
    }

    // Issue a JWT scoped to the client's audience and app-group regexes and deliver it in the
    // client's own cookie (its token name, domain and path), with the optional expiry above.
    var token = _jwtHelper.Create(user, client.Audience, client.AppGroupRegexes);
    Response.Headers.Add("Set-Cookie",
        $"{client.TokenName}={token};{expires} Domain={client.CookieDomain}; SameSite={_settings.SameSite}; Path={client.CookiePath};{secure} HttpOnly");

    // redirectURL comes straight from the query string and is used as-is; nothing in this
    // action restricts it to known destinations.
    if (string.IsNullOrWhiteSpace(redirectURL))
    {
        return Ok();
    }

    return Redirect(redirectURL);
}