I am trying to authenticate users in my external system when they access it via a link inside Retool. The expected behavior is that my API returns an authentication token as a cookie, and this cookie is set for my system's domain, allowing users to be logged in automatically when redirected.
- Steps:
- In Retool, I make a request to my API, sending user credentials.
- My API generates an authentication token and returns it in the response header using `Set-Cookie`, specifying my system's domain.
- After receiving the response in Retool, I redirect the user to my system's link.
- The goal is for the cookie to be stored for my system's domain so the user remains authenticated.
However, the issue is that the cookie is being set for Retool's domain instead. In the response header, Retool seems to append another `Set-Cookie` with `Path=/`, which causes the cookie I set to be applied to Retool's domain instead of my system's.
- My API response includes a `Set-Cookie` header with attributes like `Domain=my-system.com; Path=/; HttpOnly; Secure; SameSite=None`.
- Despite this, the cookie is stored under Retool's domain, not mine.
- Retool seems to override or modify the response headers before they are applied in the browser.
- I need a way to ensure that the cookie is stored for my system’s domain as intended.
- I have checked Retool’s documentation but couldn't find a clear way to prevent this behavior.
I will attach screenshots showing the behavior occurring in Retool, including the request and response headers.
I would love to know if there’s a way to configure Retool to prevent this behavior or if there’s an alternative approach to achieve the expected authentication flow. Any insights, workarounds, or relevant documentation would be greatly appreciated. Thanks in advance for your help!
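As an added illustration (not part of the post and not Retool's code), here is the RFC 6265 rule a browser applies to the `Domain` attribute of a `Set-Cookie` header: a cookie whose `Domain` does not cover the host the response actually came from is discarded, and a `Set-Cookie` without `Domain` is stored as a host-only cookie for the responding host. All host names below are constructed placeholders, and the model does not simulate Retool's proxy.

```python
"""Model of the RFC 6265 (section 5.3) Domain-attribute rule a browser applies
when storing a Set-Cookie header. Illustration only; not Retool's code."""


def parse_set_cookie(header):
    """Return (cookie-name, {lowercase attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def domain_matches(request_host, domain_attr):
    """RFC 6265 section 5.1.3: the host is the domain itself or a subdomain of it."""
    host = request_host.lower()
    domain = domain_attr.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_domain(header, request_host):
    """Domain the browser stores this cookie under, or None if it rejects it.
    Simplification: public-suffix checks (e.g. Domain=com) are not modelled."""
    _, attrs = parse_set_cookie(header)
    domain_attr = attrs.get("domain")
    if not domain_attr:
        return request_host.lower()      # no Domain attribute: host-only cookie
    if not domain_matches(request_host, domain_attr):
        return None                      # section 5.3 step 6: ignore the cookie
    return domain_attr.lower().lstrip(".")


def accepted(headers, request_host):
    """Map cookie name -> stored domain for every Set-Cookie header the browser keeps."""
    result = {}
    for header in headers:
        name, _ = parse_set_cookie(header)
        domain = cookie_domain(header, request_host)
        if domain is not None:
            result[name] = domain
    return result


if __name__ == "__main__":
    # Constructed sample headers: the API's cookie, and a second one without Domain.
    API_COOKIE = "token=abc123; Domain=my-system.com; Path=/; HttpOnly; Secure; SameSite=None"
    HOST_ONLY_COOKIE = "token=abc123; Path=/"
    print(accepted([API_COOKIE], "api.my-system.com"))               # {'token': 'my-system.com'}
    print(accepted([API_COOKIE, HOST_ONLY_COOKIE], "proxy.example"))  # {'token': 'proxy.example'}
```

The second call shows the post's symptom in miniature: from a host that `Domain=my-system.com` does not cover, the API's cookie is dropped and only the `Domain`-less one survives, stored under the responding host.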