If a JWT is not included in the Authorization header or a query string, attempt to get a JWT from an HTTP only cookie.