CORS error using PublicClientApplication #5103
Labels
answered
Question has received "first qualified response"
public-client
Issues regarding PublicClientApplications
question
Customer is asking for a clarification, use case or information.
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
1.12.0
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Public
Description
Hi,
I have a serverless function running msal-node as a PublicClientApplication which is protecting static content.
I'm using the Authorization Code Flow with PKCE.
The client is a web browser. When the browser requests an asset, say:
https://domain-1.com/1234.js
Then the function returns the 302 redirect to the browser to the Microsoft authorize endpoint.
The problem I've run into seems to be related to CORS:
My UI is hosted on:
https://domain-2.com/
Which then requests: https://domain-1.com/1234.js
This time though, the browser handles the redirect but then blocks the response from the Microsoft authorize endpoint:
Access to script at 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?client_id=f38...(redirected from 'https://domain-1.com/1234.js') from origin 'https://domain-2.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have added the 'Access-Control-Allow-Origin': * (and also tried https://domain-2.com) to the redirect response of the initial request to https://domain-1.com/1234.js and can see it in the browser.
The other thing I noticed is when I'm going via the single domain, there is no Origin header set in the request to the Microsoft authorize endpoint. However, when I go across the domain, the Origin header is present in the request, but set to null.
Is it possible to call the Microsoft authorize endpoint via a CORS initiated original request?
MSAL Configuration
No response
Relevant Code Snippets
No response
Identity Provider
Azure AD / MSA
Source
External (Customer)
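Added example, not part of the original post or of MSAL: a simplified JavaScript model of the Fetch standard's redirect rules for a cors-mode request, showing why the Origin header becomes null on the hop to the authorize endpoint and why an Access-Control-Allow-Origin header on the first response alone does not satisfy the browser. The function names are hypothetical, the response headers are constructed, and the tenant id is a placeholder.

```javascript
// Added example: simplified model of the Fetch standard's redirect rules for a
// "cors"-mode GET without credentials. Response headers below are constructed.
const originOf = (url) => new URL(url).origin;

// hops: [{ url, acao }] in visit order; acao is that response's
// Access-Control-Allow-Origin value (undefined when the header is absent).
function traceCorsRedirects(pageOrigin, hops) {
  let tainted = false;    // Fetch "tainted origin" flag
  let tainting = "basic"; // becomes "cors" once a hop is cross-origin
  const trace = [];
  for (let i = 0; i < hops.length; i++) {
    const { url, acao } = hops[i];
    const target = originOf(url);
    if (i > 0) {
      const previous = originOf(hops[i - 1].url);
      // A cross-origin redirect issued by a server that was itself cross-origin
      // to the page taints the request: Origin is serialized as "null" from here.
      if (target !== previous && previous !== pageOrigin) tainted = true;
    }
    if (target !== pageOrigin) tainting = "cors";
    const originHeader =
      tainting === "cors" ? (tainted ? "null" : pageOrigin) : undefined;
    // CORS check: every cross-origin response in the chain, redirects included,
    // must carry "*" or the exact Origin value that was sent on that hop.
    const allowed =
      tainting === "basic" || acao === "*" ||
      (acao !== undefined && acao === originHeader);
    trace.push({ url, originHeader, allowed });
    if (!allowed) return { trace, blockedAt: url };
  }
  return { trace, blockedAt: null };
}

// Constructed chain matching the post: page on domain-2, asset on domain-1,
// 302 to the authorize endpoint (tenant id is a placeholder).
const AUTHORIZE =
  "https://login.microsoftonline.com/tenant-id-placeholder/oauth2/v2.0/authorize";
function postScenario(firstHopAcao) {
  return traceCorsRedirects("https://domain-2.com", [
    { url: "https://domain-1.com/1234.js", acao: firstHopAcao },
    { url: AUTHORIZE, acao: undefined }, // no header, per the error in the post
  ]);
}

console.log(JSON.stringify(postScenario("*"), null, 2));
```

The model covers only the Origin serialization and the Access-Control-Allow-Origin comparison; credentials, preflights and no-cors requests are outside it.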