
CORS error using PublicClientApplication #5103

Closed
fmg-kevin-kilroy opened this issue Aug 16, 2022 · 4 comments
Labels: answered (Question has received "first qualified response"), public-client (Issues regarding PublicClientApplications), question (Customer is asking for a clarification, use case or information.)

Comments


fmg-kevin-kilroy commented Aug 16, 2022

Core Library: MSAL Node (@azure/msal-node)

Core Library Version: 1.12.0

Wrapper Library: Not Applicable

Wrapper Library Version: None

Public or Confidential Client: Public

Description

Hi,

I have a serverless function running msal-node as a PublicClientApplication which is protecting static content.

I'm using the Authorization Code Flow with PKCE.

The Client is a web-browser. When the browser requests an asset say:

https://domain-1.com/1234.js

Then the function returns the 302 redirect to the browser to the Microsoft authorize endpoint.

The problem I've run into seems to be related to CORS:

My UI is hosted on:

https://domain-2.com/

Which then requests: https://domain-1.com/1234.js

This time though, the browser handles the redirect but then blocks the response from the Microsoft authorize endpoint:

Access to script at 'https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize?client_id=f38...(redirected from 'https://domain-1.com/1234.js') from origin 'https://domain-2.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have added the 'Access-Control-Allow-Origin': * (and also tried https://domain-2.com) to the redirect response of the initial request to https://domain-1.com/1234.js and can see it in the browser.

The other thing I noticed is when I'm going via the single domain there is no Origin header set in the request to the Microsoft authorize endpoint; however, when I go across the domain, the Origin header is present in the request, but set to null.

Is it possible to call the Microsoft authorize endpoint via a CORS initiated original request?

MSAL Configuration: No response

Relevant Code Snippets: No response

Identity Provider: Azure AD / MSA

Source: External (Customer)


hectormmg commented Aug 16, 2022

@kevinkilroy MSAL and AAD don't support initiating token requests on a server and then finishing on the client. Is there a reason you can't use msal-browser (assuming you have a JS front-end) to make the token request directly from the client?

fmg-kevin-kilroy (Author) commented

We do use msal-browser but that's initiated from a different domain, then more static content is pulled from another domain, so the 2nd domain has no knowledge of the fact that the client is already authenticated.

hectormmg (Member) commented

There's no way for MSAL to access the 302 contents because the browsers will block cross-origin requests.

fmg-kevin-kilroy (Author) commented

Yes, I've reached the same conclusion, therefore I will proxy requests so they're all served from the same domain/origin, and then the flow succeeds. Thanks for your input.
