
javascript - CORS issue when getting a token in Azure AD B2C (Implicit Flow) - Stack Overflow



We are trying to implement Azure AD B2C authentication with a web app using implicit flow. We can login and successfully get redirected to the correct url which includes the correct items on the redirect url (id_token&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token) the app then needs to perform a xhr POST request to the token endpoint to retrieve a token for a resource (web api) the app needs to interact with. However, when I try and do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c_1_signinpolicy) the browser (quite rightly) performs a preflight check (an OPTIONS call) to determine if it can call the endpoint as it is on a different domain. The OPTIONS call works but it does not contain the required headers (Access-Control-Allow-Origin) for the browser to allow the POST call to the endpoint.

Am I missing something or doing something wrong?

Any help appreciated!

Jon

asked Dec 10, 2015 at 11:11 by Jon; edited Dec 10, 2015 at 14:40
  • It seems implicit flow is not yet supported, see azure.microsoft.com/en-us/documentation/articles/… – Bojan Resnik, Dec 10, 2015 at 13:08
  • @BojanResnik Yes I saw this although everything about the UI and other documentation suggests otherwise. – Jon, Dec 10, 2015 at 14:01
  • According to MS doc you can simply set your app as SPA and the CORS issue will be gone. learn.microsoft.com/en-us/azure/active-directory/develop/… – WolfRevo, Jun 23, 2021 at 15:44

1 Answer


The Azure AD auth endpoints (B2C or otherwise) don't support CORS, nor will they ever.

For Javascript apps, we use the implicit flow with response_type=token or response_type=id_token to get tokens directly from the authorize endpoint - no CORS necessary. Feel free to try it out, it should work just fine.

The reason we say Javascript apps are unsupported right now is because after one hour, the id_token/access_token you get using this method will expire. And we don't have a way to refresh/get a new token silently. This means in the best case, your Javascript app will have to redirect to AAD every hour.

We don't think that's acceptable, so we're working on a feature that will solve this problem. But for now we'll continue to call Javascript apps unsupported.
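As an added example (not code from the question or the answer), this is the authorize-endpoint flow the answer describes, in browser-side JavaScript: build the request with response_type=id_token token and the B2C policy parameter, then parse the fragment delivered to the redirect URI and check state, nonce and expiry, so no XHR to the token endpoint and therefore no CORS preflight is involved. The tenant, client id, policy name and redirect URI are placeholders, and the sample fragment is constructed with an unsigned id_token.

```javascript
// Added example (not from the question or answer): implicit-flow request and
// response handling for an Azure AD B2C browser app using only the authorize
// endpoint. Tenant, client id, policy and redirect URI are placeholders.
const AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"; // placeholder tenant

// response_type=id_token token returns both tokens in the redirect fragment,
// so no POST to /token is made and no CORS preflight occurs.
function buildAuthorizeUrl({ clientId, policy, redirectUri, scope, state, nonce }) {
  const params = new URLSearchParams({
    client_id: clientId, response_type: "id_token token", redirect_uri: redirectUri,
    response_mode: "fragment", scope, state, nonce, p: policy,
  });
  return `${AUTHORITY}/authorize?${params.toString()}`;
}

// Decode a JWT payload (base64url) without verifying the signature; the claims
// may only be trusted after the signature is checked against the tenant's keys.
function decodeJwtPayload(jwt) {
  const part = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(part + "=".repeat((4 - (part.length % 4)) % 4)));
}

// Parse the redirect fragment: reject error responses, a state that does not
// match the one sent (CSRF), and an id_token whose nonce differs (replay).
function parseImplicitResponse(fragment, expectedState, expectedNonce, now = Date.now()) {
  const r = Object.fromEntries(new URLSearchParams(fragment.replace(/^#/, "")));
  if (r.error) throw new Error(`${r.error}: ${r.error_description || ""}`);
  if (r.state !== expectedState) throw new Error("state mismatch");
  const claims = decodeJwtPayload(r.id_token);
  if (claims.nonce !== expectedNonce) throw new Error("nonce mismatch");
  // expires_in is seconds; with no silent renewal (see the answer), the app must
  // send the user back to the authorize endpoint before this instant.
  const expiresAt = now + Number(r.expires_in) * 1000;
  return { idToken: r.id_token, accessToken: r.access_token, claims, expiresAt };
}

// Constructed sample redirect fragment carrying an unsigned id_token (demo only).
function sampleFragment(state, nonce) {
  const b64url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const idToken = `${b64url('{"alg":"none"}')}.${b64url(JSON.stringify({ sub: "user1", nonce }))}.`;
  return `#id_token=${idToken}&access_token=sample-access-token&token_type=Bearer` +
         `&expires_in=3600&state=${state}`;
}
```

The state and nonce values must be generated with a CSPRNG per login attempt and kept in session storage until the redirect returns; the example checks them but leaves their generation to the caller.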
