We are trying to implement Azure AD B2C authentication with a web app using implicit flow. We can log in and successfully get redirected to the correct URL, which includes the correct items on the redirect URL (id_token&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token) the app then needs to perform an XHR POST request to the token endpoint to retrieve a token for a resource (web API) the app needs to interact with. However, when I try to do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c_1_signinpolicy) the browser (quite rightly) performs a preflight check (an OPTIONS call) to determine if it can call the endpoint, as it is on a different domain. The OPTIONS call works but it does not contain the required headers (Access-Control-Allow-Origin) for the browser to allow the POST call to the endpoint.
Am I missing something or doing something wrong?
Any help appreciated!
Jon
asked Dec 10, 2015 at 11:11 by Jon (edited Dec 10, 2015 at 14:40)

Comments:
- It seems implicit flow is not yet supported, see azure.microsoft.com/en-us/documentation/articles/… – Bojan Resnik, Dec 10, 2015 at 13:08
- @BojanResnik Yes, I saw this, although everything about the UI and other documentation suggests otherwise. – Jon, Dec 10, 2015 at 14:01
- According to the MS doc you can simply set your app as an SPA and the CORS issue will be gone. learn.microsoft.com/en-us/azure/active-directory/develop/… – WolfRevo, Jun 23, 2021 at 15:44
1 Answer
The Azure AD auth endpoints (B2C or otherwise) don't support CORS, nor will they ever.
For JavaScript apps, we use the implicit flow with response_type=token or response_type=id_token to get tokens directly from the authorize endpoint - no CORS necessary. Feel free to try it out, it should work just fine.
The reason we say JavaScript apps are unsupported right now is that after one hour, the id_token/access_token you get using this method will expire. And we don't have a way to refresh/get a new token silently. This means in the best case, your JavaScript app will have to redirect to AAD every hour.
We don't think that's acceptable, so we're working on a feature that will solve this problem. But for now we'll continue to call JavaScript apps unsupported.