1

For applications that authenticate users with Windows Azure Active Directory (WAAD), unable to refresh token from JavaScript.

All the resources are protected by the Authorize attribute, which makes calls to login.windows.net/{0} if the token is expired. If the request is from a page load it works as expected, but if the request is from a JavaScript AJAX call it is unable to make the call to login.windows.net/{0}. It returns with status 302 and the message:

XMLHttpRequest cannot load https://login.windows.net/xxx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'xxx' is therefore not allowed access.

How to refresh the token from JavaScript calls?

1 Answer

1

It looks like you secured your web API with a method more suited for web UX. Take a look at ADAL JS for a more reliable way of dealing with JavaScript-driven apps: http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/

For an explanation of how token renewal works, see the video linked in that post.

HTH, V.

vibronet
  • I am not doing pure client-side JS authentication. It is a simple MVC application with WAAD authentication and an AJAX call which needs users to be authorized. – Shruthika Katakam Mar 10 '15 at 18:54
  • What I am saying is that if you don't use JS driven authentication, you will experience issues like this one. Redirect based protocols are not designed to handle token refresh. If you need both UX and API support see http://www.cloudidentity.com/blog/2014/04/28/use-owin-azure-ad-to-secure-both-mvc-ux-and-web-api-in-the-same-project/ and http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/. – vibronet Mar 10 '15 at 18:56
  • Thanks for the reply, I read through the blogs. But what I have is an MVC web app with controllers implementing System.Web.Mvc.Controller (no System.Web.Http.ApiController implementation). So it is not a mix of UX and API. The UX page has a few buttons that load data using jQuery AJAX calls, whose action methods (returning JSON) are secured using [Authorize] attributes. After WAAD login, the page and data load (using AJAX calls) works fine. But for few minutes, these calls start to fail with the above message. So are you suggesting I use ADAL JS even though I don't do client-side login/authentication? – Shruthika Katakam Mar 16 '15 at 22:49
  • Did you ever figure out how to resolve this issue? I'm experiencing this now within my controllers and am using Azure AD authentication. – Sherman May 22 '16 at 17:25
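
The failure described in the question can be detected on the client instead of surfacing as a CORS error. The sketch below is an added example, not code from any participant in this thread: it uses `fetch` with `redirect: 'manual'` (an option XMLHttpRequest does not offer) so the 302 toward the sign-in host is reported rather than followed, then hands control to a top-level navigation, which the question says works. The function names and the sample responses are assumptions constructed for illustration.

```javascript
// Added illustration; classifyAuthResponse and getJsonOrReauth are hypothetical names.
// With fetch(url, { redirect: 'manual' }) the browser does not follow the 302 to the
// sign-in host. It returns a filtered response: type 'opaqueredirect', status 0.
function classifyAuthResponse(resp) {
  if (resp.type === 'opaqueredirect') return 'reauth'; // 302 toward the sign-in endpoint
  if (resp.status === 401) return 'reauth';            // server set up to answer AJAX with 401
  if (resp.status === 403) return 'forbidden';         // signed in, but not permitted
  if (resp.status >= 200 && resp.status < 300) {
    const ctype = (resp.headers && resp.headers.get('content-type')) || '';
    // Only parse what claims to be JSON; anything else is not the expected payload.
    return ctype.toLowerCase().includes('application/json') ? 'ok' : 'unexpected';
  }
  return 'error';
}

// Fetch JSON from a same-origin action; on an expired session, hand control to a
// top-level navigation so the redirect-based sign-in runs as a normal page load.
async function getJsonOrReauth(url, deps = {}) {
  const fetchImpl = deps.fetchImpl || fetch;
  const resp = await fetchImpl(url, {
    credentials: 'same-origin',
    redirect: 'manual',
    headers: { Accept: 'application/json' }
  });
  const verdict = classifyAuthResponse(resp);
  if (verdict === 'ok') return { verdict, data: await resp.json() };
  if (verdict === 'reauth') {
    const navigate = deps.navigate || (t => window.location.assign(t));
    navigate(deps.returnTo || window.location.href);
  }
  return { verdict, data: null };
}

// Constructed sample responses (not captured traffic), shaped like fetch Response objects.
const hdr = v => ({ get: () => v });
const SAMPLES = [
  { type: 'opaqueredirect', status: 0, headers: hdr(null) },
  { type: 'basic', status: 200, headers: hdr('application/json; charset=utf-8') },
  { type: 'basic', status: 200, headers: hdr('text/html') },
  { type: 'basic', status: 401, headers: hdr(null) }
];
function classifySamples() { return SAMPLES.map(classifyAuthResponse); }
```

Unsaved page state is lost on the reload, so callers that hold form data should persist it before `navigate` runs.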