I'm trying to call https://my-office-site.com/TokenAddin, which is where the Java servlet I need is located, inside an Outlook add-in, and I have no idea why it keeps redirecting me to other URLs. I'm using XMLHttpRequest to make the calls.
If I call the site from a browser it works as it should: it redirects to an Office login URL, automatically logs in, as I'm logged in already on the browser, and comes back to https://my-office-site.com/TokenAddin.
If I call it from the add-in though, it redirects to https://my-office-site.com/index.jsp?path=%2Fnubbius%2FTokenAddin and gets blocked by CORS policy, which is very weird to me because:
I have added the header 'Access-Control-Allow-Origin' : '*' to every servlet in my company and to https://my-office-site.com/index.jsp, and whenever I call them directly from the browser I can see that those headers are effectively there.
If I call https://my-office-site.com/index.jsp?path=%2Fnubbius%2FTokenAddin directly from the browser it just sends me back to what I wanted in the first place, https://my-office-site.com/TokenAddin.
I've then tried to call instead https://my-office-site.com/index.jsp?path=%2Fnubbius%2FTokenAddin inside the add-in, but it redirects to this monster: https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=8613bd0c-93a9-46a3-a697-dd9ce9358f4f&client_secret=7lthp5nTenUOOW4uug4iEfe2x%2Fpxh8LwTZ%2FcSwPX%2F4A%3D&redirect_uri=https%3A%2F%2Fdodespacho.nubbius.com%2Fnubbius%2FO365OpenIDCallBack&state=2a25c9dc-fff5-4603-a755-3a0c9e92d499&nonce=b724a92a-d50b-4df2-a28e-5079ba858047&response_mode=form_post, which is obviously blocked again by CORS policy.
What am I doing wrong, or what do I not know? Is there a way to keep the add-in from redirecting to different URLs or to know where it's going to redirect?