3

I saw that the new recommendation (since mid 2019) is to use code flow with PKCE instead of the implicit flow for SPAs. I have an Angular SPA that uses OIDC client and works fine until it calls the /token endpoint, which returns a CORS error:

Access to XMLHttpRequest at 'https://login.microsoftonline.com/xxx/oauth2/token' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested 

Is there a way to overcome this error or is there a way to configure Allowed Origins (CORS) in Azure AD or am I doing something wrong?

EchoRo
  • 119
  • 1
  • 11

1 Answer

2

There is no way to configure Allowed Origins in Azure AD.

So there are two solutions for you:

1. Use MSAL.js with Azure AD B2C.

2. Call the /token endpoint in your server, then you can make the request to your server.

Reference:

No 'Access-Control-Allow-Origin' header with Microsoft Online Auth

Tony Ju
  • 14,891
  • 3
  • 17
  • 31
  • this no longer holds true. According to MS doc you can simply set your app as SPA and the CORS issue will be gone. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#redirect-uri-setup-required-for-single-page-apps – WolfRevo Jun 23 '21 at 15:36