
I have Registered two apps in Azure AD; One being the Server and the other being the Client as one set. There are two sets created; One set for Production and the other being for UAT. Client Apps are types of "Web" and none being as SPA.

Production Server App is almost a clone of the UAT Server App. And Production Client App is almost a clone of a UAT Client App.

Consumers use Client Apps to get tokens by using the OAuth 2.0 token endpoint (v2) https://login.microsoftonline.com/[--Tenant--]/oauth2/v2.0/token as Client Credential Flow with a Secret. The token generated is used as a bearer token to Authorize my Web API.

On the Production Client App, it returns an error when retrieving a Token from the Token endpoint and it reads as:

AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application'

What's bizarre here is:

  1. Production Client App can get Token from Public Network (Internet), but not in Internal Network (Having Internet access)
  2. UAT Client App produces Tokens from Public and Internal Networks (Having Internet access).

With such facts, it's not rational to say that there is a network restriction in the Production Consumer site. I am clueless on why App is not producing tokens in Internal networks but in Public networks, whereas the UAT Apps have no issue in producing Tokens irrespective of the environment.

This case almost elaborates my case but I have checked mine, where Client App is Public and Server App is Private.

Where to search? What areas to look into?

hiFI
    What API are you using to get the token? Is it possible the API is adding an Origin: header? In my testing, if you have any Origin at all (even null), you'll get this error. – Mike Kaply Jul 08 '21 at 22:23
  • I'm using `OAuth Token Endpoint (V2)` which is https://login.microsoftonline.com//oauth2/v2.0/token. I call this URL directly to get the token without being called from another app. Our testing is in Postman so far. The `Origin` you are referring to here is a header attribute in the HTTP Request? – hiFI Jul 09 '21 at 06:57
  • Yes, header attribute in the HTTP request. Is there an easy way for you to look at the request over the wire and see if there is an Origin header being added to the HTTP request to the token endpoint? – Mike Kaply Jul 09 '21 at 19:09
  • @mike-Kaply I don't have an easy way. I need to ask my client to check it. Probably they will need to place interceptors in their channels, Postman interceptors or Fiddler. However, are there any instances of this header being inserted by some source other than my app after an HTTP request is sent? – hiFI Jul 11 '21 at 02:08
  • As far as I know, no. It would be inserted by your app based on the API you are using to send the request. – Mike Kaply Jul 12 '21 at 18:24
  • [This gave me some insight](https://www.gitmemory.com/issue/AzureAD/microsoft-authentication-library-for-js/3273/803462890) It already says about duplicate `redirect URIs` and there is some logic behind it. However, what's confusing here is that I have the same `redirect URIs` but all of them are types of `Web` and **NOT** `SPA` – hiFI Jul 13 '21 at 04:11

1 Answer


In case someone else encounters this error, check the URIs type in the Manifest file to be Spa and NOT Web. Even if you have set the platform in Authentication to Single-page applications, the URIs type might still be set to Web which will cause this error.

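The two diagnostics that come out of this thread, as an added example that is not code from the question, the comments or the answer: the comment exchange points at an `Origin` header on the token request (any value, even `null`) as the trigger for AADSTS9002326, and the answer points at redirect URIs still registered with type `Web` in the app manifest. The script below composes a v2 client-credentials request and flags an `Origin` header, then audits the `replyUrlsWithType` array of an exported manifest for entries that are not `Spa` or that are registered twice (the duplicate-URI case the linked issue describes). The tenant id, client id, secret, scope and manifest fragment are constructed placeholders; nothing is sent over the network.

```python
"""Diagnostics for AADSTS9002326 on the Azure AD v2 token endpoint.

Added example, not code from the original question or answer. Tenant, client
and manifest values below are constructed placeholders.
"""
import json
from urllib.parse import urlencode

TENANT = "00000000-0000-0000-0000-000000000000"   # constructed placeholder
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def build_client_credentials_request(client_id, client_secret, scope, extra_headers=None):
    """Return the URL, headers and form body of a v2 client-credentials request.

    The body is the OAuth 2.0 client_credentials grant; Azure AD v2 expects a
    single scope of the form <resource>/.default. extra_headers models whatever
    the calling HTTP library or tool (Postman, a browser, an SDK) adds on its own.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    headers.update(extra_headers or {})
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return {"url": TOKEN_URL, "headers": headers, "body": body}


def origin_header_problems(headers):
    """Report an Origin header on a token request made by a Web (non-SPA) client.

    Per the comment thread, the endpoint treats any Origin value, even the
    literal "null", as a cross-origin redemption, which only SPA registrations
    may perform. Header names are compared case-insensitively.
    """
    problems = []
    for name, value in headers.items():
        if name.lower() == "origin":
            problems.append(f"Origin header present (value={value!r}); "
                            "a Web client must send the token request without it")
    return problems


def redirect_uri_problems(manifest_text, expected_type="Spa"):
    """Audit replyUrlsWithType in an exported app manifest.

    Returns one message per URI whose type differs from expected_type and one
    per URI that is registered more than once under any type.
    """
    manifest = json.loads(manifest_text)
    problems = []
    seen = {}
    for entry in manifest.get("replyUrlsWithType", []):
        url, kind = entry.get("url"), entry.get("type")
        if kind != expected_type:
            problems.append(f"{url}: type is {kind!r}, expected {expected_type!r}")
        seen.setdefault(url, []).append(kind)
    for url, kinds in seen.items():
        if len(kinds) > 1:
            problems.append(f"{url}: registered {len(kinds)} times with types {kinds}")
    return problems


# Constructed manifest fragment mirroring the symptom in the answer: the
# platform was switched to SPA in the portal, but the manifest still carries
# the same URI as "Web" alongside the new "Spa" entry.
SAMPLE_MANIFEST = json.dumps({
    "replyUrlsWithType": [
        {"url": "https://example.invalid/callback", "type": "Web"},
        {"url": "https://example.invalid/callback", "type": "Spa"},
    ]
})

if __name__ == "__main__":
    req = build_client_credentials_request("client-id", "client-secret",
                                           "api://server-app-id/.default",
                                           extra_headers={"Origin": "null"})
    for problem in origin_header_problems(req["headers"]) + redirect_uri_problems(SAMPLE_MANIFEST):
        print("WARN:", problem)
```

To apply this to a real registration, export the manifest from the Azure portal and pass its text to `redirect_uri_problems`; to check the request side, capture the outgoing headers with the interceptor the comments mention and pass that dictionary to `origin_header_problems`.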