
We are trying to implement Azure AD B2C authentication with a web app using implicit flow. We can login and successfully get redirected to the correct url which includes the correct items on the redirect url (id_token&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token) the app then needs to perform an XHR POST request to the token endpoint to retrieve a token for a resource (web api) the app needs to interact with. However, when I try and do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c_1_signinpolicy) the browser (quite rightly) performs a preflight check (an OPTIONS call) to determine if it can call the endpoint as it is on a different domain. The OPTIONS call works but it does not contain the required headers (Access-Control-Allow-Origin) for the browser to allow the POST call to the endpoint.

Am I missing something or doing something wrong?

Any help appreciated!

Jon

Jon
  • It seems implicit flow is not yet supported, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-apps/ – Bojan Resnik Dec 10 '15 at 13:08
  • @BojanResnik Yes I saw this although everything about the UI and other documentation suggests otherwise. – Jon Dec 10 '15 at 14:01
  • According to MS doc you can simply set your app as SPA and the CORS issue will be gone. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#redirect-uri-setup-required-for-single-page-apps – WolfRevo Jun 23 '21 at 15:44

1 Answer


The Azure AD auth endpoints (B2C or otherwise) don't support CORS, nor will they ever.

For JavaScript apps, we use the implicit flow with response_type=token or response_type=id_token to get tokens directly from the authorize endpoint - no CORS necessary. Feel free to try it out, it should work just fine.

The reason we say JavaScript apps are unsupported right now is because after one hour, the id_token/access_token you get using this method will expire. And we don't have a way to refresh/get a new token silently. This means in the best case, your JavaScript app will have to redirect to AAD every hour.

We don't think that's acceptable, so we're working on a feature that will solve this problem. But for now we'll continue to call JavaScript apps unsupported.

dstrockis
  • Thank you for the reply - we realised that our C# code was a bit wrong so it is all working as expected now. – Jon Dec 11 '15 at 13:41
  • Is there any update over this? I am going through the same issue and facing a preflight cross-origin issue. – Chandan Gawri Aug 25 '17 at 08:09
  • What if you're using authorisation code grant with PKCE from browser-based apps (which is a draft BCP at the time of this reply - see https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-04)? Do I not need to use the token endpoint for this scenario? – Ryan.Bartsch Nov 01 '19 at 00:12
  • @dstrockis Any progress on this now that the current best practice for JavaScript apps / SPAs is to use Authorization Code with PKCE over Implicit flow? – Søren Høyer Kristensen Jan 27 '20 at 08:43
  • This github issue relates to implementing Authorization Code with PKCE. INCLUDING CORS UPDATES -> https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1000 – JsAndDotNet Mar 18 '20 at 13:43
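The pattern the answer describes, as an added example that is not code from the question, the answer or Microsoft: request tokens from the B2C authorize endpoint with an implicit-flow response_type so they come back in the redirect fragment, then validate state and nonce client-side, so the browser never has to POST cross-origin to the token endpoint. The tenant, policy, client_id, redirect_uri and the unsigned sample id_token are constructed placeholders.

```javascript
// Added example: B2C implicit flow via the authorize endpoint only (no CORS
// needed). Tenant, policy, client id, redirect URI and the sample token are
// constructed placeholders, not values from the question or answer.
const B2C_HOST = "https://login.microsoftonline.com";

// response_type "id_token token" makes the authorize endpoint return both tokens in
// the fragment of redirect_uri; state and nonce are random values the app keeps.
function buildAuthorizeUrl({ tenant, policy, clientId, redirectUri, scope, state, nonce }) {
  const params = new URLSearchParams({
    client_id: clientId, response_type: "id_token token", redirect_uri: redirectUri,
    response_mode: "fragment", scope, state, nonce, p: policy,
  });
  return `${B2C_HOST}/${tenant}/oauth2/v2.0/authorize?${params}`;
}

// base64url helpers (JWT segments use the URL-safe alphabet without padding).
const b64url = (s) => Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Read the JWT payload without verifying the signature. Signature, issuer and
// expiry checks still belong in the app (or in a library such as MSAL); this is
// only used to compare the nonce claim against the one we sent.
function jwtPayload(token) {
  const [, payload] = token.split(".");
  return JSON.parse(fromB64url(payload));
}

// hash is window.location.hash after the redirect, e.g. "#id_token=...&state=...".
// Accept the response only if state and the id_token's nonce match what we sent
// (CSRF and replay guards); otherwise say why it was rejected.
function handleRedirect(hash, sent) {
  const r = Object.fromEntries(new URLSearchParams(hash.replace(/^#/, "")));
  if (r.error) return { ok: false, reason: r.error_description || r.error };
  if (r.state !== sent.state) return { ok: false, reason: "state mismatch" };
  if (!r.id_token) return { ok: false, reason: "no id_token in fragment" };
  if (jwtPayload(r.id_token).nonce !== sent.nonce) return { ok: false, reason: "nonce mismatch" };
  return { ok: true, idToken: r.id_token, accessToken: r.access_token || null,
           expiresIn: Number(r.expires_in) };
}

// Constructed sample: an unsigned fake id_token whose payload carries our nonce.
function fakeIdToken(nonce) {
  return `${b64url(JSON.stringify({ alg: "none" }))}.${b64url(JSON.stringify({ nonce, sub: "user-1" }))}.`;
}

const sent = { state: "s-123", nonce: "n-abc" };
const sampleHash = `#id_token=${fakeIdToken("n-abc")}&access_token=at-xyz&token_type=Bearer&expires_in=3600&state=s-123`;
```

In a real app the access_token is sent as a Bearer header to the web API, and after the hour the answer mentions the app must send the user back through buildAuthorizeUrl.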