
I'm attempting to retrieve the Azure Authorisation code so that I can extract the access token in order to make calls to the Azure Billing API (RateCard and Usage APIs).

I'm following the OAuth protocol explained by Microsoft here. My implementation is shown below. Note the redirect_uri in the params is the URI which Azure AD will redirect back to after it authenticates. However, when I attempt to execute this I get the following CORS error: "XMLHttpRequest cannot load "https://login.microsoftonline.com/imonlineservices.com/oauth2/authorize?res...ure.com&redirect_uri=http%3a%2f%2flocalhost%3a13333%2f&response_mode=query". No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:13333' is therefore not allowed access." as shown in Figure 2.

As I understand it this is telling me that there is no "Access-Control-Allow-Origin" header present on "login.microsoftonline.com...." which causes my request to fail due to the same-origin policy.

Now although I understand this error, I'm still confused as going by the explanation given by the link mentioned above, this should work? I'm not sure where exactly I'm going wrong here.

Method responsible for attempting to retrieve Auth code:

    public void GetAuthorizationCode(string ClientId)
    {
        // Parameters for the Azure AD authorization-code request
        var @params = new NameValueCollection
        {
            { "response_type", "code" },
            { "client_id", ClientId },
            { "resource", "https://management.azure.com" },
            { "redirect_uri", "http://localhost:13333/" }
        };

        // ParseQueryString(string.Empty) returns a collection whose ToString() URL-encodes the values
        var queryString = System.Web.HttpUtility.ParseQueryString(string.Empty);
        queryString.Add(@params);

        // Respond with a redirect to the authorize endpoint
        Response.Redirect(String.Format("https://login.windows.net/common/oauth2/authorize?{0}", queryString));
    }

UPDATE

When pasting the redirect request ("https://login.windows.net/common/oauth2/authorize?{0}", queryString) directly into the browser, login.windows.net returns the response (code) back to my application as a query string parameter, as shown in Figure 1 below. This indicates to me that all the necessary Azure configuration has been completed correctly and the error simply lies with how I'm attempting to retrieve this code.

Figure 1: Successful redirect from Azure to my application with code in query string.

raah
  • The CORS error in figure 2 is due to login.windows.net not sending the `Access-Control-Allow-Origin` response header. So it doesn’t matter how you have CORS configured on your own server, because that’s not causing the error – sideshowbarker Mar 22 '17 at 12:39
  • By the way, if you want people here to take time to try to help you, it’s not a good idea to post screen grabs of your sources and errors, etc. Instead take the time yourself to copy the text of sources and the error messages and paste them in here so people can read them normally – sideshowbarker Mar 22 '17 at 12:41
  • The only thing I can glean from all this is that for some reason you’re trying to send an authentication request to login.windows.net from client-side JavaScript in your web app. I don’t know what’s the right way to do authentication through login.windows.net but it seems pretty clear the way you’re trying to do it is probably not the right way, and so you might want to spend some time reading some Windows developer docs and researching what the supported way is that Microsoft provides for doing whatever it is you’re trying to do – sideshowbarker Mar 22 '17 at 12:45
  • Apologies, I thought the screen grabs were the cleanest option. I'll update the post to include the code. – raah Mar 22 '17 at 13:22
  • I've spent some time going over the tutorials provided by Microsoft and read around the OAuth protocol; the tutorials around the billing API are for desktop applications and their methods for obtaining the access token do not work on published applications. So I attempted to use a method shown in Microsoft's "integrate a powerbi report into a web application" tutorials, which I've successfully used before. – raah Mar 22 '17 at 13:26
  • The only thing JavaScript is doing is making a call to the server side method called GetAuthorizationCode. The server side code is responsible for redirecting to login.windows.net to authenticate which then redirects back to my application with the auth code. – raah Mar 22 '17 at 13:29
  • OK, but unless the responses you’re getting from the Microsoft servers include the `Access-Control-Allow-Origin` response header with a value that allows your app’s origin, there is no way that browsers will allow your client-side JavaScript code to access the response. Specifically, the error message you posted indicates your request is getting redirected to login.microsoftonline.com and that server is not including the `Access-Control-Allow-Origin` header in its response. – sideshowbarker Mar 22 '17 at 13:30
  • I've added an update section above. In this scenario would you still expect the cors error to still occur based on what you've said about the Access-Control-Allow-Origin header? – raah Mar 22 '17 at 14:06
  • I dunno. But when you paste a URL directly into your browser address bar and it redirects successfully, that doesn’t mean it will necessarily work when you make a request to the same URL from JavaScript. Because browsers do not enforce any cross-origin/CORS restrictions when you manually browse to some URL in your browser yourself. But browsers do enforce cross-origin/CORS restrictions on requests made from JavaScript in your web applications – sideshowbarker Mar 22 '17 at 14:20
  • I've included a link to a page explaining the OAuth protocol I'm attempting to make use of. Hopefully this sheds some light on where I may actually be going wrong. As I'm fairly confident that I'm not going about this the wrong way, and if I am, well, hopefully this'll make it clear. – raah Mar 27 '17 at 09:16
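
The comments above distinguish a request made from JavaScript (subject to CORS) from a navigation the browser performs itself (not subject to it). As an added example, not code from the question or the thread, this is one way to start the same authorization-code request as a top-level navigation and to read `code` back on the redirect page. The endpoint, `resource` and `redirect_uri` are the values in the question; the `state` parameter, the `oauth_state` storage key and all function names are assumptions introduced here.

```javascript
// Added example, not code from the thread. The endpoint is the one in the
// question; function names and the "oauth_state" key are hypothetical.
const AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize";

// Assumption: Web Crypto (`crypto.getRandomValues`) is available, as in browsers.
function randomState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildAuthorizeUrl({ clientId, redirectUri, resource, state }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    resource,
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Top-level navigation: the browser leaves the page and follows the redirect
// chain itself, so no script reads a cross-origin response and CORS is not involved.
// `win` and `storage` stand for window and sessionStorage (injected for testing).
function startLogin(win, storage, params, state = randomState()) {
  storage.setItem("oauth_state", state);
  win.location.assign(buildAuthorizeUrl({ ...params, state }));
  return state;
}

// Run on the redirect_uri page: return `code` from the query string, but only
// if `state` matches the value stored before the browser left the application.
function readAuthorizationCode(callbackUrl, storage) {
  const q = new URL(callbackUrl).searchParams;
  const expected = storage.getItem("oauth_state");
  storage.removeItem("oauth_state"); // single use
  if (q.has("error")) {
    throw new Error(`authorization failed: ${q.get("error")}`);
  }
  if (!expected || q.get("state") !== expected) {
    throw new Error("state mismatch: response was not started by this session");
  }
  const code = q.get("code");
  if (!code) throw new Error("no authorization code in response");
  return code;
}
```

In a page this would be wired up as `startLogin(window, sessionStorage, {...})` from a click handler, with `readAuthorizationCode(window.location.href, sessionStorage)` on the redirect page; the code-for-token exchange then happens server-side.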
