MK446

Reputation: 458

Getting CORS error when I am making Ajax request to /common/oauth2/v2.0/token

I am getting a CORS error when I make an Ajax request to https://login.microsoftonline.com/common/oauth2/v2.0/token from my application.

Below is the code sample that I am using:

var inputData = {
    'grant_type': 'authorization_code',
    'code': '<codeValue>',
    'redirect_uri': '<returnUrl>',
    'client_id': '<client_id>',
    'client_secret': '<client_secret>'
};

$.ajax({
    url: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    type: 'post',
    contentType: 'application/x-www-form-urlencoded',
    dataType: 'json', // jQuery expects a type name here, not a MIME type
    data: inputData,
    success: function (data, text) {
        console.log(data.access_token);
    },
    error: function (data, status, error) {
        console.log('failed');
    }
});

The browser console shows the error below:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://login.microsoftonline.com/common/oauth2/v2.0/token. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

I would like to know how to get rid of the CORS error.

Upvotes: 2

Views: 2804

Answers (1)

Marc LaFleur

Reputation: 33094

You shouldn't use the Authorization Code Flow to do client-side authentication. It would require that you provide the Client Secret as you're doing here and that is a big no-no.

If you need to handle authentication entirely on the client-side, you need to use the Implicit Flow (aka Client-Side Flow). This allows you to authenticate without passing a client secret and doesn't use a second-stage POST to obtain the token.

I wrote a walkthrough for how Implicit works that you might find helpful as well: v2 Endpoint and Implicit Grant

Upvotes: 2
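
The implicit flow described in the answer above, sketched as an added example (not code from the question or from the answerer's walkthrough): the browser navigates to the v2.0 authorize endpoint with response_type=token and reads the access token from the fragment of the redirect, so no client_secret and no cross-origin POST to /token is involved. The function names and the placeholder client ID, redirect URI and scope are assumptions.

```javascript
// Added example: the two client-side halves of the implicit grant.
// All identifiers and sample values here are illustrative, not from the post.
const AUTHORIZE_ENDPOINT =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize';

// Random per-request value. In the browser, keep it (for example in
// sessionStorage) until the redirect comes back, then compare.
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Step 1: the URL the browser navigates to, e.g. with
// window.location.assign(...). No client_secret and no Ajax call.
function buildAuthorizeUrl(clientId, redirectUri, scope, state) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'token',
    redirect_uri: redirectUri,
    scope: scope,
    response_mode: 'fragment',
    state: state
  }).toString();
  return url.toString();
}

// Step 2: on the redirect page, read the result from the URL fragment,
// e.g. parseImplicitResponse(window.location.href, savedState).
function parseImplicitResponse(redirectedUrl, expectedState) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, '');
  const params = new URLSearchParams(fragment);
  // Reject responses that do not echo the state this page generated.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: response does not belong to this request');
  }
  if (params.has('error')) {
    throw new Error(params.get('error') + ': ' + params.get('error_description'));
  }
  const token = params.get('access_token');
  if (!token) {
    throw new Error('no access_token in fragment');
  }
  return { accessToken: token, expiresIn: Number(params.get('expires_in')) };
}
```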
