Azure Application Proxy - Single Page Application - CORS issue

Question

Components:

1. HTML, Bootstrap, AJAX Single Page Application (SPA) --> Deployed on-premise on tomcat 1
2. Azure Application Proxy 1 fronting SPA with pre-authentication as passthrough
3. REST API (API) --> Deployed on-premise on tomcat 2
4. Azure Application Proxy 2 fronting API with pre-authentication as Azure Active Directory
5. Microsoft MSAL Javascript library: https://github.com/AzureAD/microsoft-authentication-library-for-js

Flow:

1. User accesses SPA using Application Proxy 1 external URL eg. https://appProxy1.com/spa
2. The SPA has a sign-in button, when clicked invokes the Microsoft js MSAL library.
3. The user is presented a pop-up and upon entering credentials, is authenticated against Azure AD and an OAuth token is fetched.
4. Once authenticated successfully, the user is allowed to perform search on the SPA.
5. When the user searches, the SPA invokes the REST API using the application proxy 2 url eg. https://appProxy2.com/rest/.search
6. The REST call is blocked by browser due to CORS. It seems that Application Proxy/Azure AD is not allowing cross origin calls.

Note:

1. CORS has been enabled in the REST API code and SPA is able to invoke the REST API if Application Proxy 2 pre-authentication mode is set as passthrough.
2. I have gone through https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-understand-cors-issues. This workaround is possible if HTML application and REST service are deployed on the same application server.

Question: Is there any option to enable/configure CORS on Application Proxy.

Answer 1

Currently there is no way to configure/enable the CORS on Application Proxy.

There a user voice request for CORS App Proxy. Please feel free to up vote this user voice request.