Reputation: 1961
I have registered two apps in Azure AD; one being the Server and the other being the Client, as one set. There are two sets created; one set for Production and the other for UAT. The Client Apps are of type "Web" and none are SPA.
The Production Server App is almost a clone of the UAT Server App, and the Production Client App is almost a clone of the UAT Client App.
Consumers use the Client Apps to get tokens from the OAuth 2.0 token endpoint (v2), https://login.microsoftonline.com/[--Tenant--]/oauth2/v2.0/token, using the Client Credentials flow with a secret. The generated token is used as a bearer token to authorize against my Web API.
On the Production Client App, retrieving a token from the token endpoint returns an error that reads:
AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application'
What's bizarre here is:
With such facts, it's not rational to say that there is a network restriction on the Production Consumer site. I am clueless as to why the app is not producing tokens on internal networks but does on public networks, whereas the UAT Apps have no issue producing tokens irrespective of the environment.
This case almost describes my case, but I have checked mine, where the Client App is Public and the Server App is Private.
Where should I search? What areas should I look into?
Upvotes: 3
Views: 14968
Reputation: 872
In case someone else encounters this error, check that the URI type in the Manifest file is Spa and NOT Web. Even if you have set the platform in Authentication to Single-page application, the URI type might still be set to Web, which will cause this error.
Upvotes: 8
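As an added example (not part of the question or the answer above), here is a small Python script that performs the answer's check offline against an exported app registration manifest: it reads the manifest's replyUrlsWithType list and reports every redirect URI whose type is something other than Spa, so the mismatch between the Authentication blade and the manifest can be spotted before a token request fails. The manifest snippet is constructed for this example and the appId is a placeholder, not a real app.

```python
import json
from typing import Dict, List

# Constructed sample of the relevant part of an Azure AD app registration
# manifest (the JSON shown in the portal's "Manifest" blade). The field names
# follow the real manifest schema; the URIs and appId are made up for this
# example, and the appId is a placeholder, not a real application id.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "example-client-app",
    "replyUrlsWithType": [
        {"url": "https://app.example.com/auth/callback", "type": "Web"},
        {"url": "https://app.example.com/", "type": "Spa"},
        {"url": "http://localhost:3000/", "type": "Web"},
    ],
})


def redirect_uris_by_type(manifest_json: str) -> Dict[str, List[str]]:
    """Group the manifest's redirect URIs by their declared platform type.

    Returns a dict such as {"Web": [...], "Spa": [...]}, preserving the
    order in which the entries appear in the manifest.
    """
    manifest = json.loads(manifest_json)
    grouped: Dict[str, List[str]] = {}
    for entry in manifest.get("replyUrlsWithType", []):
        grouped.setdefault(entry["type"], []).append(entry["url"])
    return grouped


def non_spa_redirect_uris(manifest_json: str) -> List[str]:
    """Return the redirect URIs that are NOT registered with type Spa.

    These are the entries the answer above points at: the Authentication
    blade may show a Single-page application platform while the manifest
    still carries the URI as Web.
    """
    grouped = redirect_uris_by_type(manifest_json)
    return [url for uri_type, urls in grouped.items() if uri_type != "Spa" for url in urls]


def is_spa_registered(manifest_json: str, redirect_uri: str) -> bool:
    """Report whether a specific redirect URI is registered as Spa.

    Useful when you know the exact redirect_uri a client sends in its token
    request and want to confirm how the manifest classifies it.
    """
    return redirect_uri in redirect_uris_by_type(manifest_json).get("Spa", [])


if __name__ == "__main__":
    # Stand-alone usage: read a manifest export from a file if given, else
    # fall back to the constructed sample above.
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for uri_type, urls in redirect_uris_by_type(text).items():
        print(f"{uri_type}: {', '.join(urls)}")
    offending = non_spa_redirect_uris(text)
    if offending:
        print("Redirect URIs not registered as Spa:")
        for url in offending:
            print(f"  {url}")
```

Run it with the path to a manifest JSON exported from the portal to list the URIs grouped by type; any URI printed under "not registered as Spa" is one whose type still needs to be changed if the client really is a single-page application.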