C_H

Reputation: 1

Azure App Proxy and SPA application using MSAL causes error: AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.

I'm trying to access a SPA application using MSAL authentication with Azure AD. For this we have created an App Registration in Azure.

When combining the Azure App Registration with an Azure Application Proxy we get this error:

AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.

When creating the App Proxy, both a Web and a SPA application exist in the Application Registration in Azure, and I'm thinking this is causing the Cross-Origin error, as only SPA applications use that method.

Does anyone know how to configure Azure for this scenario?

I have clarified in the image what happens when running both App Registration and App Proxy. Azure creates both a Web and a SPA app registration with a redirect URI.

App Registration Config

Upvotes: 0

Views: 923

Answers (1)

Rukmini

Reputation: 15544

I created an Azure AD Application and used the below endpoint to authorize users:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
&code_challenge=CodeChallenge
&code_challenge_method=S256

Now, I tried to generate the access token via Postman using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:https://graph.microsoft.com/.default
grant_type:authorization_code
code:code
code_verifier:CodeVerifier
redirect_uri:https://jwt.ms

But I got the error like below:

The error usually occurs if the application is not configured as SPA.

To resolve the error, make sure to add the redirect URI under Single page application like below:

After configuring the above changes, I am able to generate the access token like below:

Make sure to add origin under the Headers tab:

If the issue still persists, make sure the application has only one application type configured, not both Web and SPA.

References:

Register single-page applications (SPA) - Microsoft Entra

SPA Authorization Code · AzureAD/microsoft-authentication-library-GitHub by Bogdan Gavril

Upvotes: 0
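The authorization-code + PKCE exchange the answer walks through, as an added example that is not part of the question or answer above and not Microsoft's or MSAL's own code. It builds the /authorize URL and the /token request offline so the pieces that have to line up can be checked locally: the S256 code_challenge derived from the code_verifier, the state check on the callback, the Origin header that makes the token redemption cross-origin, and a small local check mirroring the rule behind AADSTS9002326 (the redirect URI must be registered under the SPA platform). TenantID, ClientID and the scope are placeholders; https://jwt.ms is the redirect URI the answer uses; the callback URL is constructed, not a real response from Entra.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumed values, not taken from the question or answer).
TENANT_ID = "TenantID"
CLIENT_ID = "ClientID"
REDIRECT_URI = "https://jwt.ms"          # redirect URI used in the answer
SCOPE = "https://graph.microsoft.com/.default"
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters.
    32 random bytes, base64url without padding, give exactly 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def compute_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = base64url(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str) -> str:
    """The /authorize request shown in the answer, with the challenge filled in."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, refusing a response
    whose state does not match the one we sent (CSRF protection)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this authorization response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(tenant: str, client_id: str, code: str, code_verifier: str,
                        redirect_uri: str, scope: str, origin: str) -> dict:
    """The /token request a browser-hosted SPA sends. The Origin header makes
    it a cross-origin redemption, which Entra accepts only for the
    'Single-Page Application' client type (AADSTS9002326 otherwise)."""
    return {
        "url": f"{AUTHORITY.format(tenant=tenant)}/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Origin": origin},
        "body": {
            "client_id": client_id,
            "grant_type": "authorization_code",
            "code": code,
            # The verifier is the random string whose S256 hash went out as
            # code_challenge; the method name "S256" is not a valid verifier.
            "code_verifier": code_verifier,
            "redirect_uri": redirect_uri,
            "scope": scope,
        },
    }


def cross_origin_redemption_allowed(registration: dict, redirect_uri: str) -> bool:
    """Local check mirroring the rule behind AADSTS9002326: a cross-origin
    token request is accepted only when redirect_uri is registered under the
    'spa' platform; the same URI under 'web' alone does not satisfy it.
    `registration` maps platform name -> list of redirect URIs."""
    return redirect_uri in registration.get("spa", [])


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = compute_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    print("1. Send the browser to:\n  ", build_authorize_url(
        TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPE, state, challenge))
    # Constructed callback standing in for the real redirect from Entra.
    code = parse_callback(f"{REDIRECT_URI}/?code=AUTH_CODE&state={state}", state)
    req = build_token_request(TENANT_ID, CLIENT_ID, code, verifier,
                              REDIRECT_URI, SCOPE, origin="https://jwt.ms")
    print("2. POST", req["url"], "with Origin:", req["headers"]["Origin"])
    web_only = {"web": [REDIRECT_URI], "spa": []}
    spa = {"web": [], "spa": [REDIRECT_URI]}
    print("Web-only registration allows cross-origin redemption:",
          cross_origin_redemption_allowed(web_only, REDIRECT_URI))
    print("SPA registration allows cross-origin redemption:",
          cross_origin_redemption_allowed(spa, REDIRECT_URI))
```

The local check is the diagnostic to run first when this error appears: if the redirect URI the SPA sends only exists under the Web platform of the app registration, no change to the request parameters will help; the fix is moving (or adding) that URI under the Single-page application platform, as the answer describes.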
