At Work

Reputation: 29

MS Graph: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type, while getting refresh token

I am trying to get an access token and refresh token for the MS Graph API from JavaScript. It works fine when getting the auth code from the following API:

https://login.microsoftonline.com/{TenetID}/oauth2/v2.0/authorize

But when trying to get the refresh token and access token from the following API:

https://login.microsoftonline.com/{TenetID}/oauth2/v2.0/token

I am getting the following error all the time:

Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. while getting refresh token

I have used both the SPA and Web platforms on the Azure side, but no luck. Please suggest the correct solution.

Upvotes: 0

Views: 802

Answers (1)

CarolMsft

Reputation: 124

Double check on the Auth-flow you are using and ensure you are not mismatching the requests. This error arises if you are using a Client Credentials Flow which is intended for server side confidential client applications on your Single Page App. This is because for SPA, it is not possible to secure the client secret. Ensure you are implementing the authorization code flow which is meant for SPAs. Alternatively implement using MSAL which can handle authentication and still allow you to get refresh tokens. It would also be good to see the payload you are sending to the two endpoints to help determine where the issue is coming from.

Upvotes: 3
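
The request-mismatch check suggested in the answer can be run on the token request body before it leaves the browser. This is an added example, not code from the question or the answer: `buildSpaTokenRequest` and `lintSpaTokenRequest` are hypothetical helper names, the issue codes are made up for illustration, and the tenant, client id, code and verifier values are constructed placeholders. It assumes the redirect URI is registered under the app's Single-page application platform, which cannot be seen from the request itself.

```javascript
// Added example; tenant, client id, code and verifier values are constructed placeholders.
const tokenUrl = (tenant) =>
  `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;

// Form body a browser SPA (public client) sends to redeem an authorization code with PKCE.
function buildSpaTokenRequest({ clientId, code, redirectUri, codeVerifier, scope }) {
  return new URLSearchParams({
    client_id: clientId,
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier, // proves possession instead of a client secret
    scope,
  });
}

// Returns issue codes for a token request body that is about to be sent from browser code.
function lintSpaTokenRequest(body) {
  const p = new URLSearchParams(body);
  const grant = p.get('grant_type');
  const issues = [];
  if (grant === 'client_credentials') issues.push('confidential-client-flow');
  else if (grant !== 'authorization_code' && grant !== 'refresh_token')
    issues.push('unexpected-grant-type');
  // A secret or signed assertion shipped to the browser is readable by any user.
  if (p.has('client_secret') || p.has('client_assertion')) issues.push('secret-in-browser');
  if (!p.get('client_id')) issues.push('missing-client-id');
  if (grant === 'authorization_code') {
    if (!p.get('code')) issues.push('missing-code');
    if (!p.get('redirect_uri')) issues.push('missing-redirect-uri');
    const verifier = p.get('code_verifier');
    if (!verifier) issues.push('missing-code-verifier');
    // RFC 7636: 43 to 128 characters from the unreserved set.
    else if (!/^[A-Za-z0-9._~-]{43,128}$/.test(verifier)) issues.push('bad-code-verifier');
  }
  if (grant === 'refresh_token' && !p.get('refresh_token')) issues.push('missing-refresh-token');
  return issues;
}

// Constructed sample inputs.
const good = buildSpaTokenRequest({
  clientId: '00000000-0000-0000-0000-000000000000',
  code: 'SAMPLE_AUTH_CODE',
  redirectUri: 'http://localhost:3000/',
  codeVerifier: 'a'.repeat(43),
  scope: 'User.Read offline_access',
});
const bad = 'client_id=x&client_secret=s3cr3t&grant_type=client_credentials&scope=.default';
console.log(tokenUrl('TENANT_ID'), lintSpaTokenRequest(good), lintSpaTokenRequest(bad));
```

An empty array means the body has the shape of a public-client redemption; any code returned points at the parameter to inspect before sending.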
