Reputation: 29
I have an Ionic app that needs to authenticate in Azure, and I followed this Stack Overflow answer: Ionic and MSAL Authentication
All went fine except for iOS, where I'm getting
AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'capacitor://localhost'
I did try registering this URL under Mobile and desktop URLs, as SPA needs to have http or https, so this is not valid...
Does anyone know how to fix this issue?
Thank you
Upvotes: 0
Views: 3956
Reputation: 301
There are two checks you need to do before putting in your redirect_URI:
There are restrictions when it comes to adding URIs in the app registration; check here.
Please check that the redirect URI you're adding is not duplicated in any section. For example, if the redirect_uri is 'http://localhost:3000' and the platform types added are Single-page application as well as Web redirect URLs or Mobile and desktop applications, and any two of them have the same URI or something similar to 'http://localhost' (the port number doesn't matter here), the client from which you're trying to access this app registration will always pick from the top, and so you will get the error "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type" (majorly when you are using SPA React or Next apps), because it will think of it as a Web redirect URI and not SPA.
Upvotes: 1
Reputation: 15554
The error "Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type" usually occurs if the Microsoft Entra ID application is not configured as SPA and you are making use of SPA authentication.
In your case, as your redirect URL is capacitor://localhost, you cannot configure it as SPA, as SPA supports only http or https. Refer to this MS Doc.
Hence, to resolve the error, either you have to configure the application as Mobile and desktop application and use your custom capacitor://localhost redirect URL.
For example:
import MSAL

// Authority for your tenant; replace "your-tenant-id" with the tenant (or "common")
let authority = try MSALAuthority(url: URL(string: "https://login.microsoftonline.com/your-tenant-id")!)
// redirectUri must match the custom-scheme URI registered under "Mobile and desktop applications"
let config = MSALPublicClientApplicationConfig(clientId: "your-client-id",
                                               redirectUri: "your-custom-redirect-uri",
                                               authority: authority)
do {
    let application = try MSALPublicClientApplication(configuration: config)
    // use `application` to acquire tokens interactively or silently
} catch let error as NSError {
    print("Failed to create MSAL public client application: \(error)")
}
Otherwise, if you want to make use of SPA authentication, then you need to make use of some other redirect URL (https or http) and configure the application as Single-page application:
// InAppBrowser: watch for the redirect carrying the authorization code,
// then hand the response back to the app's own (http/https) origin
browser.on('loadstart').subscribe(event => {
  if (event.url.includes('code')) {
    browser.close();
    // swap the redirect URL's origin for the app origin, keeping the fragment with the code
    const domain = event.url.split('#')[0];
    const url = event.url.replace(domain, 'http://***');
    console.log('will redirect to:', url);
    window.location.href = url;
  }
});
Reference:
Use redirect URIs with MSAL (iOS/macOS) - Microsoft identity platform | Microsoft
Upvotes: 1
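Both answers come down to two registration rules: an SPA redirect URI must be http or https, and the same origin listed under more than one platform type makes the first match win. The following is an added example, not code from the question or either answer, that checks a redirect URI configuration offline against exactly those two rules. The registration object is a constructed sample; the platform names, the `msauth.com.example.app://auth` URI and the issue labels are assumptions used only for illustration.

```javascript
// Added example: offline lint for an app registration's redirect URIs.
// Rule 1 (second answer): SPA redirect URIs must use http or https, so a
//   capacitor://localhost entry under "spa" is flagged.
// Rule 2 (first answer): the same scheme + host (port ignored) registered under
//   two platform types is flagged, since Entra ID picks the first match and an
//   SPA request may then be treated as a Web redirect (AADSTS9002326).

const ALLOWED_SPA_SCHEMES = new Set(['http:', 'https:']);

// Collapse a redirect URI to "scheme//host" so that port differences are ignored.
// Throws TypeError for strings that are not URIs at all.
function originKey(uri) {
  const u = new URL(uri);
  return `${u.protocol}//${u.hostname}`;
}

// True only for redirect URIs an SPA platform entry may carry.
function isValidSpaRedirect(uri) {
  try {
    return ALLOWED_SPA_SCHEMES.has(new URL(uri).protocol);
  } catch (e) {
    return false;
  }
}

// `registration` maps a platform type ("web", "spa", "mobile") to its redirect URIs,
// in the order they appear in the portal. Returns a list of problems found.
function checkRedirectUris(registration) {
  const problems = [];
  const firstOwner = new Map(); // originKey -> platform that declared it first

  for (const [platform, uris] of Object.entries(registration)) {
    for (const uri of uris) {
      let key;
      try {
        key = originKey(uri);
      } catch (e) {
        problems.push({ uri, platform, issue: 'unparseable' });
        continue;
      }
      if (platform === 'spa' && !isValidSpaRedirect(uri)) {
        problems.push({ uri, platform, issue: 'spa-requires-http-or-https' });
      }
      if (firstOwner.has(key) && firstOwner.get(key) !== platform) {
        problems.push({ uri, platform, issue: `origin-also-registered-under-${firstOwner.get(key)}` });
      } else if (!firstOwner.has(key)) {
        firstOwner.set(key, platform);
      }
    }
  }
  return problems;
}

// Constructed sample registration (hypothetical values, not a real tenant).
const sampleRegistration = {
  web: ['https://app.example.test/auth', 'http://localhost:3000'],
  spa: ['http://localhost:4200', 'capacitor://localhost'],
  mobile: ['msauth.com.example.app://auth'],
};

// Running this file prints the two findings described on this page.
console.log(checkRedirectUris(sampleRegistration));

module.exports = { originKey, isValidSpaRedirect, checkRedirectUris, sampleRegistration };
```

The duplicate check keys on scheme and host only, so `http://localhost:3000` under Web and `http://localhost:4200` under SPA collide, which is the "port number doesn't matter" situation from the first answer; moving the Capacitor URI to the Mobile and desktop platform, as the second answer suggests, clears the scheme finding.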