
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests. #2482

@thoo1

Description



Library


Framework

React

Description

I see some errors in our logs where users are getting "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests."

Sample correlation id: 6db502bf-7351-45b9-b6e8-0d868a5e52c6
Timestamp: 2020-10-22 23:45:45Z

Our app is a first party application, and I've set up safe rollout to make the reply URLs be type: "SPA". Then I made sure to pass the safe rollout query params in all requests made by MSAL. Somehow there's still this error, I'm not sure what it means by "may only be redeemed via cross-origin requests"? I thought it is cross origin? (Our origin is ml.azure.com)

Error Message

AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

Security

  • Is this issue security related?

Regression

  • Did this behavior work before?
    Version:

MSAL Configuration

    import { PublicClientApplication, LogLevel } from "@azure/msal-browser";

    const publicClientApp = new PublicClientApplication({
      auth: {
        clientId: this.clientId,
        authority: this.authority,
        redirectUri: this.loginRedirectUri, // must be registered as a redirect URI of type "SPA"
        postLogoutRedirectUri: this.postLogoutRedirectUri
      },
      cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: isIEOrOldEdge // https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1188#issuecomment-634281307
      },
      system: {
        tokenRenewalOffsetSeconds: 60,
        iframeHashTimeout: 30000, // hidden iframe is used for silent renewal once the SPA refresh token (24h lifetime) has expired
        loggerOptions: {
          loggerCallback: MsalAuthContext.msalLoggerCallback,
          piiLoggingEnabled: false,
          logLevel: LogLevel.Verbose
        }
      }
    });
    // Resolves with the auth response when the page is loaded after a redirect,
    // and with null on a normal page load.
    const handleRedirectPromise = publicClientApp
      .handleRedirectPromise()
      .then(response => {
        this.account = response ? response.account : this.getAccount();
        if (!this.account) {
          CoreLogger.trackEvent(TelemetryEventName.Core_MSALAuthContext_login);
          publicClientApp.loginRedirect({
            scopes: this.scopes,
            authority: this.authority,
            extraQueryParameters: this.safeRolloutQueryParams
          });
        }
      })
      .catch(error => {
        if (error) {
          this.trackError(error);
        }
      });

Reproduction steps

Not sure how to repro

Expected behavior

No errors

Browsers/Environment

  • Chrome
  • Firefox
  • Edge
  • Safari
  • IE
  • Other (Please add browser name here)

Labels

    bug