Description
Please follow the issue template below. Failure to do so will result in a delay in answering your question.
Library
- [email protected] or @azure/[email protected]
- @azure/[email protected]
- @azure/[email protected]
- @azure/[email protected]
- @azure/[email protected]
Important: Please fill in your exact version number above, e.g. [email protected].
Framework
React
Description
I see some errors in our logs where users are getting "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests."
Sample correlation id: 6db502bf-7351-45b9-b6e8-0d868a5e52c6
Timestamp: 2020-10-22 23:45:45Z
Our app is a first party application, and I've set up safe rollout to make the reply urls be type: "SPA". Then I made sure to pass the safe rollout query params in all requests made by msal. Somehow there's still this error, I'm not sure what it means by "may only be redeemed via cross-origin requests"? I thought it is cross origin? (Our origin is ml.azure.com)
Error Message
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.
Security
- Is this issue security related?
Regression
- Did this behavior work before?
Version:
MSAL Configuration
```javascript
// Import added for completeness; the snippet is excerpted from a class
// (MsalAuthContext), so this.clientId, this.authority, this.scopes,
// isIEOrOldEdge, CoreLogger and TelemetryEventName come from the surrounding code.
import { PublicClientApplication, LogLevel } from "@azure/msal-browser";

const publicClientApp = new PublicClientApplication({
  auth: {
    clientId: this.clientId,
    authority: this.authority,
    redirectUri: this.loginRedirectUri,
    postLogoutRedirectUri: this.postLogoutRedirectUri
  },
  cache: {
    cacheLocation: "localStorage",
    storeAuthStateInCookie: isIEOrOldEdge // https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1188#issuecomment-634281307
  },
  system: {
    tokenRenewalOffsetSeconds: 60,
    iframeHashTimeout: 30000, // iframe is used to refresh the refresh_token as it has a 24h lifetime
    loggerOptions: {
      loggerCallback: MsalAuthContext.msalLoggerCallback,
      piiLoggingEnabled: false,
      logLevel: LogLevel.Verbose
    }
  }
});

const handleRedirectPromise = publicClientApp
  .handleRedirectPromise()
  .then(response => {
    // After a redirect, take the account from the response; otherwise fall back to the cached one.
    this.account = response ? response.account : this.getAccount();
    if (!this.account) {
      CoreLogger.trackEvent(TelemetryEventName.Core_MSALAuthContext_login);
      this.publicClientApp.loginRedirect({
        scopes: this.scopes,
        authority: this.authority,
        extraQueryParameters: this.safeRolloutQueryParams
      });
    }
  })
  .catch(error => {
    if (error) {
      this.trackError(error);
    }
  });
```
Reproduction steps
Not sure how to repro
Expected behavior
No errors
Browsers/Environment
- Chrome
- Firefox
- Edge
- Safari
- IE
- Other (Please add browser name here)