AADSTS9002327 error in Refresh Token Flow in Azure AD


I am getting the below error when I attempt a Refresh Token Flow in Azure AD.

AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests

My problem is identical to what is shared below:

https://learn.microsoft.com/en-us/answers/questions/1312290/tokens-for-spa

My HTTP POST contains the grant_type and refresh_token. I tried to include "origin", "redirection_uri", "scope" etc. but I still get the same error.

Is this a problem with my HTTP POST message, with the Azure AD app registration, or with Azure AD itself?

Rukmini On BEST ANSWER

I created an Azure AD SPA application:


Granted API permissions:


To authorize users, I used the below endpoint:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://ClientID/spaapp.access openid offline_access
&state=12345
&code_challenge=CodeChallenge
&code_challenge_method=S256


Generated an access token by using the below parameters via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:api://ClientId/spaapp.access openid offline_access
code:code
redirect_uri:https://jwt.ms
code_verifier:S256

And passed Origin as header:

Origin:https://jwt.ms


The error "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests" usually occurs if you are not passing Origin as a header or are passing invalid parameters to refresh the access token.

To refresh the access token, make use of the below parameters:

POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:refresh_token
redirect_uri:https://jwt.ms
refresh_token:RefreshToken

Make sure to pass Origin as a header:

Origin:RedirectURL


I am able to successfully refresh the access token:


The scope parameter is optional. If you are not passing the scope, the original scopes will be used. Or you can request a set of scopes.

If the issue still persists, check the below:

  • Make sure the Azure AD application is configured as a SPA.
  • Make sure the origin you are passing and the redirect URL configured in the application match.
  • Ensure CORS is properly configured and the server is allowing requests from the SPA.
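The refresh call described in this answer, as an added example that is not part of the original post (Python, standard library only): it builds the POST with the Origin header the answer says is required, and pulls the AADSTS code out of an error reply so a client can tell a missing-Origin rejection apart from other failures. TenantID, ClientID and RefreshToken are placeholders, and the error body is constructed from the message quoted in the question.

```python
import json
from urllib import request, parse, error

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample of the failing reply (not a captured one), used for testing.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS9002327: Tokens issued for the 'Single-Page "
                         "Application' client-type may only be redeemed via "
                         "cross-origin requests",
})

def build_refresh_request(tenant, client_id, refresh_token, origin, scope=None):
    """Build the refresh-token POST for an Azure AD SPA client.
    Returns (url, body_bytes, headers). The Origin header marks the call as a
    cross-origin (browser-style) redemption; a SPA-type refresh token sent
    without it is rejected with AADSTS9002327. Origin must match a redirect
    URI registered under the app's SPA platform."""
    form = {
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }
    if scope:  # optional: omit to get the originally granted scopes back
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Origin": origin}
    return TOKEN_URL.format(tenant=tenant), parse.urlencode(form).encode(), headers

def parse_token_response(status, body):
    """Classify a token endpoint reply as (ok, details). On failure,
    details["aadsts"] carries the AADSTS code from error_description so a
    caller can branch on 9002327 (missing/invalid Origin) specifically."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return True, {"expires_in": data.get("expires_in"), "scope": data.get("scope")}
    desc = data.get("error_description", "")
    code = desc.split(":", 1)[0] if desc.startswith("AADSTS") else None
    return False, {"error": data.get("error"), "aadsts": code}

def refresh_access_token(tenant, client_id, refresh_token, origin, scope=None):
    """Send the refresh request and classify the result (makes a network call)."""
    url, body, headers = build_refresh_request(tenant, client_id, refresh_token, origin, scope)
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.status, resp.read())
    except error.HTTPError as exc:  # Azure AD answers 400 with a JSON error body
        return parse_token_response(exc.code, exc.read())
```

Call refresh_access_token("TenantID", "ClientID", "RefreshToken", "https://jwt.ms") with real values to exercise it against the tenant; the other two functions can be checked offline.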