9,737 questions
CORS Error When Calling https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token in React.js Outlook Add-In
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 86%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Suraj Sinha
10
Reputation points
I'm developing a React.js-based Outlook add-in and facing a CORS issue while calling the API https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token.
Payload as follows:
{ "client_id": clientId, "client_secret": clientSecret, "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "requested_token_use": "on_behalf_of", "scope": scopes, "assertion": Token A }
I can successfully call the API using Postman with the same request parameters, and it returns the expected response.
When making the same API call from the add-in (running locally), I am getting CORS error in the browser console:
What we tried:
- Verified the request headers and body match the working Postman configuration.
- Checked Azure AD app registration for proper redirect URIs and CORS settings, but the issue persists.
Queries:
- Why does the
https://login.microsoftonline.comendpoint block CORS when accessed from a browser environment in the Outlook add-in? - Is there a recommended way to make such API calls in an Outlook add-in without running into CORS issues?
- Should this flow use a proxy server or some other mechanism to bypass the CORS restriction?
Outlook | Windows | Classic Outlook for Windows | For business
Microsoft Security | Microsoft Graph
13,724 questions
Sign in to answer