Website deployed on Azure App Service failing with CORS error on redirecting to location from 302 response

Madhusudan Vishnupurikar 21 Reputation points
2023-01-10T08:56:07.067+00:00

My website has EasyAuth enabled and the application doesn't have any custom code (MSAL, ADAL) for authentication. The application works fine when the user is logged in. When the session has expired and the user tries any action from the application tab, App Service responds with a 302 redirect response with a Location header with the value below:

https://login.windows.net/{tenantId}/oauth2/authorize?response_type=code+id_token&redirect_uri={domain}/.auth/login/aad/callback&client_id={clientId}&scope=openid+profile+email&response_mode=form_post&resource={clientId}&nonce=151c034c0ed04baca31367bee4a5cd59_20230110065358&state=redir=%2Fsearch

Browser tries to follow location and results in CORS error as:

[Image: screenshot of the CORS error]

The web app has CORS enabled. Is there a way to fix this? Currently, on a full page refresh the application works fine, but I wanted to keep the application in the same state and get a fresh token on the fly without a full page refresh.

Azure App Service

1 answer

  1. Grmacjon-MSFT 19,301 Reputation points Moderator
    2023-01-11T01:33:54.163+00:00

    Hi @Madhusudan Vishnupurikar ,

    Sorry to hear you are facing this issue. A few things to consider:

    • Do you have any redirect rules configured for your app?

    Based on this error message you're getting, "AADSTS90102: 'redirect_uri' value must be a valid absolute URI.", you may need to configure the Azure App Service to allow CORS for the domain that is serving that web page. You can do this by adding the domain to the list of allowed origins in the CORS settings for the Azure App Service.

    NOTE: Don't try to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect.

    "When your provider's access token (not the session token) expires, you need to reauthenticate the user before you use that token again. You can avoid token expiration by making a GET call to the /.auth/refresh endpoint of your application. When called, App Service automatically refreshes the access tokens in the token store for the authenticated user. Subsequent requests for tokens by your app code get the refreshed tokens. However, for token refresh to work, the token store must contain refresh tokens for your provider.

    The way to get refresh tokens for your provider (Microsoft) is to:

    • In https://resources.azure.com, do the following steps:
      • At the top of the page, select Read/Write.
      • In the left browser, navigate to subscriptions > <subscription_name> > resourceGroups > <resource_group_name> > providers > Microsoft.Web > sites > <app_name> > config > authsettingsV2.
      • Click Edit. Modify the following property:

            "identityProviders": {
              "azureActiveDirectory": {
                "login": {
                  "loginParameters": ["scope=openid profile email offline_access"]
                }
              }
            }

      • Click Put.

    Please read this Azure tutorial for more information: https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens#extend-session-token-expiration-grace-period

    Hope that helps. Please let us know if you have further questions.

    Thanks, Grace


    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
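
The GET call to /.auth/refresh described in the answer, as an added example that is not part of the original thread or Microsoft's code: a fetch wrapper that does not follow the 302 to the login endpoint, calls /.auth/refresh once, and retries the original request. The names isLoginRedirect, fetchWithRefresh, fetchImpl and makeStubFetch are assumptions, and the stub responses are constructed so the flow runs offline.

```javascript
// Added example; isLoginRedirect, fetchWithRefresh and fetchImpl are
// illustrative names, not part of App Service or its documentation.

// With redirect: "manual", fetch does not follow the 302 to the login endpoint;
// it resolves with an opaque-redirect response (type "opaqueredirect", status 0).
// 401 is also treated as "session rejected" (assumption: the app may be
// configured to return 401 instead of redirecting).
function isLoginRedirect(res) {
  return res.type === "opaqueredirect" || res.status === 401;
}

async function fetchWithRefresh(url, options = {}, fetchImpl = globalThis.fetch) {
  const opts = { ...options, redirect: "manual", credentials: "same-origin" };
  let res = await fetchImpl(url, opts);
  if (!isLoginRedirect(res)) return { res, needsLogin: false };

  // Session rejected: call the /.auth/refresh endpoint once (GET, same origin).
  const refresh = await fetchImpl("/.auth/refresh", {
    redirect: "manual",
    credentials: "same-origin",
  });
  // Refresh failed (for example, no refresh token in the token store):
  // the caller has to send the user through a full-page login.
  if (!refresh.ok) return { res, needsLogin: true };

  res = await fetchImpl(url, opts); // retry the original request exactly once
  return { res, needsLogin: isLoginRedirect(res) };
}

// Constructed stub standing in for the browser's fetch, so the flow runs offline.
// Requests are answered with an opaque redirect until a refresh succeeds.
function makeStubFetch(refreshWorks) {
  const calls = [];
  let refreshed = false;
  const stub = async (url) => {
    calls.push(url);
    if (url === "/.auth/refresh") {
      refreshed = refreshWorks;
      return { ok: refreshWorks, status: refreshWorks ? 200 : 403, type: "basic" };
    }
    return refreshed
      ? { ok: true, status: 200, type: "basic" }
      : { ok: false, status: 0, type: "opaqueredirect" };
  };
  return { stub, calls };
}
```

When needsLogin comes back true, the page can save its state and navigate the top-level window to the login flow, since only a full navigation can complete the redirect to the identity provider.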
