25,216 questions
Usually, you get the AADSTS9002327 error when trying to exchange a refresh token from server-side code. Ensure it's being done exclusively from client-side code.
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin request
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 90%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Debebe, Solomon Aynalem
0
Reputation points
We have an Microsoft Entra ID App created, using the followings:
- Platform: Single-page application
- OIDC-based Sign-on
- Conditional Access Policies for devices and MFA
- Auth code flow paired with Proof Key for Code Exchange (PKCE) and OpenID Connect (OIDC) to get access tokens and ID tokens
Trying to generate token using our app returns the following error messages:
Authentication problem: No access token provided from login.microsoftonline.com:400 Bad Request: "{"error":"invalid_request","error_description":"AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests. Trace ID: 46359ff6-d4ca-4e6f-8291-f352afa72300 Correlation ID: 450d31b1-bf1b-4686-91a5-0c0df20d9084 Timestamp: 2024-02-28 10:00:28Z","error_codes":[9002327],"timestamp":"2024-02-28 10:00:28Z","trace_id":"46359ff6-d4ca-4e6f-8291-f352afa72300","correlation_id":"450d31b1-bf1b-4686-91a5-0c0df20d9084"}"
I appreciate your support to solve this problem!
Thanks
Solomon
Microsoft Security | Microsoft Entra | Microsoft Entra ID
1 answer
Sort by: Most helpful
-
Alfredo Revilla (Personal Account) 391 Reputation points2024-02-29T04:00:25.13+00:00 -
Debebe, Solomon Aynalem 0 Reputation points
2024-02-29T07:04:59.8933333+00:00 We're not going to refresh a token, we tried getting access tokens from Microsoft Entra ID using our client application/browser.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 30,301 Reputation points Microsoft Employee Moderator2024-02-29T08:04:11.25+00:00 Hi Debebe, Solomon Aynalem, The Entra ID
AADSTS9002327error is being thrown due to your token requests missing the Origin header. Add it to your request or update the redirect URL type to Web or Native/Desktop in your Entra ID app registration. Hope this will help. Thanks,Shweta
-
Alfredo Revilla (Personal Account) 391 Reputation points
2024-03-01T05:01:37.0033333+00:00 Building over Shweta Mathur comment and expanding my answer, the absence of an origin header suggests that the token exchange or redemption call may be executed server-side, specifically from server code. Some client applications are also rendered by server code (e.g., React SSR, Blazor Server, ASP.NET MVC, etc.). Please provide as many details as possible about your application architecture Debebe, Solomon Aynalem.
Sign in to comment -