544 questions
Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
In our project, we currently utilize an Angular (frontend) - .NET (middle layer) - nvasion Business Dynamics API (backend) architecture. As part of an ongoing optimization effort, we are planning to eliminate the middle layer and directly invoke APIs from Angular to nvasion API. However, during this transition, I encountered an issue while attempting to make API calls directly from Angular to the nvasion API.
The specific problem arises when I attempt to access the authentication endpoint of the Business Dynamics API to obtain a token for API authentication purposes. The error message received is as follows: 'AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: '[http://localhost:3200]'. Trace ID: 62f44671-7ebe-4e00-bd29-de3db9f9c400 Correlation ID: 7c11dd26-f31e-48c0-ae40-80d8f8f26d60 Timestamp: 2024-03-05 06:29:09Z'.
Interestingly, when attempting the same request using Postman, a successful response is received. I have attached a screenshot of the successful response for reference.
Could you kindly provide an explanation of this error and suggest a solution to address it?
Windows for business | Windows 365 Business
Microsoft Security | Microsoft Graph
13,732 questions
{count} votes
-
CarlZhao-MSFT 46,376 Reputation points2024-03-06T09:45:20.8633333+00:00 -
Anonymous
2024-03-07T05:00:57.8833333+00:00 it is web app
-
Anonymous
2024-03-11T11:21:38.62+00:00 Please provide update on this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 33%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Shamilian, Natalie (US 393G) 0 Reputation points2024-07-24T18:47:14.5633333+00:00 I've been having the same issue even when configuring for spa or web app. My request also works on postman. When I request a token, it needs CORS headers, and when I add CORS headers, I get this same error: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type
Sign in to comment
Sign in to answer