BrowserAuthError: post_request_failed: Network request failed: If the browser threw a CORS error, check that the redirectUri is registered in the Azure App Portal as type 'SPA'.

Question

BrowserAuthError: post_request_failed: Network request failed: If the browser threw a CORS error, check that the redirectUri is registered in the Azure App Portal as type 'SPA'.

Mridul Paliwal 0

I keep getting this error when trying to sign-in using AD-B2c. i have the redirects configured as SPA and everything works fine in windows but in Safari on Mac and all browsers in iOS i am prompted for a login twice and the first one has this error.

Already checked to make sure the cookies are secure and am using storeAuthStateInCookie = true. The msal version in use are

    "@azure/msal-browser": "^3.1.0",
    "@azure/msal-react": "^2.0.3",

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-09T22:45:32.41+00:00

Hi @Mridul Paliwal
I understand that you are trying to sign-in using AD-B2C in Safari on Mac and all browsers in iOS, but you are prompted for a login twice and with an error.

"BrowserAuthError: post_request_failed: Network request failed: If the browser threw a CORS error, check that the redirectUri is registered in the Azure App Portal as type 'SPA'".

In the Application manifest try to convert the accept token version into V2.0 and test the scenario.

Please refer the source document for more information: https://learn.microsoft.com/en-us/entra/identity-platform/migrate-spa-implicit-to-auth-code

Hope this helps. Do let us know if you have any further queries.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-10T18:52:59.43+00:00

Hi @Mridul Paliwal
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Mridul Paliwal 0 Reputation points

2025-04-11T13:55:01.3733333+00:00

Hi,

we are already using login redirect and are using msal2.0 and all the urls for the app are SPA. That should cover for CORS configuration I believe. The only issue is safari rather Apple devices and chrome is working fine in windows. Safari, edge and chrome on iPhone however all need double login. So this issue is specifically to get help around that.
Mridul Paliwal 0 Reputation points

2025-04-11T13:56:10.0666667+00:00

Is there a specific msal version/configuration with sample app that I can use to verify it working?
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-11T22:15:32.58+00:00

Hi @Mridul Paliwal
It seems the only issue is safari rather Apple devices and chrome is working fine in windows. Safari, edge and chrome on iPhone however all need double login.

Apple Safari has an on-by-default privacy protection feature called Intelligent Tracking Protection, or ITP. Chrome has a browser privacy initiative named the Privacy Sandbox. These initiatives encompass many different browser privacy efforts by the browsers and have different timelines. Both efforts block "third-party" cookies on requests that cross domains, with Safari and Brave block third-party cookies by default. Chrome recently announced that they'll start blocking third-party cookies by default. Privacy Sandbox includes changes to partitioned storage as well as third-party cookie blocking.

A common form of user tracking is done by loading an iframe to third-party site in the background and using cookies to correlate the user across the Internet. Unfortunately, this pattern is also the standard way of implementing the implicit flow in single-page apps (SPAs). A browser that blocks third-party cookies to protect user privacy can also block the functionality of a SPA. Use of the implicit flow in SPAs is no longer recommended due to the blocking of third-party cookies and the security risks associated with it.

The solution for this problem is to continue authenticating users in SPAs, app developers must use the authorization code flow. In the auth code flow, the identity provider issues a code, and the SPA redeems the code for an access token and a refresh token.

For reference: https://learn.microsoft.com/en-us/entra/identity-platform/reference-third-party-cookies-spas#what-is-intelligent-tracking-protection-itp-and-privacy-sandbox

Hope this helps. Do let us know if you have any further queries.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-14T18:52:52.5266667+00:00

Hi @Mridul Paliwal
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Mridul Paliwal 0 Reputation points

2025-04-14T20:56:03.5066667+00:00

It was definitely very helpful. but how is msal library looking to address these security enhancements ? is there a version where this would work?
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-15T00:03:27.27+00:00

Hi @Mridul Paliwal
Microsoft Authentication Library (MSAL) for JavaScript v2.0 and higher, implements the authorization code flow for SPAs and, with minor updates, is a drop-in replacement for MSAL.js 1.x. See the migration guide for moving a SPA from implicit to auth code flow.

Hope this helps. Do let us know if you have any further queries.
Mridul Paliwal 0 Reputation points

2025-04-15T19:41:29.6633333+00:00
Hi @Anonymous ,Sincerely appreciate the follow up.

We already using auth code flow with login redirect. the redirects are correctly configured as SPA. it's all working good with chrome and edge in windows. Safari is the only problem.

these are the msal versions we are using.

"@azure/msal-browser": "^3.1.0", "@azure/msal-react": "^2.0.3",

1 answer

Your answer

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-09T22:45:32.41+00:00

Hi @Mridul Paliwal
I understand that you are trying to sign-in using AD-B2C in Safari on Mac and all browsers in iOS, but you are prompted for a login twice and with an error.

"BrowserAuthError: post_request_failed: Network request failed: If the browser threw a CORS error, check that the redirectUri is registered in the Azure App Portal as type 'SPA'".

In the Application manifest try to convert the accept token version into V2.0 and test the scenario.

Please refer the source document for more information: https://learn.microsoft.com/en-us/entra/identity-platform/migrate-spa-implicit-to-auth-code

Hope this helps. Do let us know if you have any further queries.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-10T18:52:59.43+00:00

Hi @Mridul Paliwal
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Mridul Paliwal 0 Reputation points

2025-04-11T13:55:01.3733333+00:00

Hi,

we are already using login redirect and are using msal2.0 and all the urls for the app are SPA. That should cover for CORS configuration I believe. The only issue is safari rather Apple devices and chrome is working fine in windows. Safari, edge and chrome on iPhone however all need double login. So this issue is specifically to get help around that.
Mridul Paliwal 0 Reputation points

2025-04-11T13:56:10.0666667+00:00

Is there a specific msal version/configuration with sample app that I can use to verify it working?
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-11T22:15:32.58+00:00

Hi @Mridul Paliwal
It seems the only issue is safari rather Apple devices and chrome is working fine in windows. Safari, edge and chrome on iPhone however all need double login.

Apple Safari has an on-by-default privacy protection feature called Intelligent Tracking Protection, or ITP. Chrome has a browser privacy initiative named the Privacy Sandbox. These initiatives encompass many different browser privacy efforts by the browsers and have different timelines. Both efforts block "third-party" cookies on requests that cross domains, with Safari and Brave block third-party cookies by default. Chrome recently announced that they'll start blocking third-party cookies by default. Privacy Sandbox includes changes to partitioned storage as well as third-party cookie blocking.

A common form of user tracking is done by loading an iframe to third-party site in the background and using cookies to correlate the user across the Internet. Unfortunately, this pattern is also the standard way of implementing the implicit flow in single-page apps (SPAs). A browser that blocks third-party cookies to protect user privacy can also block the functionality of a SPA. Use of the implicit flow in SPAs is no longer recommended due to the blocking of third-party cookies and the security risks associated with it.

The solution for this problem is to continue authenticating users in SPAs, app developers must use the authorization code flow. In the auth code flow, the identity provider issues a code, and the SPA redeems the code for an access token and a refresh token.

For reference: https://learn.microsoft.com/en-us/entra/identity-platform/reference-third-party-cookies-spas#what-is-intelligent-tracking-protection-itp-and-privacy-sandbox

Hope this helps. Do let us know if you have any further queries.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-14T18:52:52.5266667+00:00

Hi @Mridul Paliwal
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Mridul Paliwal 0 Reputation points

2025-04-14T20:56:03.5066667+00:00

It was definitely very helpful. but how is msal library looking to address these security enhancements ? is there a version where this would work?
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-15T00:03:27.27+00:00

Hi @Mridul Paliwal
Microsoft Authentication Library (MSAL) for JavaScript v2.0 and higher, implements the authorization code flow for SPAs and, with minor updates, is a drop-in replacement for MSAL.js 1.x. See the migration guide for moving a SPA from implicit to auth code flow.

Hope this helps. Do let us know if you have any further queries.
Mridul Paliwal 0 Reputation points

2025-04-15T19:41:29.6633333+00:00

Hi @Anonymous ,Sincerely appreciate the follow up.

We already using auth code flow with login redirect. the redirects are correctly configured as SPA. it's all working good with chrome and edge in windows. Safari is the only problem.

these are the msal versions we are using.

"@azure/msal-browser": "^3.1.0", "@azure/msal-react": "^2.0.3",

Answer 1

Bandela Siri Chandana 3,055 Microsoft External Staff Moderator

Hi @Mridul Paliwal
A common form of user tracking is done by loading an iframe to third-party site in the background and using cookies to correlate the user across the Internet. Unfortunately, this pattern is also the standard way of implementing the implicit flow in single-page apps (SPAs). A browser that blocks third-party cookies to protect user privacy can also block the functionality of a SPA. Use of the implicit flow in SPAs is no longer recommended due to the blocking of third-party cookies and the security risks associated with it.

The solution outlined in this article works in all of these browsers, or anywhere third-party cookies are blocked.
For reference: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-implicit-grant-flow

Hope this helps. Do let us know if you have any further queries.

Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-16T19:39:02.6533333+00:00

Hi @Mridul Paliwal
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator

2025-04-17T20:04:54+00:00

Hi @Mridul Paliwal
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Share via

BrowserAuthError: post_request_failed: Network request failed: If the browser threw a CORS error, check that the redirectUri is registered in the Azure App Portal as type 'SPA'.

1 answer

Your answer