AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin request

Question

We use Puppeteer with CDP and chromium for synthetic testing SSO SPA aplication behind PKCE with Kerberos.

Unfortunalely we get
{"error":"invalid_request","error_description":"AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests. Trace ID: xxx-9dd0-4b33-ab9f-adc224cf2400 Correlation ID: xxxx-e98e-4952-a14d-878f92d1b473 Timestamp: 2025-04-18 19:14:17Z","error_codes":[9002327],"timestamp":"2025-04-18 19:14:17Z","trace_id":"xxx-9dd0-4b33-ab9f-adc224cf2400","correlation_id":"xxx-e98e-4952-a14d-878f92d1b473"}

Is there a way how to enable SPA application to allow this? Would just adding the Origin header help? Or are there more checks for browser (like preflight options checkes, Sec-Fetch-* etc.)?

It is chrome 119 in headless mode. I understand Entra is trying to block off bots and scripts, but how to circumvent it?

Answer 1

Hi @David Macháček
Microsoft identity platform returns an error if you attempt to use a spa redirect URI without an Origin header. The error AADSTS9002327 usually occurs when you are not passing the Origin as a header the token request must include the Origin header to be processed correctly.

Also, check that you have added redirect URI that supports auth code flow with PKCE and cross-origin resource sharing (CORS).

Please read the relevant document to know about Redirect URIs for single-page apps (SPAs).

Hope this helps. Do let us know if you have any further queries by responding in the comments section.

---

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.