AADSTS9002327 error on SPA token redemption despite correct cross-origin request

Ahmad Ruswandi 0 Reputation points
2025-04-19T04:59:52.1733333+00:00

User attempts to sign in to a Single-Page Application using MSAL.js and Azure AD (Entra).

Application (Client) ID = d2b844d3-d8a5-4c3d-a73c-5e0ff3f32b78

User clicks sign in, gets redirected, signs in, redirects back, JavaScript attempts token exchange.

Then the user goes to the login page again, clicks the "Sign in with Microsoft" button, and nothing happens.

I checked the browser console and got a 400 error when the browser attempted to hit the https://login.microsoftonline.com endpoint.

The error states tokens for SPAs must be redeemed via cross-origin requests, but our application is configured as an SPA and is making what appears to be a standard cross-origin token request from the browser using MSAL.js. We have verified the Client ID and Redirect URI match exactly between the App Registration, MSAL config, and the token request.

We have verified Redirect URI matching, checked the Client ID, cleared the browser cache, and experimented with aligning scopes between the login and token requests, including 'offline_access'.

======

{
  "error": "invalid_request",
  "error_description": "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests. Trace ID: 006bc103-37cb-4099-9592-9651884e0c00 Correlation ID: 01964c3c-ace1-72e0-95c2-dfc71cf2ab4e Timestamp: 2025-04-19 04:09:29Z",
  "error_codes": [ 9002327 ],
  "timestamp": "2025-04-19 04:09:29Z",
  "trace_id": "006bc103-37cb-4099-9592-9651884e0c00",
  "correlation_id": "01964c3c-ace1-72e0-95c2-dfc71cf2ab4e"
}

========

My msalConfig:

import { LogLevel } from "@azure/msal-browser"; // LogLevel is referenced in loggerCallback below

export const msalConfig = {
    auth: {
        clientId: "d2b844d3-d8a5-4c3d-a73c-5e0ff3f32b78",
        authority: "https://login.microsoftonline.com/842e4c68-1cb1-448b-8035-aa84a75297c9", // Or common endpoint
        redirectUri: "http://localhost:5174", // Must match registered redirect URI in Azure AD
        // postLogoutRedirectUri: "http://localhost:5173/logout", // Optional
    },
    cache: {
        cacheLocation: "sessionStorage", // Or 'localStorage'
        storeAuthStateInCookie: false, // Set to true for IE11 support or certain scenarios
    },
    system: {
        loggerOptions: {
            loggerCallback: (level, message, containsPii) => {
                if (containsPii) return; // Never log messages that carry personal data
                switch (level) {
                    case LogLevel.Error: console.error(message); return;
                    case LogLevel.Info: console.info(message); return;
                    case LogLevel.Verbose: console.debug(message); return;
                    case LogLevel.Warning: console.warn(message); return;
                }
            },
            logLevel: LogLevel.Info // Adjust level for debugging
        }
    }
};

=========

https://login.microsoftonline.com/842e4c68-1cb1-448b-8035-aa84a75297c9/oauth2/v2.0/token?client-request-id=01964c4e-c741-774d-9cd0-9e85dbe3cef0

with the following form data sent:

client_id: d2b844d3-d8a5-4c3d-a73c-5e0ff3f32b78
redirect_uri: http://localhost:5174
scope: openid profile email offline_access

code: 1.ASoAaEwuhLEci0SANaqEp1KXydNEuNKl2D1MpzxeD_PzK3gpAQAqAA.AgABBAIAAABVrSpeuWamRam2jAF1XRQEAwDs_wUA9P8viAeG0NgNqt-_e9A30ClzsYViaZIBtHzI_obyaLJyt-sLxcXase1x9N1BNY49Liif4H83T9zriKhF6XuO0zGKUtwOhCpNxIfEIenb0k0pgtxRKSQxrEKzOKw-EXBUZdmz1p-9kRdIWd-BLH9m0u9pwSJ0knJ7oUPxeg48G_6PUX1jddBi4joUa0c5jCOUtaVH3DCYN2ntOLBRaVWQyUkJM2uTEAi07Yrl5gOhkRog6DAutw7SxFa_p48IecOggNT7HV8HtaeesHTE5chf526IOXOAcpIHTOanNVoZUKH23_Dj2IW_kfuKs7m8OBnOd-0CcpQS3uXkxD959O7etDwDqQis0zQTbIOTlNmSBK8lnoL5F7BkE2u1ZYbse-oaeI_wb8CWVfoWeCPNp8-ZCkMDnRQZaUZilwciOw_hhCc8XCl-moC1jCTnTxO60Ytpw2bUw-dM5jSSKb4P29CJqvjWrbpVvdyMtQKq04aHHEDDc-gnyQvIMUCmx0M7a7wAansG5ZN_AQJk-0eAmGqBsKfod7ENCkPALGwQJYKujkBnDftb3BC0dd3bo7eyKAObg-7ndoPB_CfDH9pWDNuIj5tKHdju6EDbPlSpTUxOjIy7SJLVCeCYs-M22PVdacpCdhJjkWJEXi3Et1jzGwwFY9AaBbWfuZ9tSYBO3z0sEyFvo2ApQn7s-46Xwpu2uNl-Zfg26PWvuz0d0unkIDfyZEwzR9yIBurKqUCIaqVwvAO3ThRtM8UcL-4U-PKm88fqSHTapLBWZEF7JWnNOklVuVOxZT9u29eIbyK2WPEHxmdZWOtHCS-vS1MIQ897vbKl0QgtbEFg8IBbJPZnHRE

x-client-SKU: msal.js.browser
x-client-VER: 4.11.0
x-ms-lib-capability: retry-after, h429
x-client-current-telemetry: 5|865,0,,,|,
x-client-last-telemetry: 5|0|865,01964c39-7802-7885-bea4-6be80bedab6a|invalid_request|1,0
code_verifier: 2lpCFzLu6kuHC_B309yCAt6h9sQ9tb9EOgJLI3MJagw
grant_type: authorization_code
client_info: 1
X-AnchorMailbox: Oid:d39ee765-0c90-4bad-8eb0-5deb0e9cf0a8@842e4c68-1cb1-448b-8035-aa84a75297c9


1 answer

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
2025-04-21T11:52:20.68+00:00

@Ahmad Ruswandi
The error code AADSTS9002327 generally occurs when the request is missing an Origin header. The Microsoft identity platform will return this error if a Single Page Application (SPA) redirect URI is used without including an Origin header in the request; try including the Origin header so the request is processed correctly.

Make sure the origin you are passing and the redirect URL configured in the application match.
Verify that you have added a redirect URI that supports the auth code flow with PKCE and cross-origin resource sharing (CORS) (Redirect URI type: MSAL.js 2.0 with auth code flow).

Please refer to the document about Redirect URIs for single-page apps (SPAs).

Hope this helps. Do let us know if you have any further queries by responding in the comments section.
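The check the answer describes, modelled in JavaScript as an added example (not code from the question, MSAL.js or Microsoft): a token request against an SPA redirect URI is accepted only when it carries an Origin header matching that redirect URI. The registration, the AADSTS9002327-style response and the sample body are constructed; the real token endpoint's logic is assumed, not reproduced.

```javascript
// Added example, not the question's or Microsoft's code: a model of the check the
// token endpoint applies to SPA-type clients, assumed from the answer above. A code
// redeemed against an SPA redirect URI must arrive as a cross-origin browser request.

// Constructed registration: the client id and SPA redirect URI from the question.
const REGISTRATION = {
  clientId: "d2b844d3-d8a5-4c3d-a73c-5e0ff3f32b78",
  spaRedirectUris: ["http://localhost:5174"],
};

// `headers` is a lowercase-keyed object; `body` is the raw
// application/x-www-form-urlencoded string MSAL.js posts to /oauth2/v2.0/token.
// Returns { ok: true } or an error object shaped like the JSON in the question.
function redeemSpaCode(headers, body) {
  const form = new URLSearchParams(body);
  const fail = (error, error_description) => ({ ok: false, error, error_description });
  if (form.get("client_id") !== REGISTRATION.clientId) {
    return fail("invalid_client", "unknown client_id");
  }
  const redirectUri = form.get("redirect_uri") || "";
  if (!REGISTRATION.spaRedirectUris.includes(redirectUri)) {
    return fail("invalid_request", "redirect_uri is not registered for this client");
  }
  if (!form.get("code_verifier")) {
    return fail("invalid_request", "SPA clients must use PKCE; code_verifier is missing");
  }
  // The check behind AADSTS9002327. Browser fetch/XHR always attach Origin to a
  // cross-origin POST; a server-side or curl redemption of the same code does not.
  const origin = headers["origin"];
  if (!origin) {
    return fail("invalid_request", "AADSTS9002327: Tokens issued for the 'Single-Page " +
      "Application' client-type may only be redeemed via cross-origin requests.");
  }
  if (origin !== new URL(redirectUri).origin) {
    return fail("invalid_request", `Origin ${origin} does not match redirect_uri ${redirectUri}`);
  }
  return { ok: true };
}

// Constructed request body mirroring the question's fields (code and verifier are placeholders).
function sampleBody() {
  return new URLSearchParams({
    client_id: REGISTRATION.clientId,
    redirect_uri: "http://localhost:5174",
    code: "<authorization-code-placeholder>",
    code_verifier: "<pkce-verifier-placeholder>",
    grant_type: "authorization_code",
  }).toString();
}
```

Running the same body once with `{ origin: "http://localhost:5174" }` and once with empty headers shows the two outcomes: the browser-shaped request succeeds, the Origin-less one gets the AADSTS9002327 description.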

