Azure App Registration causing the following error: cross-origin token redemption is permitted only for the 'Single-Page Application' client type.

Owen Coyle 1 Reputation point
2021-03-15T18:35:16.177+00:00

Hello!
I am currently setting up Azure to work with Alteryx, so I can connect straight to OneDrive via their tools. This is done through the following documentation (https://community.alteryx.com/t5/Alteryx-Designer-Knowledge-Base/Tool-Mastery-One-Drive/ta-p/299125)
Through following this exactly I received the following error:
77836-onedrive1.png

I struggled to find anything about this online, apart from this:
https://msft.it/6011VKSyT
Which I followed to turn it into a Single Page Application, but received the following:
77906-onedrive2.png

The only other thing I found was: msft.it/6013VKSyV
To which I received the following error:

77907-onedrive3.png

As the Alteryx Documentation asks for the replyURL type to be web, I suspect this isn't the issue. Any help on this one would be massively appreciated!

Thanks,
Owen

8 answers

  1. Martin Simard 21 Reputation points
    2021-04-30T18:39:39.913+00:00

    There are two cases for token redemption (using authorization_code mode): from Web Application and from Single-Page Application (PKCE).

    When using a SPA, Azure Identity requires that the token redemption comes from a browser (not a web server). The request for the code exchange must contain the 'Origin' header. If not, you get the error: "Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests"

    I have a small NodeJS app that I use to test all oAuth authorization modes, and I got the error reported in this thread because I use the same redeem function for WebApp and SPA.

    I removed the 'Origin' header, and the error is gone.

    If you have a Web Application, be sure that there is no 'Origin' header sent to the server when exchanging a code for a token.

    Not sure if it's a bug or feature tho!

    4 people found this answer helpful.

  2. CiesielskiRoman-3406 6 Reputation points
    2021-04-27T09:36:36.153+00:00

    I have the same error:
    AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.\r\nTrace ID: 7fa66d7b-1aa9-434d-a5eb-208b6f71a400\r\nCorrelation ID: a9eeac52-10f0-484b-a8dc-2ede67198945\r\nTimestamp: 2021-04-27 09:24:29Z

    My case: I am creating an Outlook add-in with on_behalf_of authorization. When I try to exchange the Outlook token to get a token for MS Graph, I get the error. The app is configured as SPA and Web.

    Any idea about solution?

    1 person found this answer helpful.

  3. Mike Kaply 6 Reputation points
    2021-07-08T22:20:45.967+00:00

    In my testing, this was definitely related to an Origin header.

    I was using fetch from JavaScript and it was adding "Origin": "null" which the Microsoft endpoint didn't like.

    I switched to using XHR and there was no Origin header, it worked.

    I think this is a Microsoft bug. It should ignore Origin null header.

    1 person found this answer helpful.
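
The two redemption cases reported in the answers from Martin Simard and Mike Kaply, as an added example that is not code from this thread or from Microsoft: a pre-flight check that catches an `Origin` header on a Web redemption (including `Origin: null`) and a missing one on a SPA redemption. The function names and all parameter values are hypothetical placeholders, and the rules encode the behaviour described in this thread, not a specification of the endpoint.

```javascript
// Constructed placeholders; nothing here is sent over the network.
const TOKEN_URL = 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token';

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Build the code-for-token request for a redirect URI registered as 'web' or 'spa'.
function buildRedemption(platform, p) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: p.clientId,
    code: p.code,
    redirect_uri: p.redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (platform === 'spa') {
    body.set('code_verifier', p.codeVerifier); // PKCE, redeemed from the browser
    headers.Origin = p.origin;                 // a browser adds this by itself
  } else {
    body.set('client_secret', p.clientSecret); // server-side redemption, no Origin
  }
  return { url: TOKEN_URL, headers, body };
}

// Flag the mismatches reported in this thread before the request is sent.
function checkRedemption(platform, req) {
  const origin = getHeader(req.headers, 'origin');
  const findings = [];
  if (platform === 'web' && origin !== undefined) {
    findings.push(origin === 'null'
      ? 'web: "Origin: null" still counts as an Origin header (AADSTS9002326)'
      : 'web: remove the Origin header (AADSTS9002326)');
  }
  if (platform === 'spa' && origin === undefined) {
    findings.push('spa: no Origin header; redemption must be a cross-origin browser request');
  }
  if (platform === 'spa' && !req.body.has('code_verifier')) {
    findings.push('spa: code_verifier (PKCE) missing');
  }
  return findings;
}
```

An empty result from `checkRedemption` means the request shape matches the platform type the redirect URI is registered under.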

  4. James Hamil 22,186 Reputation points Microsoft Employee
    2021-03-17T21:36:17.177+00:00

    Hi @Owen Coyle, as per this doc, Tool Mastery | One Drive - Alteryx Community, this app "Alteryx" needs to be configured as a web app. That's what I can understand at least from the screenshots in that doc. Updating it to SPA doesn't make sense. The SO article I shared also says the same thing, that it needs a web app and not SPA as the app platform. Please use Web as the app platform type, and if you still get the AADSTS9002326 error, then this case would need troubleshooting and we will have to look deeper based on the correlation ID and timestamp.

    If the Reply URL mismatch is the error, then you can follow the steps mentioned here: https://learn.microsoft.com/en-us/answers/questions/270056/aadsts50011-the-reply-url-specified-in-the-request-17.html

    Please let me know if this helps! If so, please mark this answer as "Verified" so other users may reference it.

    Thank you,
    James


  5. Surve, Siddhant [JJCUS NON-J&J] 1 Reputation point
    2021-04-19T19:04:29.663+00:00

    Hey @James Hamil, I'm facing a similar issue. I have configured the application via Azure as Web for the app platform type and am still getting the AADSTS9002326 error.

    Would it be helpful if I could share the Correlation ID and timestamp for troubleshooting? Any leads on the solution are highly appreciated. Thank you.

    Please help!
