Cross-origin token redemption is permitted only for the 'Single-Page Application' In angular . While genrating token for using graph api in my single page application

Akash Gupta 11 Reputation points
2021-09-02T12:00:49.067+00:00

128666-error.png 

getToken(){  
    var httpHeader = new HttpHeaders({  
      "Content-Type": "application/x-www-form-urlencoded",  
      // "Access-Control-Allow-Origin": "*",  
    })  
    //   
    const body = new URLSearchParams();  
    body.set('grant_type','client_credentials' )  
    body.set('client_id', environment.Ad_directory.clientId)  
    body.set('client_secret', environment.Ad_directory.clientSecret)  
    body.set('resource', environment.Ad_directory.resource);  
         const headers = new HttpHeaders({ 'Content-Type': 'application/x-www-form-urlencoded' });  
   
       console.log(body.toString())  
      return  this.http.post("https://login.microsoftonline.com/"+environment.Ad_directory.tenantId +"/oauth2/token",body.toString(), { headers, observe: 'response' })  
  
  }  
  
}
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,592 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Danstan Onyango 3,741 Reputation points Microsoft Employee
    2021-09-03T07:24:06.207+00:00

    The error you get is because the request has an Origin header suggesting a Public client while AAD expects something else. This is because you are using the Client Credentials Flow which is meant for serve side confidential client applications on a Single Page Application which is a public client.

    You should not be using client credentials flow on SPA because there is no way to secure the client secret. In your case you should be using authorization code flow which is meant for SPAs. If you have to use Client Credential flow, you should move the communication with Graph to serve side.

    3 people found this answer helpful.