ChandanTiwari-2643 asked

SSO login failing for app service with error: Sign In error: ServerError: invalid_request:

Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.
Trace ID: cdf5e372-a1d3-4ef1-b30d-98793dcf1700
Correlation ID: 9d50514a-d55f-48d8-aaf9-0c7b5d3aca52
Timestamp: 2021-10-06 11:26:14Z - Correlation ID: 9d50514a-d55f-48d8-aaf9-0c7b5d3aca52 - Trace ID: cdf5e372-a1d3-4ef1-b30d-98793dcf1700

azure-ad-app-registration, azure-ad-saml-sso, azure-ad-app-development

@ChandanTiwari-2643, just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And if you have any further queries, do let us know.
Thanks,


I have changed the redirect URL to SPA but am still getting the same error. I am using MSAL config as the auth provider. Should that be a problem?

sikumars answered

Hello @ChandanTiwari-2643,

Thanks for reaching out.

Looking at the above correlation ID, it seems that the application (client_id) involved in this flow was registered in Azure AD with the Web app platform type, whereas the token was requested from a JavaScript single-page application (SPA) using the auth code flow.

Therefore, to fix the issue, the application must be configured as a Single-page application instead of the Web app platform in the Azure AD app registration by including a unique reply URL as shown below, or make sure the token request does not include an Origin header if it is being sent from a non-browser client.

To update an existing redirect URI to enable CORS, open the manifest editor and set the type field for your redirect URI to spa in the replyUrlsWithType section.

138219-image.png

Once updated then you would see Single-page application added as authentication platform:

138207-image.png

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
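The manifest setting described in the answer above can be checked offline against an exported manifest. The following is an added example, not part of the original thread and not Microsoft's code: `checkSpaRedirect`, `stripSlash` and the sample manifest are hypothetical, and it assumes the redirect URI the SPA sends must match a `replyUrlsWithType` entry exactly.

```javascript
// Added example: manifest data below is constructed, not taken from the thread.
const sampleManifest = {
  replyUrlsWithType: [
    { url: "https://contoso.example/app", type: "Web" },
    { url: "https://contoso.example/callback/", type: "Spa" },
  ],
};

// Drop trailing slashes so near-miss URIs can be spotted (diagnostic only).
const stripSlash = (s) => String(s).replace(/\/+$/, "");

// Hypothetical helper: report how the redirect URI the SPA sends is registered.
// Assumption: the URI must match a manifest entry exactly, so matching here
// is a strict string comparison.
function checkSpaRedirect(manifest, redirectUri) {
  const entries = Array.isArray(manifest.replyUrlsWithType)
    ? manifest.replyUrlsWithType
    : [];
  const exact = entries.filter((e) => e.url === redirectUri);

  if (exact.length === 0) {
    // Nothing matches exactly: list entries that differ only by a trailing slash.
    const nearMisses = entries
      .filter((e) => stripSlash(e.url) === stripSlash(redirectUri))
      .map((e) => e.url);
    return { status: "not-registered", types: [], nearMisses };
  }

  // Compare case-insensitively; the answer writes the value as "spa".
  const types = exact.map((e) => String(e.type).toLowerCase());
  const status = types.every((t) => t === "spa") ? "ok" : "wrong-type";
  return { status, types, nearMisses: [] };
}

for (const uri of [
  "https://contoso.example/app",
  "https://contoso.example/callback/",
  "https://contoso.example/callback",
]) {
  console.log(uri, JSON.stringify(checkSpaRedirect(sampleManifest, uri)));
}
```

A `wrong-type` result corresponds to the registration state the answer describes; `not-registered` with a near miss means the entry that was edited is not the URI the client actually sends.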



ChandanTiwari-2643 answered

@sikumars-msft I tried changing the redirect URL to SPA but am still getting the same error. It is asking to log in twice and then failing with the same error.
