Getting CORS error when backend application sends refresh token request to Azure

Shilpi Snehi
2022-06-20T20:41:51.11+00:00

Dear Team,

We have recently set up Azure App Proxy for our Siebel backend application. We are receiving the CORS error below when my application sends a preflight request to Azure to refresh the MS access token when it's about to expire.

Access to XMLHttpRequest at 'https://login.microsoftonline.com/a1f1e214-7ded-45b6-81a1-9e8ae3459641/oauth2/authorize?response_type=code&client_id=1291312c-54b4-4d73-a8e5-a63b483fa4fa&scope=openid&nonce=de9bbfb7-8a4c-47af-80b5-960fa3a42937&redirect_uri=https%3a%2f%2fnxgensiebeluat.johnsoncontrols.com%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3anull%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fnxgensiebeluat.johnsoncontrols.com%5c%2fsiebel%5c%2fapp%5c%2fopenservice%5c%2fenu%22%2c%22RequestProfileId%22%3a%222aa3a7bd-febb-4eac-8600-fc0b2088af97%22%2c%22SessionId%22%3a%22fc36d307-7e68-4b7b-95bc-84acd032723d%22%7d%23EndOfStateParam%23&client-request-id=fc36d307-7e68-4b7b-95bc-84acd032723d' (redirected from 'https://nxgensiebeluat.johnsoncontrols.com/siebel/app/openservice/enu') from origin 'https://nxgensiebeluat.johnsoncontrols.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Came across this MS document:
https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-understand-cors-issues#option-3-update-http-headers

where Option 5 is working for us; we have extended the access token lifetime to 8 hours in Prod. But our internal Identity team says this is not a recommendable solution, as there is risk involved in letting the access token be set up for 8 hours.

I wish to know what risk is involved in keeping the access token lifetime at 8 hours.
What is an alternative solution to this CORS issue?

Thanks,
Shilpi

1 answer
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA (Moderator)
2022-06-20T21:48:58.437+00:00

Hello @Shilpi Snehi, Option 5: Extend the lifetime of the access token is the recommended option if the access token expires during the user's Azure AD session. Extending it too much increases its usability in case it gets stolen. To avoid lengthy access token lifetimes, you might reduce the sign-in frequency using Conditional Access.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.
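An added example, not part of the question or the answer above, of a client-side alternative that avoids extending the token lifetime: make the backend call with fetch (instead of XMLHttpRequest) using `redirect: 'manual'`, so the App Proxy's redirect to login.microsoftonline.com comes back as an opaque redirect rather than a CORS failure, and then re-authenticate with a top-level navigation, which is not subject to CORS. The host app.example.com, the injected `fetchImpl` and `navigate` callbacks, and the fake responses are assumptions made so the logic runs outside a browser.

```javascript
// Added example (not from the question or the answer above). Treats the App
// Proxy's cross-origin redirect to the authorize endpoint as "session expired"
// and renews it with a full-page navigation instead of letting the XHR/fetch
// follow the redirect, which is what triggers the CORS block in the question.
// fetchImpl and navigate are injected (assumption) so the code runs without a browser.

const AUTHORIZE_HOST = 'login.microsoftonline.com';

// Decide whether a response means the App Proxy session must be renewed.
// With redirect: 'manual', a redirect is returned as an opaque response
// (type 'opaqueredirect', status 0) rather than surfacing as a CORS error.
function needsReauth(response) {
  if (response.type === 'opaqueredirect') return true;
  // A proxy may also answer with a 3xx whose Location points at the authorize endpoint.
  const headers = response.headers;
  const loc = headers && typeof headers.get === 'function' ? headers.get('location') : null;
  if (loc) {
    try { return new URL(loc).host === AUTHORIZE_HOST; } catch (e) { return false; }
  }
  return false;
}

// Call the backend; if the session has lapsed, hand the browser the app URL so
// the redirect to Azure AD and back happens as a top-level navigation.
// Returns null when a re-authentication was triggered, else the response.
async function callBackend(url, init, fetchImpl, navigate) {
  const response = await fetchImpl(url, { ...init, credentials: 'include', redirect: 'manual' });
  if (needsReauth(response)) {
    navigate(url);   // full-page load: App Proxy redirects to Azure AD, then back to the app
    return null;
  }
  return response;
}

// Constructed stand-alone demonstration: a fake fetch that behaves like the
// App Proxy after the session expired, and a navigate stub that records calls.
async function demo() {
  const navigated = [];
  const fakeFetch = async () => ({ type: 'opaqueredirect', status: 0, headers: new Map() });
  const result = await callBackend('https://app.example.com/siebel/app/openservice/enu',
    { method: 'GET' }, fakeFetch, (u) => navigated.push(u));
  return { result, navigated };   // result === null, navigated.length === 1
}
```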

