OAuth2 CORS call to Azure Web App protected with AAD using only JavaScript


I'm trying to make a CORS request to an Azure web service that is AAD protected. The app making the call has no backend code - just HTML+JS. I use adal.js, I have the setup done (Azure web app, adal.js config), and I'm able to use adal.js to receive a token (I can check it's valid using Advanced REST Client).

The problem is when I try to make the call as below:

    var xhr = new XMLHttpRequest();
    if ("withCredentials" in xhr) {
        // XHR for Chrome/Firefox/Opera/Safari.
        xhr.open(method, url, true);
    } else if (typeof XDomainRequest != "undefined") {
        // XDomainRequest for IE.
        xhr = new XDomainRequest();
        xhr.open(method, url);
    } else {
        // CORS not supported.
        xhr = null;
    }
    if (xhr) {
        // Ask the browser to include credentials (cookies) cross-origin.
        xhr.withCredentials = true;
        xhr.onload = function () { /* ... */ };
        xhr.onerror = function (error) { /* ... */ };
        xhr.send();
    }

I receive

    XMLHttpRequest cannot load <myappurl>. Redirect from <myappurl> to 'https://login.windows.net/<guid>/oauth2/authorize?response_type=code+id_token&redirect_uri=<myappurl>%2f.auth%2flogin%2faad%2fcallback&client_id=<guid>&scope=openid+profile+email&response_mode=form_post&nonce=cdf7754a3d66498baad6809f3de0b0ae_20170910165538&state=redir%3d%252fapi%252fvalues' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:59672' is therefore not allowed access.

I can guess it's because the Authorization header is not passed, so the target app wants to redirect me in order to log in. And in fact there is no Authorization header in the request...

If I try to add such a header manually by adding

    xhr.setRequestHeader("Authorization", "Bearer " + token);

I receive

    XMLHttpRequest cannot load <myappurl>. Response for preflight is invalid (redirect)

I tried multiple tutorials (i.e. article), but there they have backend code and load NuGet packages - I have only HTML + JS.

Dead end. Any ideas how to make it work? Is it possible?

@juunas: I had the same guess - it's something with authentication. Maybe adal.js does not handle it properly? As I wrote: there is no Authorization header in the request... and AFAIK adal.js should handle the request and add such a header (via http://www.cloudidentity.com/blog/2015/02/19/introducing-adal-js-v1/). Config:

    window.config = {
        instance: 'https://login.microsoftonline.com/',
        tenant: '<mytenant>',
        clientId: '<myguid>', // in the old Azure portal it's called: client ID; in the new Azure portal it's the application ID
        postLogoutRedirectUri: window.location.origin,
        cacheLocation: 'sessionStorage', // tried localStorage
        endpoints: {
            // the domain of the API (requests are made to it)
            // and the same client ID as above
            "<myappurl>": "<myguid>"
        }
    };
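
The two browser errors quoted in the question come from two different first requests on the wire; the following is an added example, not code from the original post, that models which one the browser sends and why each ends in a redirect. The names `firstRequest`, `protectedApp`, `diagnose` and `answersPreflight` are hypothetical, and the server model (redirect whenever no Authorization header arrives) is an assumption drawn from the error messages above.

```javascript
// CORS-safelisted methods, header names and Content-Type values (Fetch standard).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-cased names of the request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n !== "content-type") return true;
    return !SAFE_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase()).sort();
}

// First message on the wire: the request itself, or an OPTIONS preflight that
// names the unsafe headers but carries neither their values nor any cookies.
function firstRequest(method, headers, origin) {
  const m = method.toUpperCase();
  const unsafe = unsafeHeaders(headers);
  if (SAFE_METHODS.has(m) && unsafe.length === 0) {
    return { method: m, headers: { ...headers, Origin: origin } };
  }
  return { method: "OPTIONS", headers: {
    Origin: origin,
    "Access-Control-Request-Method": m,
    "Access-Control-Request-Headers": unsafe.join(","),
  } };
}

// Hypothetical model of the protected app (assumption): a request without an
// Authorization header gets a 302 to the login page, unless the server answers
// preflights before authentication (a real 204 also carries Access-Control-Allow-*).
function protectedApp(req, answersPreflight) {
  if (req.method === "OPTIONS" && answersPreflight) return { status: 204 };
  const hasAuth = Object.keys(req.headers).some((h) => h.toLowerCase() === "authorization");
  return hasAuth ? { status: 200 } : { status: 302 };
}

// Outcome as the browser would report it for the attempts in the question.
function diagnose(method, headers, origin, answersPreflight = false) {
  const first = firstRequest(method, headers, origin);
  if (protectedApp(first, answersPreflight).status === 302) {
    return first.method === "OPTIONS" ? "preflight redirected" : "request redirected, no CORS headers";
  }
  // Preflight accepted: the browser now sends the real request with its headers.
  const real = protectedApp({ method, headers }, answersPreflight);
  return real.status === 200 ? "ok" : "request redirected, no CORS headers";
}
```

`diagnose("GET", {}, origin)` corresponds to the first error and `diagnose("GET", { Authorization: "Bearer <token>" }, origin)` to the second; only when the server answers the preflight without requiring authentication does the token-bearing request get through.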
