Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[Bug] Uno - Exchange authorization code for bearer token blocked by CORS in browser
See original GitHub issueWhich Version of MSAL are you using ? 4.14
Platform WebAssembly
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
- Web App
- [ X ] Authorization code
- OBO
- Web API
- OBO
Other? - please describe;
Is this a new or existing app? This is a new app or experiment
Expected behavior Successfully exchange authorization code for bearer token
Actual behavior Exchange blocked by CORS
Additional context/ Logs / Screenshots
I’m using the Uno platform to write an Azure B2C authenticated multi-platform app using auth code flow via PublicClientApplication. While most of the heads (i.e. Android, UWP, etc) work fine using this approach, I’m hitting an issue with the web assembly (WASM) head.
In the WASM project I’m able to show the sign-in page and successfully sign-in, but then hit a CORS error (“Access to fetch at ‘https://{TENANT}.b2clogin.com/tfp/{TENANT}.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/token’ from origin ‘http://localhost:5000’ has been blocked by CORS policy”) when the PublicClientApplication endeavours to swap the authorization code for an access token.
Now given the WASM head is effectively a Single-Page Application, I tried following the instructions for Migrat[ing] a JavaScript single-page app from implicit grant to auth code flow. I added a new Application to my Azure B2C tenant and configured the “Single-page application” platform such that I now see the “Your Redirect URI is eligible for the Authorization Code Flow with PKCE.” notice in the “Grant types” section. It is my understanding that this configuration enables CORS but, even after these changes, I still hit exactly the same CORS issue within my application.
Capturing the session during login reveals that, as per the CORS protocol, the browser is making an OPTIONS request to the token endpoint which is responding with a 404 thereby preventing the POST to the token endpoint for authorization code exchange.
Here’s the session (with the Azure B2C Tenant replaced with ‘{TENANT}’, tokens replaced with ‘{TOKEN}’ and state replaced with ‘{STATE}’):
| Method | Url | Result |
|---|---|---|
| GET | https://{TENANT}.b2clogin.com/tfp/{TENANT}.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/authorize?scope=https%3A%2F%2F{TENANT}.onmicrosoft.com%2Fbackends%2Fread.only+offline_access+openid+profile&response_type=code&client_id=32bfdaf8-cc9f-4011-942d-851911aef544&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fauthentication%2Flogin-callback.htm&client-request-id=293915f0-a719-46a8-8003-bba230c4a49c&x-client-SKU=MSAL.UnoWasm&x-client-Ver=4.4.0.0&x-client-OS=web&prompt=select_account&code_challenge=mTjqNj7n3fMaon2_7HrIzpfGhwLPIwqrpMRCBt47-I4&code_challenge_method=S256&state={STATE} | 200 OK |
| POST | https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/B2C_1_signupandsignin/SelfAsserted?tx=StateProperties={STATE}&p=B2C_1_signupandsignin | 200 OK |
| GET | https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/B2C_1_signupandsignin/api/CombinedSigninAndSignup/confirmed?csrf_token={TOKEN}&tx=StateProperties={STATE}&p=B2C_1_signupandsignin&diags=%7B%22pageViewId%22%3A%228a316cef-e06e-42c2-97a8-9dc9cfcd5d5a%22%2C%22pageId%22%3A%22CombinedSigninAndSignup%22%2C%22trace%22%3A%5B%7B%22ac%22%3A%22T005%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T021%20-%20URL%3Ahttps%3A%2F%2F{TENANT}.b2clogin.com%2Fstatic%2Ftenant%2Ftemplates%2FAzureBlue%2Funified.cshtml%3Fslice%3D001-000%26dc%3DDB3%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A55%7D%2C%7B%22ac%22%3A%22T029%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A13%7D%2C%7B%22ac%22%3A%22T004%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A3%7D%2C%7B%22ac%22%3A%22T019%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A25%7D%2C%7B%22ac%22%3A%22T003%22%2C%22acST%22%3A1591363250%2C%22acD%22%3A52%7D%2C%7B%22ac%22%3A%22T002%22%2C%22acST%22%3A0%2C%22acD%22%3A0%7D%5D%7D | 302 Found |
| GET | http://localhost:5000/authentication/login-callback.htm?state={STATE}&code={TOKEN} | 200 OK |
| OPTIONS | https://{TENANT}.b2clogin.com/tfp/{TENANT}.onmicrosoft.com/b2c_1_signupandsignin/oauth2/v2.0/token | 404 Not Found |
I believe this is likely to be an issue with the Azure B2C service (and I will report an issue to them as soon as I can find an appropriate forum) but was wondering if the above flow looks correct to you?
Thanks, Ian
Issue Analytics
- State:
- Created 3 years ago
- Comments:29 (9 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Just had an update from the Azure AD B2C team: A fix for this issue will be deployed on the 21st August.
Fingers crossed it correctly implements the CORS protocol. I’ll test as soon as the fix has been deployed and update this issue accordingly.
@EdBlacker, the Azure AD B2C team deployed a fix for this issue on Friday. I ran some preliminary tests and it seems to work.
@bgavrilMS, unless @EdBlacker encounters further problems, I believe this issue can be closed now. Thanks for keeping it active while the issue was addressed.