MSAL tokens cause preflight requests

Library

msal@1.x.x or @azure/msal@1.x.x
@azure/msal-browser@2.x.x
@azure/msal-node@1.x.x
@azure/msal-react@1.x.x
@azure/msal-angular@0.x.x
@azure/msal-angular@1.x.x
@azure/msal-angular@2.x.x
@azure/msal-angularjs@1.x.x

Description

When the authentication is done by MSAL (client side) the token is stored in the browser’ storage and not in a cookie. Making requests to 3rd party services like Microsoft Graph with Authorization header yields preflight (OPTIONS) requests that in no time can lead to bottleneck. Getting 1 people info (name + avatar) requires 4 requests. Getting 2 people info requests 8 requests - which are more that most browser limits (6 requests per domain).

Is there any way to use the MSAL but skip the preflight requests? (storing the token in a cookie for example)

Source

Internal (Microsoft)
Customer request

Issue Analytics

State:
Created 3 years ago
Comments:5 (5 by maintainers)

Top GitHub Comments

1reaction

hrazmsftcommented, Mar 15, 2021

I see. Thank you!

0reactions

pkanher617commented, Mar 15, 2021

The Authorization header is not considered a “simple request header”, which is why you are seeing a pre-flight request. I would reach out to the Graph API support to see if there are other ways to avoid these preflight requests, such as sending the authorization information in the query string instead of a header. It’s possible that the browser may cache these preflight requests as well, so I would look into that as well. Unfortunately after retrieving the tokens, there is nothing we can do to stop these options requests. We are looking at making our /token requests simple requests today in order to remove the preflight requests from the token acquisition calls as well.