Microsoft-authentication-library-for-js: Access to fetch at 'https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize' (redirected from 'https://localhost:44368/api/values') from origin 'client domain' has been blocked by CORS policy

Library

• [x] `@azure/[email protected]

Trying to access a custom .NET API hosted in local using IIS express (localhost) and secured with Azure AD using a Single page client application that uses msal-browser for authentication. I get the following error

Access to fetch at 'https://login.microsoftonline.com//oauth2/v2.0/authorize?client_id=xxx4f96-a766-4ec18f91802c&redirect_uri=https%3A%2F%2Flocalhost%3A44368%2F&response_mode=form_post&response_type=id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3xxxxx&nonce=xxxxDJmMmJiMjkx&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0' (redirected from 'https://localhost:44368/api/values') from origin '' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Steps to reproduce

1. Register a azure ad app. Use the quickstart to download the sample from the registered app in the azure portal.

2. This downloads the sample code from https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet with the required config values like client id, tenant id and redirect URI (localhost:44368).

Update the same redirect URI localhost:44368 in the azure ad app registration as well. Add a scope user_impersonation and under implicit grant id tokens is enabled.

Make the required changes to the code downloaded like adding a sample API controller, changes to global.asax to register webapiconfig, decorating the sample controller with Authorize attribute also add EnableCors attribute with origin as SharePoint top level site URL ( Tried with all origins (*) as well).

The api when accessed via browser works fine. asks the user to authenticate and returns response on successful authentication

Create a client app and, add the msal authentication code to access the API.

From the fiddler trace I see the following:

The API endpoint is called successfully with a bearer token. This results in a response "{"Message":"Authorization has been denied for this request."}". This also results in a 302 redirect to the authorization endpoint for a ID token

https://login.microsoftonline.com/oauth2/v2.0/authorize?client_id=xxx&redirect_uri=https%3A%2F%2Flocalhost%3A44368%2F&response_mode=form_post&response_type=id_token&scope=openid%20profile

This redirect results in the error mentioned above. ( CORS issue)

MSAL Config

const msalConfig: msal.Configuration = {
auth: {
clientId: "xxx",
authority:
"https://login.microsoftonline.com/"tenant id"",
redirectUri:
"client application url",
},
system: {
iframeHashTimeout: 10000,
loggerOptions: {
loggerCallback: (level, message, containsPii) => {
if (containsPii) {
return;
}
switch (level) {
case msal.LogLevel.Error:
console.error(message);
return;
case msal.LogLevel.Info:
console.info(message);
return;
case msal.LogLevel.Verbose:
console.debug(message);
return;
case msal.LogLevel.Warning:
console.warn(message);
return;
}
},
},
},
};

Browsers/Environment

• [x] Chrome