Make sure you do not have multiple platforms configured in Azure (e.g. both SPA and Web App).
AADSTS9002326: How to use Single-page App redirect urls
I followed the quickstart guide: Quickstart: Sign in to users and get an access token in a JavaScript SPA using the auth code flow with PKCE. Everything works great until I add a localhost web redirect URI like http://localhost:3030. As soon as I do that, I get the error AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. So, I figure that I then need to enable public client flows, so I turn that on. The next error I get is AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.
I haven't changed my SPA redirect URI and suddenly it won't work when I add the localhost web URI. Why? It seems that other web redirect URIs work fine.
3 answers
Mike Kaply 6 Reputation points
2021-07-08T22:18:47.137+00:00
What API are you using to get the token? If you're using fetch, it adds an Origin: "null" and that seems to cause a problem with the Microsoft endpoint (even though it's correct per the spec).
I found that using XHR and making sure there was no Origin at all fixed this.
I believe this is a Microsoft bug, but I'm not sure how to report it.
-
John 31 Reputation points
2021-09-09T10:57:28.467+00:00
In case someone else encounters this error, check that the URI's type in the Manifest file is Spa and NOT Web. Even if you have set the platform in Authentication to Single-page applications, the URI's type might still be set to Web, which will cause this error.
Check Manifest file!
Good luck.
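
The manifest check described in the answer above can be scripted against an exported copy of the app manifest. This is an added example, not code from any poster in this thread; it assumes the manifest lists redirect URIs under `replyUrlsWithType` as `{ url, type }` objects, and the sample manifest and the `http://localhost:3000/` URI are constructed.

```javascript
// Added example (not from the thread). Assumes the manifest lists redirect
// URIs under `replyUrlsWithType` as { url, type } objects.

// Constructed sample: an SPA URI plus a localhost URI registered as Web.
const sampleManifest = {
  replyUrlsWithType: [
    { url: "http://localhost:3000/", type: "Spa" },
    { url: "http://localhost:3030", type: "Web" },
  ],
};

// Returns a list of { code, detail } findings for the redirect URI the SPA
// actually sends. An empty list means the registration looks consistent.
function auditSpaRedirect(manifest, spaRedirectUri) {
  const entries = Array.isArray(manifest.replyUrlsWithType)
    ? manifest.replyUrlsWithType
    : [];
  const findings = [];

  // This example compares exact strings, so a trailing slash is a difference.
  const matches = entries.filter((e) => e.url === spaRedirectUri);
  if (matches.length === 0) {
    findings.push({ code: "NOT_REGISTERED", detail: spaRedirectUri });
  }
  for (const e of matches) {
    if (e.type !== "Spa") {
      findings.push({ code: "WRONG_TYPE", detail: `${e.url} is typed ${e.type}` });
    }
  }

  // More than one platform type on the same registration.
  const types = [...new Set(entries.map((e) => e.type))].sort();
  if (types.includes("Spa") && types.length > 1) {
    findings.push({ code: "MIXED_PLATFORMS", detail: types.join(", ") });
  }
  return findings;
}

// Convenience wrapper: finding codes as one comma-separated string.
const codes = (m, uri) => auditSpaRedirect(m, uri).map((f) => f.code).join(",");
console.log(codes(sampleManifest, "http://localhost:3030"));
```
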