AADSTS9002326: How to use Single-page App redirect urls

Mr Rogers 11 Reputation points Microsoft Employee
2021-05-06T19:51:43.65+00:00

I followed the quickstart guide: Quickstart: Sign in to users and get an access token in a JavaScript SPA using the auth code flow with PKCE. Everything works great until I add a localhost web redirect URI like http://localhost:3030. As soon as I do that, I get the error AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’. So, I figure that I then need to enable public client flows, so I turn that on. The next error I get is AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.

I haven't changed my SPA redirect URI and suddenly it won't work when I add the localhost web URI. Why? It seems that other web redirect URIs work fine.


3 answers

  1. John 31 Reputation points
    2021-09-09T10:57:28.467+00:00

    In case someone else encounters this error, check the URIs type in the Manifest file to be Spa and NOT Web. Even if you have set the platform in Authentication to Single-page applications, the URIs type might still be set to Web which will cause this error.

    Check Manifest file!

    Good luck.

    6 people found this answer helpful.

  2. Dinos Konstantinou 6 Reputation points
    2021-05-09T15:09:32.31+00:00

    Make sure you do not have multiple platforms configured in Azure (e.g. both SPA and Web App).

    1 person found this answer helpful.
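The two answers above both come down to how the redirect URIs are typed in the app registration manifest. The following is an added example, not code from the question or from any of the answers: it reads the manifest's `replyUrlsWithType` array (entries of `{ url, type }` where `type` is `Web`, `Spa` or `InstalledClient`), reports every `Web` entry and any mixed SPA/Web configuration, and produces a corrected copy with the `Web` entries retyped to `Spa`. The sample manifest excerpt is constructed to mirror the asker's setup (a `Spa` redirect plus `http://localhost:3030` added as `Web`, with public client flows turned on); the `appId` is a placeholder and the function names `auditRedirectUris` and `retypeWebAsSpa` are my own.

```javascript
// Added example (not from the thread): audit an Azure AD app manifest for the
// redirect URI type mismatch behind AADSTS9002326.
// Assumption: the manifest carries "replyUrlsWithType", an array of
// { url, type } objects with type "Web", "Spa" or "InstalledClient".

// Constructed sample manifest excerpt; appId is a placeholder value.
const sampleManifest = {
  appId: "00000000-0000-0000-0000-000000000000",
  allowPublicClient: true, // the asker's attempted workaround
  replyUrlsWithType: [
    { url: "http://localhost:3000", type: "Spa" }, // the quickstart's SPA redirect
    { url: "http://localhost:3030", type: "Web" }  // the URI added on the Web platform
  ]
};

// Group redirect URIs by type and list the findings a reviewer would raise.
function auditRedirectUris(manifest) {
  const entries = Array.isArray(manifest.replyUrlsWithType) ? manifest.replyUrlsWithType : [];
  const byType = { Spa: [], Web: [], InstalledClient: [], other: [] };
  for (const entry of entries) {
    (byType[entry.type] || byType.other).push(entry.url);
  }

  const findings = [];
  // Answer 2: more than one platform configured (SPA and Web together).
  if (byType.Spa.length > 0 && byType.Web.length > 0) {
    findings.push(`mixed platforms: ${byType.Spa.length} Spa and ${byType.Web.length} Web redirect URIs`);
  }
  // Answer 1: any URI typed Web cannot be used for cross-origin code redemption.
  for (const url of byType.Web) {
    findings.push(`"${url}" is type Web; a browser app redeeming the auth code there gets AADSTS9002326`);
  }
  // Enabling public client flows does not change the URI type, so it does not help here.
  if (manifest.allowPublicClient === true && byType.Web.length > 0) {
    findings.push("allowPublicClient is true, but the Web-typed URI is still rejected for cross-origin redemption");
  }
  return { byType, findings };
}

// Return a copy of the manifest with every Web redirect URI retyped to Spa.
// The original object is left untouched so the caller can diff the two.
function retypeWebAsSpa(manifest) {
  const entries = Array.isArray(manifest.replyUrlsWithType) ? manifest.replyUrlsWithType : [];
  return {
    ...manifest,
    replyUrlsWithType: entries.map((entry) =>
      entry.type === "Web" ? { ...entry, type: "Spa" } : { ...entry }
    )
  };
}

// Usage: audit the sample, then confirm the corrected copy is clean.
console.log(JSON.stringify(auditRedirectUris(sampleManifest).findings, null, 2));
console.log(JSON.stringify(auditRedirectUris(retypeWebAsSpa(sampleManifest)).findings));
```

Run it with `node` against a manifest downloaded from the portal's Manifest blade (replace `sampleManifest` with the parsed JSON). Retyping to `Spa` is only the right fix when every listed URI really belongs to the browser app; a URI that a confidential server-side client genuinely uses should stay `Web` and be registered on a separate app registration instead.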

  3. Mike Kaply 6 Reputation points
    2021-07-08T22:18:47.137+00:00

    What API are you using to get the token? If you're using fetch, it adds an Origin: "null" and that seems to cause a problem with the Microsoft endpoint (even though it's correct per the spec).

    I found that using XHR and making sure there was no Origin at all fixed this.

    I believe this is a Microsoft bug, but I'm not sure how to report it.