I have registered two apps using "App Registrations" in Azure AD: one as an SPA and the other as a Web API. (Both of them are configured for implicit grant flow.)
My SPA is developed using React and I am using "react-aad-msal". When I try to access the UI, I get the login and receive the ID and access tokens as expected.
From the UI I am trying to access the REST endpoints exposed by the Web API, and that is when I get the CORS error:
Access to XMLHttpRequest at 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=<CLIENT_ID>&scope=openid%20https://graph.microsoft.com/user.read&state=<STATE_ID>&redirect_uri=https://<MY_APP_DOMAIN>/datamallservice/login/oauth2/code/azure' (redirected from 'https://<MY_APP_DOMAIN>/appservice/getinfo') from origin 'https://www.mydomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
My SPA and Web API are both deployed behind the same ALB and have the same domain name.
I checked the request headers while the SPA is trying to make a REST call to the Web API. The request has the "authorization" header with the value "Bearer <TOKEN>" (which I am setting using the idtoken value I got in the UI), and I also see that the response header "access-control-allow-origin" is set to "*".
Not sure why I am getting the CORS error.
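
The browser message quoted in the question can be taken apart to show which URL the CORS check was actually applied to. This is an added example, not part of the original post: `analyzeCorsError` is a hypothetical helper, and `api.example.test`, `CLIENT_ID` and `STATE_ID` are constructed stand-ins for the redacted values.

```javascript
// Constructed sample: the console message from the post, with placeholder values
// (api.example.test, CLIENT_ID, STATE_ID) in place of the redacted ones.
const SAMPLE_MESSAGE =
  "Access to XMLHttpRequest at 'https://login.microsoftonline.com/common/oauth2/authorize" +
  "?response_type=code&client_id=CLIENT_ID&scope=openid%20https://graph.microsoft.com/user.read" +
  "&state=STATE_ID&redirect_uri=https://api.example.test/datamallservice/login/oauth2/code/azure' " +
  "(redirected from 'https://api.example.test/appservice/getinfo') " +
  "from origin 'https://www.mydomain.com' has been blocked by CORS policy: " +
  "Response to preflight request doesn't pass access control check: " +
  "No 'Access-Control-Allow-Origin' header is present on the requested resource.";

// Hypothetical helper: split a Chrome-style CORS error into the URL the page asked for,
// the URL the check failed on, and whether that URL is an OAuth authorization request.
function analyzeCorsError(message) {
  const m = message.match(
    /Access to (\S+) at '([^']+)'(?: \(redirected from '([^']+)'\))? from origin '([^']+)'/
  );
  if (!m) return null; // not a CORS message in the expected shape
  const [, api, blocked, redirectedFrom, origin] = m;
  const blockedUrl = new URL(blocked);
  const requestedUrl = new URL(redirectedFrom || blocked);
  const params = blockedUrl.searchParams;
  // An OAuth 2.0 authorization request carries response_type, client_id and redirect_uri.
  const isAuthorizationRequest =
    params.has("response_type") && params.has("client_id") && params.has("redirect_uri");
  return {
    api,
    pageOrigin: origin,
    requestedUrl: requestedUrl.origin + requestedUrl.pathname,
    blockedHost: blockedUrl.host,
    wasRedirected: Boolean(redirectedFrom),
    // True when the requested endpoint answered with a redirect to a login flow
    // on another host, so the failing CORS check belongs to that host.
    redirectedToLogin:
      Boolean(redirectedFrom) && isAuthorizationRequest && blockedUrl.host !== requestedUrl.host,
    responseType: params.get("response_type"),
    callbackPath: isAuthorizationRequest ? new URL(params.get("redirect_uri")).pathname : null,
  };
}

console.log(analyzeCorsError(SAMPLE_MESSAGE));
```

For the sample message, `redirectedToLogin` is true: the request for `/appservice/getinfo` was answered with a redirect, and the check that failed was on the response from `login.microsoftonline.com`.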