This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 35%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELP%3C/text%3E%3C/svg%3E)
Hi,
I have an application that was working correctly until yesterday. Today, all of sudden with no change done on my side, it started to fail trying to access the metadata endpoint (.well-known/openid-configuration) with CORS.
It's not a matter of the metadata endpoint url being wrong because I haven't changed it and it was working yesterday. Also, if I copy the metadata endpoint url and access it directly in the browser, it loads correctly, but from the application is always giving CORS error.
I checked with Fiddler and the preflight request for the metadata endpoint is returning 404 which is causing the CORS issue.
Has something changed in AAD B2C which is causing this issue? I can't authenticate in the app locally because of this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 24%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEL%3C/text%3E%3C/svg%3E)
Hi Leo,
to me happend exactly the same today, before i moved anything on the website configuration.
I would recommend you to test the B2C Workflow ,there on B2C and i got the same problem.
later same day everything worked again... any thoughts?
What could the insights trouble here?
if you are calling your website from other website then i would relate this to CORS, but i dont think that was the case
It turned out to be Application Insights client enableCorsCorrelation setting was adding the correlation header to every request, which the OIDC metadata endpoint does not support. By adding the AAD B2C tenant domain to the correlationHeaderExcludedDomains setting, or by setting the correlationHeaderDomains instead with the domains to include, the issue is solved.
Great! Thank you for sharing the resolution.
Hi @Leosvel Perez Espinosa , Could you please try with below CORS settings and test if it is working.
-----------------------------------------------------------------------------------------------------------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
Hi @AmanpreetSingh-MSFT , thanks for replying.
That screenshot doesn't seem to be for the Azure AD B2C portal. My issue is trying to access the Azure AD B2C OpenId metatada endpoint https://<tenant-id>.b2clogin.com/<tenant-id>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration (I have the tenant-id and policy placeholder correctly replaced in my config).
I was using it fine until today. I have the redirect url "http://localhost:4200" configured correctly as it has been up until now.
@Leosvel Perez Espinosa Understood. I don't think there is anything changed with respect to that. I can access my OIDC metadata using below link:
https://amsin.b2clogin.com/amsin.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration
Could you please try to access your metadata from any browser. If it doesn't work, please let me know, I will look into it.
@AmanpreetSingh-MSFT as I said in the original post, I'm able to access the OIDC metadata if I enter the url in the browser, but I'm not able to get it from the app itself which executes a GET request to obtain it. The preflight (OPTION) request is returning 404 causing the CORS error.
This was working up to yesterday and with no change on my side, it stopped working today.
To give a bit more of context, the problem is only on localhost, the app is deployed in an ".azurewebsites.net" domain and it works fine there. But it doesn't work in localhost, I have triple-checked the metadata url used in both and it's the exact same one, the code is exactly the same as well, the only difference is the host.
@AmanpreetSingh-MSFT I managed to pinpoint the issue. When I said above that I was running in localhost with the same code I wasn't completely accurate. I was referring to the authentication code being exactly the same, but I do have other changes.
The issue arise when I enable Application Insights tracking in my web application.
When it's enabled I noticed the failing OPTION request sends the following among the headers:
Access-Control-Request-Headers: request-id
So, I'm assuming the request-id is not allowed by the OIDC metadata endpoint and therefore the CORS occurs.
Is that the case? If that's the case, shouldn't it be allowed? I'd expect to be able to track all dependencies including AAD B2C.
And BTW, yesterday Application Insights was working fine, I was able to see the transactions (look at the date range):
@AmanpreetSingh-MSFT I went deeper and the issue occurs only when I set the ApplicationInsights client setting enableCorsCorrelation to true. That's why yesterday everything was working fine, because I didn't have that setting set to true.
With that in place, if I now set correlationHeaderExcludedDomains to exclude the <tenant-id>.b2clogin.com domain, it won't set the correlation header to that call and everything works.