LeosvelPerezEspinosa-6974 asked ·

Azure AD B2C: CORS issue with the metadata endpoint when trying to access from localhost

Hi,

I have an application that was working correctly until yesterday. Today, all of a sudden, with no change on my side, it started to fail with a CORS error when trying to access the metadata endpoint (.well-known/openid-configuration).
It's not a matter of the metadata endpoint URL being wrong, because I haven't changed it and it was working yesterday. Also, if I copy the metadata endpoint URL and access it directly in the browser, it loads correctly, but from the application it always gives a CORS error.

I checked with Fiddler and the preflight request for the metadata endpoint is returning 404 which is causing the CORS issue.

Has something changed in AAD B2C which is causing this issue? I can't authenticate in the app locally because of this.

Tags: azure-active-directory, azure-ad-b2c

LeosvelPerezEspinosa-6974 answered ·

It turned out that the Application Insights client's enableCorsCorrelation setting was adding the correlation header to every request, which the OIDC metadata endpoint does not support. Adding the AAD B2C tenant domain to the correlationHeaderExcludedDomains setting, or instead setting correlationHeaderDomains with the domains to include, solves the issue.


Great! Thank you for sharing the resolution.

1 Vote 1 · ·
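
The cause and fix described in the answer above, as an added example that is not part of the original post and is not the Application Insights SDK's own code: a simplified JavaScript model of when an added correlation header turns the cross-origin metadata GET into a preflighted request, run against the failing config and both corrected ones. The tenant `contoso`, the policy name, the host `api.contoso.example` and the wildcard matching rule are constructed assumptions.

```javascript
// Added example: a simplified model, not the Application Insights SDK's own code.
// Request headers outside this (abbreviated) safelist make the browser send an OPTIONS preflight.
const CORS_SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Turn a domain pattern such as "*.b2clogin.com" into an anchored regex (assumed matching rule).
function domainPattern(pattern) {
  const escaped = pattern.toLowerCase().replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

const matchesAny = (host, list) => (list || []).some((p) => domainPattern(p).test(host));

// Headers the telemetry client would add to a cross-origin request to `host`.
function correlationHeaders(config, host) {
  if (!config.enableCorsCorrelation) return [];
  const included = config.correlationHeaderDomains;
  if (included && !matchesAny(host, included)) return [];                   // allow-list in use
  if (matchesAny(host, config.correlationHeaderExcludedDomains)) return []; // deny-list hit
  return ["Request-Id"]; // one of the correlation header names; not CORS-safelisted
}

// True when a GET from pageOrigin to url is preflighted because of an added header.
function needsPreflight(config, pageOrigin, url) {
  const target = new URL(url);
  if (target.origin === new URL(pageOrigin).origin) return false; // same origin: no CORS
  return correlationHeaders(config, target.hostname.toLowerCase())
    .some((h) => !CORS_SAFELISTED.has(h.toLowerCase()));
}

// Constructed sample values: tenant "contoso", policy "B2C_1_signin", API host.
const PAGE = "http://localhost:4200";
const METADATA_URL = "https://contoso.b2clogin.com/contoso.onmicrosoft.com/" +
  "B2C_1_signin/v2.0/.well-known/openid-configuration";

const before = { enableCorsCorrelation: true };
const fixedByExclude = { enableCorsCorrelation: true,
  correlationHeaderExcludedDomains: ["*.b2clogin.com"] };
const fixedByInclude = { enableCorsCorrelation: true,
  correlationHeaderDomains: ["api.contoso.example"] };

for (const [name, cfg] of Object.entries({ before, fixedByExclude, fixedByInclude })) {
  console.log(name, "-> metadata GET preflighted:", needsPreflight(cfg, PAGE, METADATA_URL));
}
```
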
amanpreetsingh-msft answered ·

Hi @LeosvelPerezEspinosa-6974, could you please try the CORS settings below and test whether it works?

[Screenshot: 8595-untitled.png]

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.



Hi @amanpreetsingh-msft, thanks for replying.

That screenshot doesn't seem to be for the Azure AD B2C portal. My issue is trying to access the Azure AD B2C OpenId metadata endpoint https://<tenant-id>.b2clogin.com/<tenant-id>.onmicrosoft.com/<policy>/v2.0/.well-known/openid-configuration (I have the tenant-id and policy placeholders correctly replaced in my config).
I was using it fine until today. I have the redirect URL "http://localhost:4200" configured correctly, as it has been up until now.

0 Votes 0 · ·
amanpreetsingh-msft replied to LeosvelPerezEspinosa-6974 ·

@LeosvelPerezEspinosa-6974 Understood. I don't think anything has changed with respect to that. I can access my OIDC metadata using the link below:
https://amsin.b2clogin.com/amsin.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration

Could you please try to access your metadata from any browser? If it doesn't work, please let me know and I will look into it.

0 Votes 0 · ·

@amanpreetsingh-msft as I said in the original post, I'm able to access the OIDC metadata if I enter the URL in the browser, but I'm not able to get it from the app itself, which executes a GET request to obtain it. The preflight (OPTIONS) request is returning 404, causing the CORS error.

This was working up to yesterday and with no change on my side, it stopped working today.

To give a bit more context, the problem is only on localhost. The app is deployed in an ".azurewebsites.net" domain and it works fine there, but it doesn't work on localhost. I have triple-checked the metadata URL used in both and it's the exact same one, and the code is exactly the same as well; the only difference is the host.

0 Votes 0 · ·