AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

MSAL tokens cause preflight requests #3216

Closed hrazmsft closed 3 years ago

hrazmsft commented 3 years ago

Description

When the authentication is done by MSAL (client side) the token is stored in the browser's storage and not in a cookie. Making requests to 3rd party services like Microsoft Graph with an Authorization header yields preflight (OPTIONS) requests that in no time can lead to a bottleneck. Getting 1 person's info (name + avatar) requires 4 requests. Getting 2 people's info requires 8 requests - which is more than most browser limits (6 requests per domain).

Is there any way to use the MSAL but skip the preflight requests? (storing the token in a cookie for example)

pkanher617 commented 3 years ago

@hrazmsft MSAL doesn't make requests to 3rd party services. The only requests made by MSAL are to the authority specified to retrieve tokens. This is most likely something you are doing in your app.

The reason you are seeing OPTIONS preflight requests is because there are headers in the request you are making to the Graph endpoint that contain headers that aren't considered as part of a CORS simple request. I suggest reviewing these requests and see if you can ensure that the headers being sent are required.

hrazmsft commented 3 years ago

Yes I know all of that. I'm asking if there is a way to use the token in a different way, for example as a cookie, to avoid sending headers and triggering preflight requests...

hrazmsft commented 3 years ago

For example, in your NextJS example, you inject the token from MSAL to the Authorization header, which triggers preflight requests. Is there any way to avoid it with MSAL?

pkanher617 commented 3 years ago

The Authorization header is not considered a "simple request header", which is why you are seeing a preflight request. I would reach out to the Graph API support to see if there are other ways to avoid these preflight requests, such as sending the authorization information in the query string instead of a header. It's possible that the browser may cache these preflight requests as well, so I would look into that as well. Unfortunately after retrieving the tokens, there is nothing we can do to stop these OPTIONS requests. We are looking at making our /token requests simple requests today in order to remove the preflight requests from the token acquisition calls as well.

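The rule pkanher617 is describing is the Fetch spec's CORS "simple request" definition: the browser skips the preflight only when the method and every header are CORS-safelisted, and `Authorization` never is. The following is an added example, not MSAL's or the thread's code, that classifies a request the same way the browser does (simplified: it checks the safelisted methods, header names, Content-Type essence and the 128-byte value cap, not the per-header character rules) and runs it over a constructed Graph call with a placeholder bearer token.

```javascript
// Added example (not MSAL's code): decide whether a cross-origin fetch would be a
// CORS "simple request" or would trigger an OPTIONS preflight, following the
// Fetch spec's CORS-safelisted method/header rules (simplified, see lead-in).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns { preflight: boolean, reasons: string[] } for a method and a header map.
function classifyRequest(method, headers) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not CORS-safelisted`);
  }
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (!SAFE_HEADERS.has(name)) {
      // Authorization, X-Requested-With, custom headers, etc. all land here.
      reasons.push(`header ${rawName} is not CORS-safelisted`);
      continue;
    }
    // Even a safelisted header loses its status when its value exceeds 128 bytes.
    if (new TextEncoder().encode(value).length > 128) {
      reasons.push(`header ${rawName} value exceeds 128 bytes`);
      continue;
    }
    if (name === "content-type") {
      // Only the MIME essence counts; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) {
        reasons.push(`Content-Type ${essence} is not CORS-safelisted`);
      }
    }
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample: the Graph call from the thread with the MSAL token in the
// Authorization header (placeholder value), versus a plain GET with no custom header.
const withBearer = classifyRequest("GET", {
  Authorization: "Bearer <placeholder-access-token>",
  Accept: "application/json",
});
const plainGet = classifyRequest("GET", { Accept: "application/json" });
// withBearer.preflight === true; plainGet.preflight === false
```

Whether the browser reuses a preflight result is governed by the server's `Access-Control-Max-Age` response header, and the preflight cache is keyed per URL, so each distinct Graph endpoint still pays its own OPTIONS round trip the first time.
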
hrazmsft commented 3 years ago

I see. Thank you!