cloudentity / oauth2c

User-friendly OAuth2 CLI
https://cloudentity.github.io/oauth2c/
Apache License 2.0
741 stars 29 forks

Redeeming authorization code for token fails in v1.14 (MS Entra - Web Application) #109

Closed andoks closed 3 months ago

andoks commented 3 months ago

Authenticating using oauth2c when application is configured as "web" in MS Entra fails using v1.14 with the error AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'http://localhost:9876'. Trace ID:....

The same configuration works with v1.13, leading me to believe this is caused by the change introduced in https://github.com/cloudentity/oauth2c/pull/108. I suspect MS Entra errors out if the Origin header is set and the application is of "web" type instead of "single page application" type.

andoks commented 3 months ago

Assuming it is the cause of the issue, may I suggest adding a flag for setting the origin in the token request, perhaps with two modes --request-token-with-origin = use default origin, --request-token-with-origin="http://example.com" = use specified value as origin.

EDIT: I reverted the change in #108 and request started working.

mbilski commented 3 months ago

Hi @andoks

In https://github.com/cloudentity/oauth2c/commit/f6c72a2eb944cbb088fba2c4caae5336120612d0 I'm adding the Origin header only if the auth method is None.

I think this way we can solve both issues without introducing any new flags.
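The approach mbilski describes, written out here as an added illustrative example (not oauth2c's own code from the linked commit): a token-request builder that attaches the Origin header only when the client authentication method is none, so a confidential "web" client registered in MS Entra never triggers the cross-origin redemption check. The struct, function and constant names, the endpoint URL and the sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ClientAuthMethod names the token-endpoint authentication method.
// Values follow the OIDC registration vocabulary; the type is assumed here.
type ClientAuthMethod string

const (
	AuthNone              ClientAuthMethod = "none"
	AuthClientSecretBasic ClientAuthMethod = "client_secret_basic"
	AuthClientSecretPost  ClientAuthMethod = "client_secret_post"
)

// TokenRequestConfig holds what is needed to redeem an authorization code
// (hypothetical shape for this example).
type TokenRequestConfig struct {
	TokenEndpoint string
	ClientID      string
	ClientSecret  string
	AuthMethod    ClientAuthMethod
	RedirectURI   string
	Origin        string // the CLI's local callback origin, e.g. http://localhost:9876
}

// BuildTokenRequest assembles the authorization_code exchange. The Origin
// header is set only for public clients (auth method "none"): a request that
// carries Origin looks like a browser cross-origin redemption, which some
// servers (MS Entra in this issue) only allow for SPA-type registrations.
func BuildTokenRequest(cfg TokenRequestConfig, code, codeVerifier string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", cfg.RedirectURI)
	if codeVerifier != "" {
		form.Set("code_verifier", codeVerifier) // PKCE
	}

	switch cfg.AuthMethod {
	case AuthNone:
		form.Set("client_id", cfg.ClientID)
	case AuthClientSecretPost:
		form.Set("client_id", cfg.ClientID)
		form.Set("client_secret", cfg.ClientSecret)
	}

	req, err := http.NewRequest(http.MethodPost, cfg.TokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")

	if cfg.AuthMethod == AuthClientSecretBasic {
		// RFC 6749 section 2.3.1: credentials are form-encoded before Basic auth.
		req.SetBasicAuth(url.QueryEscape(cfg.ClientID), url.QueryEscape(cfg.ClientSecret))
	}

	// The fix from the thread: only public clients get the Origin header.
	if cfg.AuthMethod == AuthNone && cfg.Origin != "" {
		req.Header.Set("Origin", cfg.Origin)
	}
	return req, nil
}

// HasOrigin reports whether a built request carries an Origin header.
func HasOrigin(req *http.Request) bool {
	return req.Header.Get("Origin") != ""
}

func main() {
	// Constructed sample config: a confidential "web" client, as in the issue.
	cfg := TokenRequestConfig{
		TokenEndpoint: "https://login.example.test/oauth2/token", // assumed URL
		ClientID:      "example-cli",
		ClientSecret:  "example-secret",
		AuthMethod:    AuthClientSecretBasic,
		RedirectURI:   "http://localhost:9876/callback",
		Origin:        "http://localhost:9876",
	}
	req, err := BuildTokenRequest(cfg, "constructed-code", "constructed-verifier")
	if err != nil {
		panic(err)
	}
	fmt.Println("web client sends Origin:", HasOrigin(req))
	cfg.AuthMethod = AuthNone
	req, _ = BuildTokenRequest(cfg, "constructed-code", "constructed-verifier")
	fmt.Println("public client sends Origin:", HasOrigin(req))
}
```

With the confidential client the request carries Basic credentials and no Origin; switching the same config to the none method yields client_id in the form body plus the Origin header, which is the only case where the header is useful.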

andoks commented 3 months ago

Thanks! It seems to have fixed the issue for me :+1: