The logic that fetches an initial access_token has a fall back/retry path for SPA applications which need an 'origin' header. For the part that fetches a refresh token, this fall back was not there. Instead, an 'origin' would always be set for Azure endpoints but this causes issues with application that use the 'Mobile and desktop applications' platform authentication which will throw an error if an 'origin' header is set. This change should fix this issue by tackling both paths in the same way.
Changes
The logic that fetches an initial access_token has a fall back/retry path for SPA applications which need an 'origin' header. For the part that fetches a refresh token, this fall back was not there. Instead, an 'origin' would always be set for Azure endpoints but this causes issues with application that use the 'Mobile and desktop applications' platform authentication which will throw an error if an 'origin' header is set. This change should fix this issue by tackling both paths in the same way.
Tests
make test
run locallymake fmt
applied