CORS for token endpoint
For SPA Native applications, for instance Ionic/Cordova apps, it seems convenient to use code grant with PKCE flows.
In this kind of app, the requests are performed by the embedded browser, not by the native OS. When the apps try to redeem the code to get the tokens, an error appears because the /token endpoint doesn't enable CORS.
Is there any plan to allow CORS configuration in Azure AD as it has been already implemented in ADFS 2019 (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server#suppport-for-building-modern-line-of-business-apps)?
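The failure described in the post above, modelled as an added example (not part of the original post and not Microsoft or MSAL code): a simplified version of the browser-side CORS checks from the Fetch standard, applied to a PKCE code redemption. The host `login.example.test`, the `http://localhost` webview origin, the function names and all parameter values are constructed placeholders, and the request is assumed to be sent without cookies.

```javascript
// Added example. Simplified model of browser CORS handling; all values are constructed.
const SAFELISTED_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SAFELISTED_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Token request an SPA sends to redeem an authorization code (RFC 6749 + RFC 7636).
// Header names are kept lowercase so the checks below can look them up directly.
function buildTokenRequest(tokenEndpoint, { clientId, code, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier, // PKCE proof, replaces a client secret
  });
  return {
    url: tokenEndpoint,
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// A GET/HEAD/POST with only safelisted headers and a safelisted content type
// is sent directly, without an OPTIONS preflight.
function needsPreflight(req) {
  const names = Object.keys(req.headers).map((h) => h.toLowerCase());
  const type = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  const simple =
    ["GET", "HEAD", "POST"].includes(req.method) &&
    names.every((h) => SAFELISTED_HEADERS.includes(h)) &&
    (!type || SAFELISTED_TYPES.includes(type));
  return !simple;
}

// Script may read a cross-origin response only if Access-Control-Allow-Origin
// names the page origin (or is "*", valid here because no credentials are sent).
function scriptCanReadResponse(pageOrigin, req, responseHeaders) {
  if (new URL(req.url).origin === pageOrigin) return true; // same-origin, CORS not involved
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

const SAMPLE_REQUEST = buildTokenRequest("https://login.example.test/oauth2/token", {
  clientId: "00000000-0000-0000-0000-000000000000",
  code: "SAMPLE_AUTH_CODE",
  redirectUri: "http://localhost/callback",
  codeVerifier: "SAMPLE_CODE_VERIFIER_VALUE_OF_AT_LEAST_43_CHARACTERS",
});
```

In this model the redemption POST needs no preflight, so it leaves the webview, but without an `Access-Control-Allow-Origin` header on the response the tokens are never exposed to the app's script.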
This is now under development – you can track progress in the MSAL.JS issue tracker here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1000
Sébastien sougnez commented
Hello, any advance on this?
Could we just get this on the server end on the token endpoint?
IYYAPPAN AMIRTHALINGAM commented
Any update?
Using code grant with PKCE has been best current practice for more than a year now, also for SPAs.
We really need Azure AD and Azure AD B2C to support CORS on the token endpoint.
Stefan Fuhrmann commented
We have just started the development of an Ionic app and want to use Azure AD B2C, but this CORS issue is stopping us from getting a token out of the authorization code using the token endpoint.
It would be great if it would be possible to set these CORS options on the B2C configuration page in the Azure portal.
Daniel Zientek commented
Any update on this? This is really needed.
We really need this as well!
Chris Atkin commented
This is very important for us, as CORS support on the token endpoint would allow us to move away from implicit flow, receive groups in the token, and mitigate URL length limits by not having tokens in the URL.