Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Damian

My feedback

  1. 194 votes

    22 comments  ·  Azure Active Directory » Application Proxy

    We are looking at enabling a feature that focuses on supporting CORS preflight requests between two applications. This works by allowing you to configure the response and have App Proxy handle it on behalf of the app.

    A prerequisite for this feature to work is that the user must be able to authenticate into the second application in order to avoid a CORS issue from the login flow into the second app.
    To avoid this, the user will have to make sure they have already accessed the 2nd application before the CORS request and have valid credentials. This should work for wildcard apps and can also be achieved by adding a fake link / image to the 2nd application in the first application.

    We would love to get your feedback on this requirement and if this is something that will fit your use case.

    Damian commented  · 

    Not sure if the above 5 Nov proposed solution improves anything.
    The requirement of the proposal of going to the second application first is our current workaround without CORS support in app proxy.

    The above proposal's prerequisite bypasses the CORS issue; it does not solve it.

    For example:
    Applications A and B are published through app proxy on domains A and B.

    1.) Access application A on domain A
    2.) Application A does an AJAX call with an Origin header to application/web services B on domain B
    3.) App proxy sees no Azure app proxy cookies for domain B, and issues a 302 redirect to login.microsoft.com without CORS headers
    4.) Browser doesn't follow the redirect

    vs

    2.) Access application B on domain B. Browser caches app proxy cookies for this domain
    1.) Access application A on domain A
    2.) Application A does an AJAX call with an Origin header, with app proxy COOKIES, to application/web services B on domain B
    3.) App proxy sees Azure app proxy cookies for domain B, and app proxy passes the request through to domain B

    The issue is the browser is not trusting login.microsoft.com in an AJAX request introduced by app proxy.

    I think the proposal should be: when app proxy handles a request to an app domain that contains an Origin header, but has not authenticated, the issued 302 redirect to login.microsoft.com should contain the CORS Allow in the response.

    Thank you

    Damian supported this idea  · 
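
The two request sequences in Damian's comment, plus the redirect behaviour he proposes, as a simplified model added here (not code from the thread, from App Proxy or from any browser). The origin `https://a.example` and the cookie name `proxy-session` are constructed placeholders, and the model assumes application B already answers with CORS headers for A.

```javascript
// Added example: simplified model, not browser or App Proxy source code.
const APP_A = 'https://a.example';             // constructed origin of application A
const LOGIN = 'https://login.microsoft.com/';  // redirect target named in the comment
const SESSION = 'proxy-session';               // hypothetical proxy cookie name for domain B

// Check a browser applies to every response of a credentialed cross-origin
// request, redirect responses included. With cookies attached, the allowed
// origin must match exactly and Allow-Credentials must be "true".
function passesCorsCheck(origin, headers) {
  return headers['access-control-allow-origin'] === origin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Stand-in for the proxy in front of application B. Assumes B itself answers
// with CORS headers for A. corsOnRedirect models the change the comment asks for.
function proxyForB(request, corsOnRedirect) {
  const cors = {
    'access-control-allow-origin': request.origin,
    'access-control-allow-credentials': 'true',
  };
  if (request.cookies.includes(SESSION)) {
    return { status: 200, headers: cors };   // authenticated: passed through to B
  }
  const headers = corsOnRedirect ? { ...cors, location: LOGIN } : { location: LOGIN };
  return { status: 302, headers };           // unauthenticated: redirect to login
}

// What script in application A observes for one AJAX call to domain B.
function ajaxFromAtoB(cookiesForB, corsOnRedirect = false) {
  const response = proxyForB({ origin: APP_A, cookies: cookiesForB }, corsOnRedirect);
  if (!passesCorsCheck(APP_A, response.headers)) {
    return `blocked: ${response.status} failed the CORS check`;
  }
  if (response.status === 302) {
    // The browser may now follow the redirect; the next hop's response
    // has to pass the same check before script can read anything.
    return `redirect followed to ${response.headers.location}`;
  }
  return 'allowed: response readable by application A';
}

console.log(ajaxFromAtoB([]));         // first sequence: no proxy cookie for B
console.log(ajaxFromAtoB([SESSION]));  // second sequence: B was visited first
console.log(ajaxFromAtoB([], true));   // proposed: CORS headers on the 302
```
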
