
CORS issue when getting a token in Azure AD B2C (Implicit Flow)


We are trying to implement Azure AD B2C authentication with a web app using the implicit flow. We can log in and successfully get redirected to the correct URL, which includes the correct items on the redirect URL (id_token&code). However, as this article suggests (https://github.com/Azure/azure-content/blob/master/articles/active-directory-b2c/active-directory-b2c-reference-oidc.md#get-a-token), the app then needs to perform an XHR POST request to the token endpoint to retrieve a token for a resource (web API) the app needs to interact with. However, when I try to do an XHR POST to that token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p=b2c_1_signinpolicy) the browser (quite rightly) performs a preflight check (an OPTIONS call) to determine if it can call the endpoint, as it is on a different domain. The OPTIONS call works but it does not contain the required headers (Access-Control-Allow-Origin) for the browser to allow the POST call to the endpoint.

Am I missing something or doing something wrong?

Any help appreciated!

Jon


Solution

  • The Azure AD auth endpoints (B2C or otherwise) don't support CORS, nor will they ever.

    For JavaScript apps, we use the implicit flow with response_type=token or response_type=id_token to get tokens directly from the authorize endpoint - no CORS necessary. Feel free to try it out, it should work just fine.

    The reason we say JavaScript apps are unsupported right now is because after one hour, the id_token/access_token you get using this method will expire. And we don't have a way to refresh/get a new token silently. This means in the best case, your JavaScript app will have to redirect to AAD every hour.

    We don't think that's acceptable, so we're working on a feature that will solve this problem. But for now we'll continue to call JavaScript apps unsupported.
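The flow the answer describes, as an added example that is not part of the original question or answer: the browser app builds the B2C authorize request with response_type=id_token (so the tokens arrive in the redirect fragment and no CORS-blocked POST to the token endpoint is needed), checks state on the way back, and checks nonce and the one-hour expiry in the id_token. The tenant, client_id and redirect_uri values are placeholders; the policy name is the one from the question.

```javascript
// Added example, not from the original post: request tokens with the B2C
// implicit flow straight from the authorize endpoint, then read them out of
// the redirect fragment. No XHR POST to the token endpoint, so no CORS.
// tenant, client_id and redirect_uri are placeholders; the policy is the one
// named in the question.
const B2C = {
  tenant: 'contoso.onmicrosoft.com',                 // placeholder
  policy: 'b2c_1_signinpolicy',
  clientId: '00000000-0000-0000-0000-000000000000',  // placeholder
  redirectUri: 'https://localhost/callback',         // placeholder
};

// state ties the response to this browser session (CSRF check); nonce must
// come back inside the id_token so a replayed token is detectable.
function buildAuthorizeUrl(cfg, state, nonce, responseType = 'id_token') {
  const params = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: responseType,   // 'id_token' or 'id_token token'
    redirect_uri: cfg.redirectUri,
    response_mode: 'fragment',     // tokens arrive in the URL fragment
    scope: 'openid',
    state,
    nonce,
    p: cfg.policy,
  });
  return `https://login.microsoftonline.com/${cfg.tenant}/oauth2/v2.0/authorize?${params}`;
}

// Parse "#id_token=...&state=..." from location.hash after the redirect.
function parseRedirectFragment(hash, expectedState) {
  const p = new URLSearchParams(hash.replace(/^#/, ''));
  if (p.get('error')) return { ok: false, error: p.get('error') };
  if (p.get('state') !== expectedState) return { ok: false, error: 'state_mismatch' };
  return { ok: true, idToken: p.get('id_token'), accessToken: p.get('access_token') };
}

// Decode the JWT payload (base64url) to check nonce and expiry. This does not
// verify the signature; do that with a JWT library against the B2C JWKS before
// trusting the claims for any authorisation decision.
function checkIdTokenClaims(jwt, expectedNonce, nowSeconds) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(atob(b64));          // atob: browsers and Node 16+
  if (claims.nonce !== expectedNonce) return { ok: false, error: 'nonce_mismatch' };
  if (claims.exp <= nowSeconds) return { ok: false, error: 'expired' }; // ~1 h after issue
  return { ok: true, claims };
}
```

When exp is reached, the only option with this flow is the redirect the answer mentions: send the user back to the authorize URL to get a fresh id_token.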