I am working on Azure AD interactive login from my webapp. When a user logs in to my site he is redirected to the Azure login page, authenticated and returned to my site. This process involves a request to login.windows.net which redirects my browser to login.microsoftonline.com (which does the authentication). However, I am getting a CORS issue which states that the redirect to login.microsoftonline.com has been blocked due to no "Access Control Allow Origin" header from the requested source. I know it is possible to add this header when the requested resource is in my webapp, but in this case it's not. My question is: if login.microsoftonline.com doesn't return the header which causes this, how can I handle this issue from my webapp? Below is the error on my browser console.
XMLHttpRequest cannot load https://login.windows.net//oauth2/authorize?…......-4129-adea-ccdcbdeaa80e&nonce=c962fb8a-3c8c-4dec-9fbc-4f2fb8fcfde1. Redirect from 'https://login.windows.net//oauth2/authorize?…......-4129-adea-ccdcbdeaa80e&nonce=c962fb8a-3c8c-4dec-9fbc-4f2fb8fcfde1' to 'https://login.microsoftonline.com//oauth2/au….......-4129-adea-ccdcbdeaa80e&nonce=c962fb8a-3c8c-4dec-9fbc-4f2fb8fcfde1' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://my_host' is therefore not allowed access.
I was able to bypass this issue by passing the redirect URL to a form action and triggering the submit using JavaScript instead of directly redirecting to the URL. The CORS check is not done when the request comes from a form submit.
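The form-submit approach described in the answer, as an added example that is not part of the original post. It moves the authorize URL's query parameters into hidden inputs, because a GET form submission replaces the action's query string with the form fields, and it refuses any target that is not one of the two login hosts named in the question. The function names, the allow-list constant and the sample URL are assumptions made for illustration.

```javascript
// Added example, not the poster's code. The allow-list holds the two login
// hosts named in the question; adjust it for your identity provider.
const ALLOWED_LOGIN_HOSTS = ["login.windows.net", "login.microsoftonline.com"];

// Turn an authorize URL into a form description (hypothetical helper).
// A GET form submission overwrites the action's query string with the form
// fields, so every query parameter is carried as a hidden input instead.
function buildLoginForm(authorizeUrl, allowedHosts = ALLOWED_LOGIN_HOSTS) {
  const url = new URL(authorizeUrl);
  // Validate the parsed hostname, not the raw string, so inputs such as
  // "https://login.windows.net@other.example/" are rejected.
  if (url.protocol !== "https:" || !allowedHosts.includes(url.hostname)) {
    throw new Error("refusing to navigate to unexpected login host: " + url.host);
  }
  const fields = [...url.searchParams.entries()];
  return { action: url.origin + url.pathname, method: "get", fields };
}

// Render the form into the given document and submit it (hypothetical helper).
// The submit is a top-level navigation, so the browser follows the redirect
// between the login hosts without applying the XMLHttpRequest CORS check.
function submitLoginForm(doc, spec) {
  const form = doc.createElement("form");
  form.method = spec.method;
  form.action = spec.action;
  for (const [name, value] of spec.fields) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Constructed sample URL; the tenant, client_id and nonce are placeholders.
const SAMPLE_URL =
  "https://login.windows.net/TENANT_PLACEHOLDER/oauth2/authorize" +
  "?response_type=id_token&client_id=CLIENT_ID_PLACEHOLDER&nonce=constructed-nonce";
```

In a page script the call is `submitLoginForm(document, buildLoginForm(authorizeUrl))`, made in place of the XMLHttpRequest to the authorize endpoint.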