AADSTS9002327 error in Refresh Token Flow in Azure AD
I am getting below error when I attempt a Refresh Token Flow in Azure AD.
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests
My problem is identical to what is shared below:
https://learn.microsoft.com/en-us/answers/questions/1312290/tokens-for-spa
My HTTP post contains the grant_type and refresh_token. I tried to include "origin", "redirection_uri" , "scope" etc but I still get the same error.
Is this problem with my HTTP Post message, with Azure AD app registration, or Azure AD itself?
I created an Azure AD SPA application:
Granted API permissions:
To authorize users, I used below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://ClientID/spaapp.access openid offline_access
&state=12345
&code_challenge=CodeChallenge
&code_challenge_method=S256
Generated access token by using below parameters via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:api://ClientId/spaapp.access openid offline_access openid offline_access
code:code
redirect_uri:https://jwt.ms
code_verifier:S256
And passed Origin as header:
Origin:https://jwt.ms
The error "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests" usually occurs if you are not passing origin as header or passing invalid parameters to refresh the access token.
To refresh the access token, make use of below parameters:
POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:refresh_token
redirect_uri:https://jwt.ms
refresh_token:RefreshToken
Make sure to pass Origin as header:
Origin:RedirectURL
I am able to successfully refresh the access token:
The scope parameter is optional. If you are not passing the scope, the original scopes will be used. Or you can request a set of scopes.
If still the issue persists, check the below:
- Make sure the Azure AD application is configured as SPA.
- Make sure the origin you are passing, and the redirect URL configured in the application matches.
- Ensure CORS is properly configured and the server is allowing requests from SPA.
- Azure Permission - needed for creating resource group - RBAC
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- Updating App Registration's Configured permission without overwritten existing values
- Azure trusted signing Identity validation process stuck due to inability to upload required documents
- How to debug Bearer error="invalid_token"
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- .NET Core Multi Tenancy authentication
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Azure AD:Authenticate Devices
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- Rename a user in Azure Devops
- My Azure AD B2C User Flow is not returning a token on jwt.ms