AADSTS9002327 error in Refresh Token Flow in Azure AD
I am getting below error when I attempt a Refresh Token Flow in Azure AD.
AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests
My problem is identical to what is shared below:
https://learn.microsoft.com/en-us/answers/questions/1312290/tokens-for-spa
My HTTP post contains the grant_type and refresh_token. I tried to include "origin", "redirection_uri" , "scope" etc but I still get the same error.
Is this problem with my HTTP Post message, with Azure AD app registration, or Azure AD itself?
I created an Azure AD SPA application:
Granted API permissions:
To authorize users, I used below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://ClientID/spaapp.access openid offline_access
&state=12345
&code_challenge=CodeChallenge
&code_challenge_method=S256
Generated access token by using below parameters via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:api://ClientId/spaapp.access openid offline_access openid offline_access
code:code
redirect_uri:https://jwt.ms
code_verifier:S256
And passed Origin as header:
Origin:https://jwt.ms
The error "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests" usually occurs if you are not passing origin as header or passing invalid parameters to refresh the access token.
To refresh the access token, make use of below parameters:
POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:refresh_token
redirect_uri:https://jwt.ms
refresh_token:RefreshToken
Make sure to pass Origin as header:
Origin:RedirectURL
I am able to successfully refresh the access token:
The scope parameter is optional. If you are not passing the scope, the original scopes will be used. Or you can request a set of scopes.
If still the issue persists, check the below:
- Make sure the Azure AD application is configured as SPA.
- Make sure the origin you are passing, and the redirect URL configured in the application matches.
- Ensure CORS is properly configured and the server is allowing requests from SPA.
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?