OIDC connect with Microsoft and ORY Kratos returns CORS issue
I am using ORY kratos v1.0.0 self-hosted. I am trying to get oidc connect to work with microsoft azure (Sign in with mircosoft). I completed the app registration on Azure B2C, have the correct redirect URL, a client secret and have a green check for PKCE. I then set this up in my kratos.yml like this at providers.config
- id: microsoft
microsoft_tenant: common
provider: microsoft
client_id: xxxxxxxxxx
client_secret: xxxxxxxxxxxxxx
mapper_url: file:///etc/config/kratos/oidc.jsonnet
scope:
- email
The login always fails and I get this CORS issue returned by kratos:
"Unable to complete OpenID Connect flow because the OpenID Provider returned error "invalid_request": Proof Key for Code Exchange is required for cross-origin authorization code redemption."
(My other OIDC configs with google and github work.)
My kratos server lives on auth.mydomain.com my login screen lives on accounts.mydomain.com.
Any hints what could be the issue here?
The error might occur if you configured the redirect URL under Single-page application platform like this:
Note that, the redirect_uri of the External SSO / IDP should be registered as a "Web" instead of SPA.
To resolve the error, remove SPA redirect URI and add it in Web platform of your app registration:
- Issue with Group email address domain when create a new Microsoft 365 Group
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Get Azure Active Directory password expiry date in PowerShell
- Azure Logic App HTTP Request Authentication Scope
- Get all user properties from Microsoft graph
- Get User by email address using Microsoft Graph API
- How do I login to an Azure AD Joined VM using Azure AD Credentials on an Windows Server 2019?
- Azure Permission - needed for creating resource group - RBAC
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- Updating App Registration's Configured permission without overwritten existing values
- Azure trusted signing Identity validation process stuck due to inability to upload required documents
- How to debug Bearer error="invalid_token"
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- .NET Core Multi Tenancy authentication
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Azure AD:Authenticate Devices