
Entra ID - SPA application without Origin error gives an error. #260

Closed
BryanVictis opened this issue Jan 22, 2025 · 4 comments · Fixed by #263
@BryanVictis

The issue is similar to the one described here.
https://stackoverflow.com/questions/61231144/getting-access-tokens-from-postman-tokens-issued-for-the-single-page-applicati

When I try to validate an authorization code like so:

```js
import * as arctic from "arctic";

// Public (SPA) client: no client secret, so the third argument is null
const entraId = new arctic.MicrosoftEntraId(env.MS_TENANTID, env.MS_CLIENTID, null, env.MS_REDIRECTURI);
const tokens = await entraId.validateAuthorizationCode(code, codeVerifier);
```

validateAuthorizationCode fails with the error:
"AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests."

When I edit request.js in the function createOAuth2Request(endpoint, body) ...

```js
export function createOAuth2Request(endpoint, body) {
    const bodyBytes = new TextEncoder().encode(body.toString());
    const request = new Request(endpoint, {
        method: "POST",
        body: bodyBytes
    });
    request.headers.set("Content-Type", "application/x-www-form-urlencoded");
    request.headers.set("Accept", "application/json");
    // Required by GitHub, and probably by others as well
    request.headers.set("User-Agent", "arctic");
    // Required by Reddit
    request.headers.set("Content-Length", bodyBytes.byteLength.toString());
    request.headers.set("Origin", "http://localhost"); // This is the line I've added, obviously we shouldn't hardcode localhost here.
    return request;
}
```

Adding the proper "Origin" error makes the request valid without an error.

@pilcrowonpaper
Owner

Thanks for reporting the issue. Does the origin of the redirect URI and Origin header need to match? If you change the Origin header to http://random.com, does it still work?

@BryanVictis
Author

I'll test this next week when I will be working on the same project again.

@BryanVictis
Author

Hello again,

I've tested the issue again.
Unexpectedly, the value for the Origin header doesn't matter; it doesn't even have to be a valid URL.
I've tested with "abc" and it passed just fine.

As soon as I omit the Origin header I get the error again.
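The token request from the first post, built so that the Origin header is derived from the registered redirect URI rather than hard-coded as `http://localhost`. This is an added example, not Arctic's own code or the fix merged in #263; the function names `originFromRedirectUri` and `buildSpaTokenRequest`, the placeholder tenant in `TOKEN_ENDPOINT`, and the standard PKCE authorization-code body are assumptions.

```javascript
// Added example (not Arctic's own code): build the Entra ID token request
// for a "Single-Page Application" client type, sending an Origin header
// derived from the registered redirect URI instead of a hard-coded value.
// Assumed names: originFromRedirectUri, buildSpaTokenRequest, TOKEN_ENDPOINT.

// Placeholder tenant; the real tenant id comes from your app registration.
const TOKEN_ENDPOINT =
  "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/oauth2/v2.0/token";

// Derive a browser-style Origin (scheme://host[:port], no path or query)
// from the redirect URI. Rejects non-http(s) schemes so a misconfigured
// redirect URI fails loudly instead of producing a bogus header.
function originFromRedirectUri(redirectUri) {
  const url = new URL(redirectUri); // throws on malformed input
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`redirect URI must be http(s), got ${url.protocol}`);
  }
  return url.origin;
}

// Build the authorization-code exchange for a public client (PKCE, no
// client secret). Returns { url, init } ready for fetch(url, init).
function buildSpaTokenRequest({ clientId, redirectUri, code, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    redirect_uri: redirectUri,
    code,
    code_verifier: codeVerifier,
  }).toString();
  const bodyBytes = new TextEncoder().encode(body);
  return {
    url: TOKEN_ENDPOINT,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
        "User-Agent": "arctic",
        "Content-Length": String(bodyBytes.byteLength),
        // AADSTS9002327: SPA tokens may only be redeemed via cross-origin
        // requests, so the token endpoint requires an Origin header.
        "Origin": originFromRedirectUri(redirectUri),
      },
      body,
    },
  };
}
```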

@pilcrowonpaper
Owner

That's really surprising, thanks for testing it!
