Solvedmicrosoft authentication library for js B2C Token endpoint CORS

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angularjs@1.x.x

Important: Please fill in your exact version number above, e.g. msal@1.1.3.

Framework

React 16.13.1

Description

As noted in #1683, there currently is an issue with the knownAuthorities property in the config for msal-browser. It was mentioned that this has since been fixed in the dev branch.

While waiting for 2.0.0-beta.3 to be released, i built the package from dev branch and published it on npm.

The authorization request now goes thru, but i'm hit with a CORS issue from the token endpoint in my Azure B2C tenant.

Error Message

Access to fetch at 'https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy/oauth2/v2.0/token' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Security

  • Is this issue security related?

Regression

  • Did this behavior work before?
    Version:

MSAL Configuration

// Provide configuration values here.
// For Azure B2C issues, please include your policies.
const config = {
 auth: {
  clientId: 'xxx',
  authority: 'https://tenant.b2clogin.com/tenant.onmicrosoft.com/policy',
  knownAuthorities: [ 'tenant.b2clogin.com ']
 }
}

Reproduction steps

// Provide relevant code snippets here.
// For Azure B2C issues, please include your policies.

Instead of using @azure/msal-browser, use msal-browser-dev-build ( this is published on my personal npm and is built from the current dev branch 2020-06-18 )

import * as msal from 'msal-browser-dev-build';

Expected behavior

The token request should go through when using code pkce in SPA apps.

Browsers/Environment

  • Chrome
  • Firefox
  • Edge (
  • Safari
  • IE
  • Other - Edge Beta
46 Answers

✔️Accepted Answer

We appreciate everyone's patience, I certainly understand the frustration. I know it has taken a while and we've now reached the date that was previously communicated but we're in the home stretch! I've been told the CORS fix started deployment late last week and is expected to be completed this week. You will not need to update MSAL when it completes as long as you are on a stable release of the library.

There is one other issue to keep an eye on before you deploy an app to production, please see #1999 for that issue. The service team is currently working on a fix for that as well and is expecting to complete that work very soon after the CORS fix.

Additionally, we have PR #2148 open to add a B2C specific sample to our repo. We are waiting to merge until these two issues are resolved. Once this PR is merged you can take that as a sign that we consider B2C GA'ed and ready to support in msal-browser@2.x

Other Answers:

@rnarayana We don't have a public issue reference but we're expecting this to be resolved by the end of the week, I will update if that changes.

So today is the last day of the month. Any news? Can we expect a release this week?

Apologies for the delay. We absolutely support B2C, and a fix for the token endpoint CORS issue is currently being rolled out to AAD. We're waiting confirmation from the server team, we'll follow up when we know more. Thanks!

Update: The CORS fix will complete rollout sometime today. I just tried on my own B2C tenant and the issue seems to be resolved. Please give it try and if it's still giving you an error try it again tomorrow as it may take some time to roll out to all users. I will leave this issue open for a few days in case some of you are still experiencing issues after tomorrow.

Please do keep in mind that B2C still has one pending issue (#1999) before we consider this supported and can recommend anyone use B2C with msal-browser in production apps. That issue is currently being worked on and is expected to be completed as early as next week, pending testing and deployment.