ADFS 2016 - CORS issue for OpenID Connect Discovery Endpoint

I'm trying to set up our Angular SPA + ASP.NET Core API with ADFS (on premises) to get rid of Windows authentication. Ultimately the goal would be:

  • Angular SPA -> Redirects user to ADFS and receives id_token back
  • Angular SPA -> Uses this token to call API
  • Angular SPA -> Refreshes the token from time to time

The Angular SPA and API are correctly configured on ADFS. I'm using angular-oauth2-oidc to configure the SPA.

The issue is: when loading the SPA I get a CORS error when the SPA tries to reach the OpenID Discovery endpoint (.well-known/openid-configuration). So I cannot even redirect the user to ADFS. Nothing works.

I looked a lot online and only found lots of other people saying that ADFS doesn't support CORS. Seems strange though. Microsoft claims that they support Single Page Applications, so you already more or less assume that ADFS will be receiving CORS requests.

Has anyone else bumped into this issue? Seriously, Microsoft implemented this and didn't build in a way to allow CORS requests?

Edit: I also tried creating a wrapper around adal.js. I managed to redirect the user to ADFS, log in and get the id_token. The issue now is that the STS returns the aud claim for the SPA in the token, not for the API. When the SPA uses the token to call the API, it fails, as expected. Feels like I have hit a dead end on this.

jpgrassi asked Nov 24 '17 16:11


1 Answer

Not possible in ADFS 2016, not solved in ADFS 2018 (so far).

https://social.technet.microsoft.com/Forums/en-US/efcb35b3-f0f6-4c83-8a34-8e939aa56e7f/adding-cors-headers-to-oidc-discovery-endpoint-in-adfs-2016?forum=ADFS

Jeff

Jeff LOMBARDO answered Sep 28 '22 21:09