I am trying to call an Azure token retrieval API endpoint from a SAP Fiori application via a BTP destination. I am getting the error below while executing the token retrieval call.
Below is my destination:
Alternatively, when I try to call the actual API endpoint with OAuth2UserTokenExchange, I get an HTTP 500 Internal Server Error without any error description.
I tried to reproduce the same in my environment in Postman and got the same error, shown below:
The error "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type" usually occurs if you are using the PKCE flow/SPA authentication and the Azure AD application is configured as Web, like below:
To resolve the error, make sure to configure the Azure AD application as SPA, like below:
After the above changes, I am able to get the access token successfully like below:
Make sure to add the Origin header in the Headers:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:https://graph.microsoft.com/.default
grant_type:authorization_code
code:code
code_verifier:S256
redirect_uri:https://jwt.ms
In your case, add the redirect URI https://port8080-workspace***** as SPA in the Authentication blade of the Azure AD application.
I had a similar issue, but I had more than one platform registered in the Azure App registration.
We had a mobile platform which had a redirect URL of http://localhost, and my SPA had http://localhost:3000.
I think they were conflicting. I removed it from the mobile platform and everything started working.