Warm tip: This article is reproduced from stackoverflow.com, please click
azure-active-directory javascript oauth-2.0 powerbi

Access Token using JavaScript (CORS Policy) error

发布于 2020-05-26 18:37:29

I'm embedding Power BI Reports into another application using JavaScript and I could generate access token (Barear) using below JavaScript code but it doesn't work in all the browsers. It displays below error message.

Access to XMLHttpRequest at 'https://login.microsoftonline.com/<>/oauth2/token' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I added required request headers but still the same result. 

	 var key;  
	 var request = new XMLHttpRequest(); 
    request.open("POST", "https://login.microsoftonline.com/<<tenant_id>>/oauth2/token", true); 
  
	request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
	request.setRequestHeader('Access-Control-Allow-Headers', 'x-requested-with');
	request.setRequestHeader('Access-Control-Allow-Origin', '*');
    request.send("grant_type=client_credentials&client_id=<<clientid>>&client_secret=<<clientsecret>>&resource:<<resourceurl>>"); // specify the credentials to receive the token on request
    request.onreadystatechange = function () {
        if (request.readyState == request.DONE) {
            var response = request.responseText;
            var obj = JSON.parse(response); 
            key = obj.access_token; 
            token_ = key; 
        }
    }

Any ideas?

Thank you!

Questioner
Mittal Patel
Viewed
132
分享
Tony Ju 2020-03-11 09:38

You should never put the client secret in the front-end.

We suggest you use azure-activedirectory-library-for-js for frontend to integrate AAD with a ease. You can refer to No 'Access-Control-Allow-Origin' header with Microsoft Online Auth for details.

client_credentials grant_type is used in app only scenario. If you must use client credential flow, you need to get the access token in your app's backend and return it to the frontend.

Mittal Patel 1970-01-01 08:00:00

Thank you very much for your response, it was helpful. I tried ADAL.js code and I'm successfully getting the id_token in browser URL. I've one follow-up question on RedirectURI. What it should be? I'm embedding Power BI Reports in ServiceNow application. What should be Redirect URI in Azure AD App? Power BI URL or ServiceNow Page URL or something else?

Related issues

1
How to export Extension Attributes from Azure AD to csv using Powershell
2
How to call AAD graph from Ibiza extension
3
Azure AD App Service Authorization for a Blazor App in Azure App Svc
4
Can I configure the SSO SAML with an App Registration (not Enterprise Application)?
5
How to enable tenant restriction in a correct way
6
How to start using Service principal already created to update WorkItem in devops
7
how to do authentication and authorization for the users for the specific regions in azure AD?
8
How to validate the user id token after user password changes in AD B2C
9
How to Validate appid of the Azure AD Access
10
Azure DevOps Test plans for basic User?