Missing Origin Header

[ian-cahila-maersk]

Upon looking the codes, I was wondering if there's any way to specify additional headers aside from the default ones? Advance thanks for the insights. :)

oauth2.py
def _obtain_token( # The verb "obtain" is influenced by OAUTH2 RFC 6749
self, grant_type,
params=None, # a dict to be sent as query string to the endpoint
data=None, # All relevant data, which will go into the http body
headers=None, # a dict to be sent as request headers
post=None, # A callable to replace requests.post(), for testing.
# Such as: lambda url, **kwargs:
# Mock(status_code=200, text='{}')
**kwargs # Relay all extra parameters to underlying requests
): # Returns the json object came from the OAUTH2 response
_data = {'client_id': self.client_id, 'grant_type': grant_type}

I can't find a way for the headers parameter to be supplied from the outside.

Btw, I'm using the available python code for Flask.

[rayluo]

We do not expose additional headers as parameter in MSAL's API surface. Why would you want to do so? Can you describe your scenario first, before we start discussing the implementation, so that we avoid the XY problem?

BTW, what did you mean by "using the available python code for Flask"? Are you using any of our flask-based samples? If so, please also leave its link so that we know specifically which one.

UPDATE: Future readers can skip the lengthy conversation and just head to the final solution here.

[rayluo]

I tried running this repo as well and it returned the same thing, ......

Here's the snap of the error,

But this AADSTS9002325 is different than your earlier message's AADSTS9002327. They are not the same thing. You may create a new conversation on the new topic, but in this conversation, let's stick with the first sample and focus on the AADSTS9002327 error first. We will take a look soon. Meanwhile, have you tried to register your app as NOT a Single-Page Application? Python-powered apps are typically not SPAs.

[ian-cahila-maersk]

Alright! I just considered them similar since they're both pertaining to CORS but got your point.

Ahm no I haven't tried that. That option doesn't seem to be available on Azure App Registration but I'll try to have a look on this. Tho, I have a workaround on this, I created my own http_client overriding the one created by the msal module and I just added the Origin header on the client and the app began working fine.

[rayluo]

@ian-cahila-maersk , your proposal/workaround of customizing Origin could be unnecessary in the first place. Have you tried my previous suggestion 26 days ago, to either confirm or rule out that cause?

Meanwhile, have you tried to register your app as NOT a Single-Page Application? Python-powered apps are typically not SPAs.

[rayluo]

In fact, I can reproduce your "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests" error, if I deliberately configure my web app as a SPA app (and also skipping its CLIENT_SECRET in my app implementation) - but those were the wrong way to configure/use a web app.

If this was indeed your configuration, I'd suggest you to delete the SPA section, and configure your app as a Web app (or a Desktop app, for that matter). Or you could still have your SPA configuration and your Web/Desktop app configuration co-exist, as long as their redirect_uri are different than each other.

[ian-cahila-maersk]

Yes, it worked! My fault is that I was hesitant to make changes on the current implementation in the organization. I added the redirect_uri in the web app section and it still works fine and I agree with what you said about what I did as an incorrect way of doing this. I appreciate your help @rayluo. Thanks!

[rayluo]

(The following content was buried deep down here in the lengthy conversation, and we copied it here for visibility.)

... I can reproduce your "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests" error, if I deliberately configure my web app as a SPA app (and also skipping its CLIENT_SECRET in my app implementation) - but those were the wrong way to configure/use a web app.

If this was indeed your configuration, I'd suggest you to delete the SPA section, and configure your app as a Web app (or a Desktop app, for that matter). Or you could still have your SPA configuration and your Web/Desktop app configuration co-exist, as long as their redirect_uri are different than each other.