[Feature Request] Origin header missing on SPA token request

[JeffreyStevens]

When using the interactive_sample.py for my Azure AD FS server using the PKCE flow, the oauth2.py method _obtain_token() does not inject an Origin header as required by our Application tenant token endpoint, so I wound up hardcoding an origin header with a value of http://localhost:8000 just to get it to work. Could this be made a configuration value?

Also, it would be nice if the browser tab opened by authcode.py method _browse could be closed on success so as not to annoy users.

[rayluo]

When using the interactive_sample.py for my Azure AD FS server using the PKCE flow, ...
inject an Origin header as required by our Application tenant token endpoint

AFAIK, PKCE specs does not require an Origin header. Where does that requirement come from? Is it a special requirement only needed for that AD FS server? Does that server also require Origin even when not using PKCE? We need more info to understand how/whether to support this case.

[JeffreyStevens]

I'll have to ask one of our Principal engineers about it, but it does appear to be the token endpoint call returns a

AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.

error and it goes away if I add the Origin header. It may not be related to PKCE, I just noticed that term in the code at the obtain_token_by_browser() method. I should probably add I'm using an AD application registration for a SPA application that I own, not a new one specifically for this Python code.

[rayluo]

Quick question to @JeffreyStevens . If you hardcode an origin header with the string null, will it still work?

[JeffreyStevens]

It does not, returns Token acquisition failed. Here is the code mod:

[bgavrilMS]

I should probably add I'm using an AD application registration for a SPA application that I own, not a new one specifically for this Python code - this is probably the culprit. Only MSAL JS supports the SPA scenario and while I am not an expert, it does deal with cross origin and other browser-y aspects.

Pls create a new app reg. Feel free to use a personal tenant if just for testing.

[JeffreyStevens]

I have gotten MSAL JS working as you mentioned. I'm new to Python as I have a new job so I'm trying to replicate oauth flows I had working in JS. Would you consider adding a configuration option for this anyway?

[rayluo]

Quick question to @JeffreyStevens . If you hardcode an origin header with the string null, will it still work?

It does not, returns Token acquisition failed. Here is the code mod:

No, I said "string null". Try _header['Origin'] = "null" and see how that goes.

[JeffreyStevens]

What magic is this?! Interactive works with "null"! On the downside, I think it breaks the confidential_client_secret_sample.py because that fails unless I remove the Origin header. So, this makes both work.

[rayluo]

What magic is this?! Interactive works with "null"! On the downside, I think it breaks the confidential_client_secret_sample.py because that fails unless I remove the Origin header.

I cannot reproduce it breaking confidential_client_secret_sample. Perhaps you would like to double check?

Regardless, the null was just an experiment. More time will be needed to evaluate different options. We will probably need to wait until many of my colleagues return from their holiday vacation.

Meanwhile, @JeffreyStevens you already have a workaround, and ideally you shall consider using a non-SPA app for your Python script, so that you won't run into this issue in the first place.