[Feature Request] Origin header missing on SPA token request #641
Comments
AFAIK, PKCE specs does not require an |
I'll have to ask one of our Principal engineers about it, but it does appear to be the token endpoint call returns a
error and it goes away if I add the Origin header. It may not be related to PKCE, I just noticed that term in the code at the obtain_token_by_browser() method. I should probably add I'm using an AD application registration for a SPA application that I own, not a new one specifically for this Python code. |
Quick question to @JeffreyStevens . If you hardcode an origin header with the string |
Pls create a new app reg. Feel free to use a personal tenant if just for testing. |
I have gotten MSAL JS working as you mentioned. I'm new to Python as I have a new job so I'm trying to replicate oauth flows I had working in JS. Would you consider adding a configuration option for this anyway? |
No, I said "string |
I cannot reproduce it breaking confidential_client_secret_sample. Perhaps you would like to double check? Regardless, the Meanwhile, @JeffreyStevens you already have a workaround, and ideally you shall consider using a non-SPA app for your Python script, so that you won't run into this issue in the first place. |
When using the `interactive_sample.py` for my Azure AD FS server using the PKCE flow, the `oauth2.py` method `_obtain_token()` does not inject an `Origin` header as required by our Application tenant token endpoint, so I wound up hardcoding an origin header with a value of `http://localhost:8000` just to get it to work. Could this be made a configuration value?

Also, it would be nice if the browser tab opened by `authcode.py` method `_browse` could be closed on success so as not to annoy users.
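The hardcoded-Origin workaround described in this issue can be kept out of the library source. The following is an added example, not MSAL's code or the reporter's: a wrapper around any HTTP client with `get()`/`post()` methods that adds `Origin` only to HTTPS POSTs to one configured token endpoint host. The class names, the `login.example.test` host and handing the wrapper to MSAL Python through its `http_client` constructor argument are assumptions of this example.

```python
from urllib.parse import urlsplit


class OriginInjectingClient:
    """Wraps an HTTP client exposing get()/post() (e.g. requests.Session)
    and adds an Origin header to POSTs sent to the token endpoint only."""

    def __init__(self, inner, origin, token_host, token_path_suffix="/token"):
        self._inner = inner
        self._origin = origin
        self._token_host = token_host.lower()
        self._suffix = token_path_suffix

    def _is_token_request(self, url):
        parts = urlsplit(url)
        # Scope the header narrowly: HTTPS, exact host match, token path.
        return (parts.scheme == "https"
                and (parts.hostname or "") == self._token_host
                and parts.path.rstrip("/").endswith(self._suffix))

    def post(self, url, headers=None, **kwargs):
        headers = dict(headers or {})  # copy: never mutate the caller's dict
        if self._is_token_request(url):
            headers.setdefault("Origin", self._origin)
        return self._inner.post(url, headers=headers, **kwargs)

    def get(self, url, **kwargs):
        return self._inner.get(url, **kwargs)  # discovery calls pass through

    def close(self):
        close = getattr(self._inner, "close", None)
        if close:
            close()


class RecordingClient:
    """Constructed stand-in for a real HTTP client; records what it is sent."""

    def __init__(self):
        self.calls = []

    def post(self, url, headers=None, **kwargs):
        self.calls.append(("POST", url, headers or {}))

    def get(self, url, **kwargs):
        self.calls.append(("GET", url, kwargs.get("headers") or {}))
```

In real use the inner client would be a `requests.Session()` and the origin would match a redirect URI registered on the SPA platform of the app registration.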