12
votes

We recently made a switch from Implicit Grant Flow to Authorization Code Flow with PKCE for our application, and now we're having some trouble getting access tokens from Azure AD from Postman. The app is registered in Azure AD and we're basically using the Postman procedure described here: https://developer.mypurecloud.com/api/rest/postman/index.html#enable_authorization. Calling the https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize endpoint works ok, but it hits an error when calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token:

"Error: Cound not complete OAuth 2.0 token request: "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.\r\nTrace ID: 8253f622-3425-4d0a-817c-281f86097300\r\nCorrelation ID: 9d84460f-ec02-4ace-af03-14d948e3d4ad\r\nTimestamp: 2020-04-15 14:02:03Z"

This is the access token request: [screenshot]

How can we get access tokens from Azure AD using Postman with this authorization flow?

6
You have to request an auth code first, then with this code request an access token. - Md Farid Uddin Kiron
Postman does this automatically with this "request token" module. First it calls the Auth URL to get the auth code, then the token URL to get the access token. However, there is a CORS issue here that I do not understand. - PalBo
@PalBo I have a similar problem here. Did you manage to find a solution for this? - Maruthi Adithya
Currently I am getting the access token from the browser by logging in with username and password. Maybe you can find some answers here: github.com/postmanlabs/postman-app-support/issues/3825 - PalBo

6 Answers

6
votes

Apparently this is a problem as the documentation is confusing.

In the Azure Active Directory App Registration, make sure you add the redirect URL under the "Mobile and desktop applications" category.

When you read the documentation, it looks like you need to add the Redirect URL under Single Page Apps. It even shows a confirmation message saying "Your Redirect URI is eligible for the Authorization Code Flow with PKCE." but this is not true.

1
votes

This error can occur when the "Origin" header is missing from the request (see: GitHub comment).

Try adding the header:

Origin: http://localhost

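To make the two points of this thread concrete (the PKCE pair Postman generates for you, and the AADSTS9002327 rule that a code issued to a 'Single-page application' platform must be redeemed cross-origin, i.e. with an Origin header, while a 'Mobile and desktop applications' registration needs none), here is an added example that is not from the question, the answers or Microsoft. It only builds the requests against the v2.0 endpoints quoted in the question; sending them, the tenant, client_id and redirect URI, and deriving the Origin value from the redirect URI are all assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Azure AD v2.0 endpoints from the question; {tenant} is filled in by the caller.
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43-char base64url verifier (allowed length 43..128)
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scope, challenge, state):
    """URL the browser is sent to; the code comes back on redirect_uri."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,  # include offline_access to also receive a refresh_token
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params)


def build_token_request(tenant, client_id, redirect_uri, code, verifier, spa_platform):
    """(url, headers, form body) for redeeming the code at the token endpoint.
    spa_platform=True models a redirect URI registered as 'Single-page application':
    the redemption is only accepted cross-origin, so an Origin header is added
    (assumption: the redirect URI's own origin is acceptable). A 'Mobile and
    desktop applications' registration is a public client and needs no Origin.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if spa_platform:
        u = urlparse(redirect_uri)
        headers["Origin"] = f"{u.scheme}://{u.netloc}"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,  # proves this client started the flow; no client_secret
    }
    return AUTHORITY.format(tenant=tenant) + "/token", headers, urlencode(body)
```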
1
votes

If you're experiencing this failure whilst trying to authenticate using Postman, ensure that you have a platform authentication for Web.

Go to Azure AD > App Registrations > {your app reg} > Authentication > Add a platform. Redirect URI should be https://oauth.pstmn.io/v1/callback when using the browser.

0
votes

I was able to resolve this by doing the following:

Within the Azure Portal:

  1. Navigate to the App Registration that you are using for your protected API.
  2. Next, navigate to the Authentication blade within the Manage menu.
  3. Within your Single-page application platform, add the following Redirect URI, https://oauth.pstmn.io/v1/callback.
  4. Save these changes within the Azure Portal.

Next, within Postman's New Token Configuration:

  1. Manually set the Callback URL to the same URI specified above (i.e. https://oauth.pstmn.io/v1/callback).

Once the above are done, clear your cookies from within Postman, and re-attempt retrieval of the token.


-1
votes

1. You should first get the code in the browser. Enter the following request information in the browser address bar:

[screenshot]

[screenshot]

2. Then enter the obtained code and other request information in Postman, and you will get the access token:

[screenshot]

3. Please check: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

-1
votes

To get a refresh_token you have to add "offline_access" to the scope.

The documentation of the response to the access token request says:

An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires. Refresh_tokens are long-lived, and can be used to retain access to resources for extended periods of time. For more detail on refreshing an access token, refer to the section below. Note: Only provided if offline_access scope was requested.

Documentation