Introduction

This post is to help explain what is occurring when the CORS redirection error occurs when trying to navigate back to the login page after logging in. This doesn’t occur when the user is using a private browsing method/mode. The error that is typically received is error :

“Failed to load https://login.windows.net/{GUID} (index):{GUID}/oauth2/autho…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D1518029528427: Redirect from ‘https://login.windows.net/…{GUID}&oauth2/autho…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D1518029528427′ to ‘https://login.microsoftonline.com/{GUID}/oaut…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D158029528427′ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘{my-origin}’ is therefore not allowed access.”

Reason Why This is Occurring

In a typical scenario after a user authenticates to Azure AD to log into an application, Azure App Service sets a cookie called “AppServiceAuthSession” for that authenticated session with the client browser. The web application may use XMLHttpRequest / AJAX request for various functionality of the application and the request sent to Azure App Service would also contain the AppServiceAuthSession cookie. When this cookie is not present in the request, Azure App Service will redirect the request to Azure AD for login. This redirection causes the AJAX request to become a CORS request since the destination domain changes and Azure AD by default does not allow cross origin request.

Resolution

The Application needs to check for the existence of the AppServiceAuthSession cookie or if the session is still authenticated before sending the AJAX request. If the session is no longer authenticated, reload the entire browser window again and let EasyAuth handles the re-login process again.