CORS issue when adding OpenID Active Directory authentication to Azure App Service

We have two App Services in Azure in tenant A:

(a) Web App (Angular) (b) API App (.NET Core)

The 'Web' App Service calls the 'API' App Service to get data. 'Web' & 'API' app authentication is done by OpenID Active Directory Authentication. When we call the 'API' service from the browser it works fine, but when we call the 'API' app from within the 'Web' app we get a CORS error:

Access to XMLHttpRequest at 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?response_type=code&client_id={client-id}&redirect_uri=https%3A%2F%2F{AP%2F.api.azurewebsites.us%2Flogin%2F{auth provider}%2Fcallback&nonce=4&state=redir%3D%252Fapi%252Fbridge&scope=openid+profile+email' (redirected from 'https://api.azurewebsites.us/api/name') from origin 'https://webui.azurewebsites.us' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Has anyone faced a similar issue and can provide some help with this?



Solution 1:[1]

I think you just need to use an application type / platform of Single Page App rather than Web App, as in step 6 of my blog post.

Azure AD will then add the CORS response headers to pre-flight OPTIONS requests, needed by the SPA.
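
How to read the error quoted in the question, as an added example that is not part of the original question or answer: the blocked URL is the identity provider's authorize endpoint, reached by a redirect from the API, not the API itself. The function name `triageCorsError`, the result labels and the sample message (placeholders `TENANT_ID` and `CLIENT_ID`) are constructed for this illustration.

```javascript
// Added example: classify a browser CORS console message.
// SAMPLE is constructed, modelled on the error in the question; IDs are placeholders.
const SAMPLE =
  "Access to XMLHttpRequest at 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize" +
  "?response_type=code&client_id=CLIENT_ID&scope=openid+profile+email' " +
  "(redirected from 'https://api.azurewebsites.us/api/name') " +
  "from origin 'https://webui.azurewebsites.us' has been blocked by CORS policy: " +
  "No 'Access-Control-Allow-Origin' header is present on the requested resource.";

// Captures: blocked URL, optional "redirected from" URL, page origin.
const CORS_MSG =
  /^Access to (?:XMLHttpRequest|fetch) at '([^']+)'(?: \(redirected from '([^']+)'\))? from origin '([^']+)'/;

function triageCorsError(message) {
  const m = CORS_MSG.exec(message);
  if (!m) return { kind: "unrecognized" };

  const blocked = new URL(m[1]);                    // where the browser ended up
  const requested = m[2] ? new URL(m[2]) : blocked; // what the page actually called
  const q = blocked.searchParams;

  // An OAuth 2.0 / OpenID Connect authorization request carries these parameters.
  const isAuthorizeRequest =
    blocked.pathname.endsWith("/authorize") &&
    q.has("response_type") && q.has("client_id");
  const redirectedCrossHost = Boolean(m[2]) && blocked.host !== requested.host;

  return {
    // "login-redirect": the called service answered the XHR with a redirect to an
    // interactive sign-in page, so the missing header is on the identity provider's
    // response. "cors-policy": the called resource itself lacks the header.
    kind: isAuthorizeRequest && redirectedCrossHost ? "login-redirect" : "cors-policy",
    pageOrigin: new URL(m[3]).origin,
    requestedHost: requested.host,
    blockedHost: blocked.host,
    responseType: q.get("response_type"),
  };
}

console.log(triageCorsError(SAMPLE));
```
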

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Gary Archer