I am trying to configure our Angular SPA + ASP.NET Core API using ADFS (indoor) in order to get rid of Windows authentication. Ultimately, the goal will be:
- Angular SPA -> redirects the user to ADFS and gets id_token back
- Angular SPA -> Uses this token to call the API
- Angular SPA -> from time to time updates the token
Angular SPA and API are correctly configured in ADFS. I am using angular-oauth2-oidc to set up a spa.
The problem is this: when I boot up the SPA, I get a CORS error when the SPA tries to reach the OpenId Discovery endpoint (.well-known/openid-configuration). Therefore, I can't even redirect the user to ADFS. Nothing works.
I looked a lot on the Internet and found many other people saying that ADFS does not support CORS. Seems strange. Microsoft claims that they support Single Page Applications, so you are more or less assuming ADFS will receive CORS requests.
Has anyone else encountered this problem? Seriously, did Microsoft implement this and not create a way to resolve CORS requests?
Edit: I also tried to create a wrapper around adal.js. I managed to redirect the user to ADFS, log in and get id_token. The problem is that sts returns an aud request for the spa in the token, and not for the api. When SPA uses a token to invoke the API, it, as expected, fails. Looks like I'm at a dead end.
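The audience mismatch described in the edit above, as an added example that is not part of the original post: an API-side `aud` check that rejects a token issued for the SPA and accepts one issued for the API. The identifiers `spa-client-id` and `https://api.example.test` and the tokens are constructed for illustration, and signature and issuer validation are assumed to happen before this check.

```javascript
// Added example with constructed tokens and hypothetical identifiers.
// Signature and issuer validation are out of scope here; a real API performs
// them before it trusts any claim in the payload.
const SPA_CLIENT_ID = 'spa-client-id';            // assumed SPA identifier
const API_AUDIENCE = 'https://api.example.test';  // assumed API identifier

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build a constructed compact JWT; the signature segment is a placeholder.
function makeToken(claims) {
  return `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}.sig-not-checked-here`;
}

// Decode the payload (second) segment of a compact JWT.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// RFC 7519: "aud" is either a single string or an array of strings.
function checkAudience(token, expected) {
  let claims;
  try {
    claims = decodePayload(token);
  } catch (e) {
    return { ok: false, reason: 'malformed token' };
  }
  const aud = claims.aud === undefined ? [] : [].concat(claims.aud);
  if (aud.length === 0) return { ok: false, reason: 'missing aud' };
  if (!aud.includes(expected)) {
    return { ok: false, reason: `aud ${JSON.stringify(aud)} does not include ${expected}` };
  }
  return { ok: true, reason: 'audience accepted' };
}

// Constructed samples: the token the SPA received, and one issued for the API.
const tokenForSpa = makeToken({ sub: 'user1', aud: SPA_CLIENT_ID });
const tokenForApi = makeToken({ sub: 'user1', aud: [API_AUDIENCE] });

console.log(checkAudience(tokenForSpa, API_AUDIENCE)); // rejected by the API
console.log(checkAudience(tokenForApi, API_AUDIENCE)); // accepted by the API
```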