Azure B2C for Angular 8 app with angular-auth-oidc-client – b2clogin endpoint POST CORS error


I used Damien Bod’s angular-auth-oidc-client in my angular 8 app with “new” Azure B2C endpoints:

  • https://{tenant}{tenant}
  • https://{tenant}{tenant}

And STS Server looks like this:

  • https://{tenant}{tenant}/B2C_1_SuSi_v2/oauth2/v2.0/

But the problem is the oidc lib makes a POST request to https://{tenant}{tenant}

and I get CORS error:

Access to XMLHttpRequest at ‘https://{tenant}{tenant}’ from origin ‘‘ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

What am I doing wrong here? This is Code Flow with PKCE.

here’s the core for my App.module.ts:

export function loadConfig(oidcConfigService: OidcConfigService, httpClient: HttpClient) {
  if (!environment.production) {
    console.log("APP_INITIALIZER STARTING");

  return () =>
        switchMap((config: OidcConfig) => of(config)),
        tap(config => {
          oidcConfig = config;
          config =>
      .then(wellKnownUri => oidcConfigService.load_using_custom_stsServer(wellKnownUri));

export class AppModule {
    private oidcSecurityService: OidcSecurityService,
    private oidcConfigService: OidcConfigService
  ) {
    this.oidcConfigService.onConfigurationLoaded.subscribe((configResult: ConfigResult) => {
      // Use the configResult to set the configurations

      const config: OpenIdConfiguration = {
        stsServer: configResult.customConfig.stsServer,
        redirect_url: oidcConfig.redirect_url,
        client_id: oidcConfig.client_id,
        scope: oidcConfig.scope, // "code",
        response_type: oidcConfig.response_type,
        post_logout_redirect_uri: oidcConfig.post_logout_redirect_uri,
        silent_renew: true,
        silent_renew_url: "/silent-renew.html",
        post_login_route: oidcConfig.post_login_route,
        forbidden_route: oidcConfig.forbidden_route,
        unauthorized_route: oidcConfig.unauthorized_route,
        auto_userinfo: oidcConfig.auto_userinfo,
        log_console_debug_active: !environment.production
        // all other properties you want to set

      this.oidcSecurityService.setupModule(config, configResult.authWellknownEndpoints);
    if (!environment.production) {
      console.log("APP STARTING");



This is not true for quite some time now – Damien Bod’s angular-auth-oidc-client does work with Azure AD B2C with PKCE. Look for his article in the Internet, it describes every step.

I’ve been successfully using it for about a year now.

ok, so I found out (the hard way) Code Flow with PKCE simply doesn’t work with SPA!

But implicit flow DOES work!

I’m pretty sure it’s Azure B2C problem because of all those CORS errors.

But I’m not an expert in these things. If anyone has a working sample with Code flow PKCE agains Azure B2C, please share it!

Answered By – alvipeo

Answer Checked By – Willingham (AngularFixing Volunteer)

Leave a Reply

Your email address will not be published.