Add `Origin` header to OAuth 2.0 flow

This question is related to the problem described in the following StackOverflow question: authentication - Getting access tokens from Postman: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests - Stack Overflow.

During the OAuth 2.0 “authorization code with PKCE” grant, Azure AD requires an Origin header to be present on the request to the /token endpoint. If the header is not present, the authorization flow fails with the following error:

Error: AADSTS9002327: Tokens issued for the ‘Single-Page Application’ client-type may only be redeemed via cross-origin requests

Unfortunately, Postman does not add this header to the flow, hence the request for a token fails.

Is there a way to add a custom header into the requests that are executed behind “Get new access token” flow? I have tried adding headers to the request that the token is attached to, as well as “pre-request script”. Neither of these methods helped.

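For reference, here is what the PKCE exchange the question describes looks like when driven from a script instead of Postman: the verifier/challenge pair, the authorize URL, and the /token request carrying the Origin header that Azure AD checks for SPA-type clients. This is an added example, not code from the thread or from Postman; the tenant, client id and redirect URI are placeholders, and it assumes the Origin must match the origin of a redirect URI registered on the app's SPA platform.

```python
import base64
import hashlib
import secrets
import urllib.parse
import urllib.request

# Placeholder values (assumed, not from the thread).
TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:3000/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"


def challenge_for(verifier):
    """S256 code_challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); 32 random bytes -> 43-char verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, challenge_for(verifier)


def authorize_url(challenge, state, scope="openid"):
    """The browser step: user is redirected here and comes back with ?code=...&state=..."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTHORITY}/authorize?{urllib.parse.urlencode(params)}"


def origin_of(uri):
    """scheme://host[:port] of a URI, i.e. the value a browser sends as Origin."""
    p = urllib.parse.urlsplit(uri)
    return f"{p.scheme}://{p.netloc}"


def token_request(code, verifier):
    """Build the /token POST. Without the Origin header an SPA-type client gets
    AADSTS9002327; assumed here: Origin must match a registered SPA redirect URI."""
    body = urllib.parse.urlencode({"client_id": CLIENT_ID, "grant_type": "authorization_code",
                                   "code": code, "redirect_uri": REDIRECT_URI,
                                   "code_verifier": verifier}).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Origin": origin_of(REDIRECT_URI)}
    return urllib.request.Request(f"{AUTHORITY}/token", data=body, headers=headers, method="POST")


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("open in browser:", authorize_url(challenge, secrets.token_urlsafe(16)))
    code = input("paste ?code= from the redirect: ").strip()
    with urllib.request.urlopen(token_request(code, verifier)) as resp:
        print(resp.read().decode())
```

The `__main__` part performs the interactive exchange; the functions above it are what a pre-request script cannot replicate, because the authorize step still needs the browser redirect.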

Any update on this? This is kind of urgent to test APIs dependent on SPA

Having the same issue, since Microsoft forced PKCE now. Postman is no longer an option for our tests now

Same issue here … please add some feature that we can add header information in the Authorization flow.

Surely if you use sendRequest() in a pre-request script, then you are in full control of what headers are sent.

This doesn’t work for PKCE. PKCE is a client-based flow which involves the use of a browser and redirects.

I have found a solution, hope this works for you:
