Add `Origin` header to OAuth 2.0 flow

This question is related to the problem described in the following Stack Overflow question: azure active directory - Getting access tokens from Postman: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests - Stack Overflow.

During the OAuth 2.0 “authorization code with PKCE” grant, Azure AD requires the `Origin` header to be present on the request to the /token endpoint. If the header is not present, the authorization flow fails with the following error:

Error: AADSTS9002327: Tokens issued for the ‘Single-Page Application’
client-type may only be redeemed via cross-origin requests

Unfortunately, Postman is not adding this header to the flow, hence the request for a token fails.

Is there a way to add a custom header into the requests that are executed behind “Get new access token” flow? I have tried adding headers to the request that the token is attached to, as well as “pre-request script”. Neither of these methods helped.

2 Likes

Any update on this? This is kind of urgent to test APIs dependent on SPA.
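The token request described in the question, built outside Postman with the `Origin` header set, as an added example that is not part of the original thread. It assumes the Microsoft identity platform v2.0 token endpoint and that the redirect URI's origin is an acceptable `Origin` value (it is what a browser would send when the SPA and its redirect URI share an origin); the tenant, client ID, code and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# v2.0 token endpoint; "{tenant}" is filled in by the caller (placeholder here).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def s256_challenge(verifier):
    """RFC 7636 S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier is 86 characters."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256_challenge(verifier)

def origin_of(url):
    """scheme://host[:port] of a URL, the form a browser puts in Origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def build_token_request(tenant, client_id, code, redirect_uri, verifier):
    """Build (not send) the code-redemption POST, including the Origin header.

    Assumption: Origin is taken from the redirect URI's origin.
    """
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,  # must match the challenge sent to /authorize
    }).encode("ascii")
    req = Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Origin", origin_of(redirect_uri))
    return req

if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    verifier, challenge = make_pkce_pair()
    req = build_token_request("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                              "AUTH-CODE-PLACEHOLDER",
                              "http://localhost:3000/callback", verifier)
    print(req.get_method(), req.full_url)
    print("Origin:", req.get_header("Origin"))
    print("code_challenge for /authorize:", challenge)
```

Passing the returned request to `urllib.request.urlopen` sends it; the authorization code has to come from an `/authorize` call made with the matching `code_challenge`.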