[GH-ISSUE #4277] [bug]: Microsoft AAD Entra-ID implicit token flow -Origin header changed by using CORS-Plugin #1554

Open
opened 2026-03-16 20:49:14 +03:00 by kerem · 1 comment

Originally created by @HolgerBearBaer on GitHub (Aug 19, 2024).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/4277

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

We would like to use Microsoft EntraID OAuth for a request. For this we need the CORS plugin, but we always get a "Bad Request" error when we try to get an OAuth token.

We would like to use the implicit grant flow for AAD-registered apps (https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps), especially the section "acquire-access-tokens-silently" (https://learn.microsoft.com/de-de/entra/identity-platform/v2-oauth2-implicit-grant-flow?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps#acquire-access-tokens-silently). The request should call a user token from an already authenticated session from the Hoppscotch GUI via the CORS plugin (implicit authentication).

If the access token endpoint is called, Microsoft checks that the Origin header is specified accordingly in the app registration. Unfortunately, either Hoppscotch or the Hoppscotch-CORS plugin replaces the Origin header given in the request with the Chrome extension ID (chrome-extension://amknoiejhlmhancpahfcfcfhllgkpbld). Since Microsoft (EntraID) does not allow a chrome-extension to be set as a source in the application, this poses a problem because Entra-ID does not accept the Hoppscotch plugin Chrome-Extension-ID as a SinglePageApplication and therefore produces the following error message:

```json
{
  "error": "invalid_request",
  "error_description": "AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'chrome-extension://amknoiejhlmhancpahfcfcfhllgkpbld'. Trace ID: <Trace-UUID> Correlation ID: <Correlation-UUID> Timestamp: 2024-08-19 08:40:23Z",
  "error_codes": [
    9002326
  ],
  "timestamp": "2024-08-19 08:40:23Z",
  "trace_id": "<Trace-UUID>",
  "correlation_id": "<Correlation-UUID>",
  "error_uri": "https://login.microsoftonline.com/error?code=9002326"
}
```

Steps to reproduce

Expected behaviour:

Hoppscotch and the Hoppscotch-CORS plugin respect an Origin header specified in the request and do not simply change it during the request flow.

Environment

Production

Version

Self-hosted
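A small diagnostic for this failure mode, added here as an example and not part of the original issue or of Hoppscotch: it parses the AADSTS9002326 error body shown above, extracts the origin that Entra ID actually received, and classifies whether that origin was rewritten to a browser-extension origin (as in this report) or simply is not among the app registration's SPA origins. The list of registered SPA origins is an assumed input, and the sample error body is constructed from the one in the issue.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the AADSTS9002326 response shape reported in the issue,
# with placeholder trace/correlation ids.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": (
        "AADSTS9002326: Cross-origin token redemption is permitted only for the "
        "'Single-Page Application' client-type. Request origin: "
        "'chrome-extension://amknoiejhlmhancpahfcfcfhllgkpbld'. "
        "Trace ID: <Trace-UUID> Correlation ID: <Correlation-UUID> "
        "Timestamp: 2024-08-19 08:40:23Z"
    ),
    "error_codes": [9002326],
})

_CODE_RE = re.compile(r"^(AADSTS\d+):")
_ORIGIN_RE = re.compile(r"Request origin: '([^']*)'")


def parse_entra_error(body: str) -> dict:
    """Extract the AADSTS code and the origin Entra ID saw from a token-endpoint error body."""
    data = json.loads(body)
    desc = data.get("error_description", "")
    code = _CODE_RE.match(desc)
    origin = _ORIGIN_RE.search(desc)
    return {
        "error": data.get("error"),
        "code": code.group(1) if code else None,
        "seen_origin": origin.group(1) if origin else None,
    }


def diagnose_origin(seen_origin, registered_spa_origins):
    """Classify the cross-origin redemption failure.

    registered_spa_origins is a hypothetical input: the SPA redirect origins
    configured in the app registration.
    """
    if seen_origin is None:
        return "no-origin"
    scheme = urlsplit(seen_origin).scheme
    if scheme in ("chrome-extension", "moz-extension"):
        # The proxy/extension replaced the caller's Origin with its own.
        return "origin-rewritten-by-extension"
    if seen_origin in registered_spa_origins:
        # Origin is registered; the app's client type is the remaining suspect.
        return "origin-registered-check-client-type"
    return "origin-not-registered"
```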


@MightyGoldenJA commented on GitHub (Sep 10, 2024):

We can also reproduce it using the plugin with a self-hosted deployment when trying to access https://login.microsoftonline.com/<ID>/oauth2/v2.0/token.
