
Consuming Azure Hosted Web API from SharePoint Online using JavaScript and Office 365 identities

This blog post was moved to https://stephaneeyskens.wordpress.com/2015/05/18/consuming-azure-hosted-...


Sample code

Dear SharePoint developers, could someone please provide *working* sample sources?

This looks great but is still not working for me.

Sample scenario I'm trying to achieve :

Sharepoint-hosted app page -> js call web api service hosted on azure with Active directory auth enabled -> retrieve current SP user's ClientContext.

I'm stuck with SP.RequestExecutor as this proxy is not passing auth cookies,
and the solution described here simply does not work for some reason:
context.Request.Headers[ORIGINHEADER] is always null and optionsmethod is never called.

Thanks in advance!
Regards, Volodymyr Fedyk

Doesn't work in Edge

Managed to implement exactly as it's described in the article.
Added a few extras:

$.ajax({
    type: "GET",
    crossDomain: true,
    url: serviceUrl,
    // Send cookies with the cross-domain request
    xhrFields: {
        'withCredentials': true
    },
    data: {
        SPHostUrl: _spPageContextInfo.siteAbsoluteUrl,
        SPLanguage: 'en-US',
        SPClientTag: '0',
        SPProductNumber: '16.0.4907.1219',
        SPHostTitle: 'Title'
    }
});


For some reason, if I don't add the SPLanguage, Productnumber, etc., it won't work at all.
So I got this working for IE, Chrome and FF but NOT Edge.
Tried so many approaches and 0 results for Edge.
Any suggestions?

Some different results, especially with IE

Hi Stephane,

I've implemented the solution you describe in your article, and I'd like to share my results:

With Chrome and Firefox it works,
but I have to say that in my tests it also works fine without the 'iframe trick', and it behaves the same for POST requests.

With IE (11) the CORS doesn't go through, normally with error SEC7127 or SEC7216.

Results from Fiddler (still about IE):
I can see the iframe request gets a 302 to the authorization endpoint, which can end up in a successful id_token back, but that's anyway not valid for my Web API, which redirects again to the authorization endpoint, and so on in a loop.

Adjusting the preflight request with your HttpModule, it does indeed go through; but a GET call to my API endpoint, due to the missing authentication cookie, then ends up in a 302 to the login page, which gets blocked.
Also in this case I see the OAuth flow is initiated for OpenID (id_token).

My Web site is secured as shown in your article with Azure AD, and there's no other configuration about authentication in the Startup class or such.
If I try the flow and accessing my API endpoint straight with my browser, it works as expected.

Do you have some particular security settings, or a security zone, that your sites are in?
In my case sites are in the Internet zone of IE, and I used for all three browsers always InPrivate / incognito navigation mode for these tests.

Also, did you really experience the need for the hidden iframe? As reported, for me Chrome and Firefox also work without the iframe.

Great article ;)


IFRAME & browsers

Hi Massimo,

For me, if I recall correctly, the hidden iframe is only necessary with IE. With IE11 everything works fine too but indeed, the domains are in the trusted zone which has of course an impact on how IE behaves. Without the hidden iframe trick, I keep getting 302 requests for my AJAX queries until I manually open a tab against the remote web site but that's of course not acceptable. That's why I thought of an iframe to force the browser to connect to the remote web transparently.

Best Regards


Hi Stephane,

I thought so :) Having sites in a trusted zone, or with settings that allow cookies to be shared across domains, makes it work in IE.

Unfortunately I can't control or assume any browser settings for my users, so for this reason your solution is not an option.

At least we've shared some experience, figured out some details, and verified that our results match. I think this is important.

I'll soon describe in an article the solution I've built for this problem.

Happy coding

Trusted zones

Hi Massimo,

It all depends on your scenario. In my scenario, the enterprise has IE as the official browser and zones are configured automatically through GPOs, so the enterprise controls which URLs to configure in the zone they want.

If you're purely web facing, that can be an issue indeed.

Best Regards

Not able to get cookies

Guys, I did exactly as mentioned in the post but somehow my iframe is always generating an error like HTTPS security compromised. Also it's not able to get the cookie. I am using IE11 and Chrome to test. Is there something I am missing?
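
As an added example (not code from the original article or from any commenter), the following JavaScript models the checks a browser applies to a cross-origin request sent with withCredentials, so an exchange captured in Fiddler can be compared against the failure modes reported in the comments above: a preflight or API call answered with a 302, a missing or wildcard Access-Control-Allow-Origin, or a missing Access-Control-Allow-Credentials. The function names, the shape of the input object and the example hosts are assumptions made for illustration.

```javascript
// Added example: models the browser's CORS checks for a credentialed XHR.
const SAFELISTED = ["GET", "HEAD", "POST"];

// Header names are case-insensitive.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

function checkHeaders(origin, headers, label) {
  const out = [];
  const allow = header(headers, "Access-Control-Allow-Origin");
  if (allow === null) out.push(`${label}: no Access-Control-Allow-Origin`);
  else if (allow === "*") out.push(`${label}: wildcard origin rejected with credentials`);
  else if (allow !== origin) out.push(`${label}: origin mismatch (${allow})`);
  if (header(headers, "Access-Control-Allow-Credentials") !== "true")
    out.push(`${label}: Access-Control-Allow-Credentials is not "true"`);
  return out;
}

function diagnoseCors({ origin, method, preflight, response }) {
  const out = [];
  if (preflight) {
    // The OPTIONS preflight carries no cookies and must be answered with 2xx.
    if (preflight.status < 200 || preflight.status > 299)
      out.push(`preflight: status ${preflight.status} is not 2xx`);
    out.push(...checkHeaders(origin, preflight.headers, "preflight"));
    const methods = (header(preflight.headers, "Access-Control-Allow-Methods") || "")
      .split(",").map(m => m.trim().toUpperCase());
    if (!SAFELISTED.includes(method) && !methods.includes(method))
      out.push(`preflight: ${method} not in Access-Control-Allow-Methods`);
  }
  // A 3xx here usually means the auth cookie was not sent with the request.
  if (response.status >= 300 && response.status < 400)
    out.push(`response: ${response.status} redirect, likely to sign-in`);
  out.push(...checkHeaders(origin, response.headers, "response"));
  return out;
}

// Constructed sample: GET answered by a 302 to a sign-in page (hypothetical hosts).
const sample = {
  origin: "https://tenant.sharepoint.example", method: "GET", preflight: null,
  response: { status: 302, headers: { Location: "https://login.example/authorize" } },
};
console.log(diagnoseCors(sample));
```

An empty array means the exchange passes the modelled checks; each string names the stage (preflight or response) and the header or status that would make the browser block the call.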