OAuth Implicit Flow Support?

I’m trying to go through an OAuth implicit flow to get an access token from Azure AAD. When I redirect to login.microsoftonline.com I get the following error.

403 Forbidden, domain or scheme is not allowed: login.microsoftonline.com

I have added login.microsoftonline.com to my “Domain allow list”, but that doesn’t appear to do anything. Is there a way around this? Do I have to re-initialize the app somehow so the domain allow list takes hold? It’s unclear from the error where the problem is coming from or how to fix it.

Zoom Apps are (by far) the hardest of the main meeting providers to implement due to your OWASP requirements. Having to whitelist everything is a massive headache and prone to error/omission.

Hi @dmyers, thanks for the feedback. I’m sorry to hear this is difficult. We’re discussing this use case across a few teams and are not sure we directly intend to support it. Because we commonly see third-party OAuth providers block authorization requests from our embedded browser, we suggest handling these token requests outside of the client.

To answer your questions, you shouldn’t need to re-initialize/regenerate anything after adding/changing allowed domains to that list. The development client ID should update immediately when saved (automatically).

We hear you that the granularity here is onerous and are working to make this smoother where we can given requirements.