Commit bc2ee31

waldekmastykarz authored and VesaJuvonen committed
Added notes regarding CORS configuration for APIs hosted on Azure (SharePoint#1783)
* Added notes regarding CORS configuration for APIs hosted on Azure
* Updated title of the article on using the AadHttpClient
1 parent f0ae262 commit bc2ee31

3 files changed: +7 -1 lines changed

docs/spfx/use-aadhttpclient-enterpriseapi.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -183,6 +183,9 @@ On the Azure AD application blade, copy the value of the **Application ID** prop
183183

184184
The Function App will be called from JavaScript running on a SharePoint page. Because the API is hosted on a different ___domain than the SharePoint portal, cross-___domain security constraints will apply to the API call. By default, APIs implemented using Azure Function Apps cannot be called from other domains. You can change this by adjusting the Function App's CORS settings.
185185

186+
> [!IMPORTANT]
187+
> If you're authenticating with the API using the SharePoint Online cookie instead of OAuth, you cannot configure CORS settings through the Azure Portal. For the authentication to work, you have to clear all CORS settings in the Azure Portal and specify them in your API instead.
188+
186189
In the Function App, switch to the **Platform features** tab.
187190

188191
From the **API** group, select the **CORS** link:
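
Review bot: the added [!IMPORTANT] note tells the reader to clear the portal CORS settings and "specify them in your API instead", but it does not say what the API then has to send. Because the cookie scenario depends on credentialed cross-origin requests, consider naming the headers the API must return itself: Access-Control-Allow-Credentials together with an explicit Access-Control-Allow-Origin for the SharePoint origin, since browsers reject a wildcard origin on credentialed requests. Alternatively, link to connect-to-api-secured-with-aad.md, where the reason is explained. It would also help to state that the portal steps following the note still apply to the OAuth case, so readers of this tutorial do not stop here.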

docs/spfx/web-parts/guidance/connect-to-api-secured-with-aad.md

Lines changed: 3 additions & 0 deletions
@@ -324,6 +324,9 @@ Following is how you would use Azure Functions to create an API secured with Azu
324324

325325
Azure Functions are hosted in Azure App Service, which allows you to configure its Cross-Origin Resource Sharing (CORS) settings through the Azure Portal. While this is convenient, if configured through the portal, it cannot be used in combination with the **Access-Control-Allow-Credentials** header, which is required by the API to accept authentication cookies coming from another origin. For the client-side authentication to work correctly, CORS settings of the Azure App Service must be cleared.
326326

327+
> [!IMPORTANT]
328+
> If you're authenticating with the API using the SharePoint Online cookie you have to clear all CORS settings or the authentication process will fail. If you're however authenticating using OAuth, you can use the Azure Portal, to configure CORS settings for your API.
329+
327330
1. In the Function App, select your Azure Function, and navigate to the **Platform features** blade.
328331

329332
![The Platform features link highlighted in the Azure Function settings](../../../images/api-aad-platform-features.png)
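
Review bot: the added note at new lines 327-329 repeats what the context paragraph directly above it already says (portal CORS settings must be cleared for cookie authentication), and unlike the note added to use-aadhttpclient-enterpriseapi.md it does not say where the CORS settings go once they are cleared. Suggest keeping the two notes consistent by adding "and specify them in your API instead". The second sentence also reads awkwardly; consider "If you're authenticating using OAuth, however, you can use the Azure Portal to configure CORS settings for your API." and add a comma after "cookie" in the first sentence.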

docs/toc.yml

Lines changed: 1 addition & 1 deletion
@@ -129,7 +129,7 @@
129129
href: spfx/web-parts/guidance/connect-to-api-secured-with-aad.md
130130
- name: Call the Microsoft Graph API using OAuth
131131
href: spfx/web-parts/guidance/call-microsoft-graph-from-your-web-part.md
132-
- name: Connect to Azure AD-secured APIs
132+
- name: Connect to APIs secured with Azure AD using the AadHttpClient
133133
href: spfx/use-aadhttpclient.md
134134
items:
135135
- name: Consume enterprise APIs (tutorial)
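
Review bot: the renamed entry at new line 132 changes only the TOC label, while the commit message says the article title was updated and spfx/use-aadhttpclient.md is not among the three changed files. Please confirm that the article's own title already matches "Connect to APIs secured with Azure AD using the AadHttpClient", or include that change here, so the navigation label and the page heading do not diverge.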
