Publisher Domain verification: non-standard content-type header is a problem for Node Express and other modern servers

  • Question

  • I had previously posted about having trouble getting my domain verified for my app (to allow for OAuth without the "Unverified" stamp). Since then, the docs have been updated to explain that the content-type for the `microsoft-identity-association.json` file must *exactly* match "application/json" and that it cannot match "application/json; charset=utf-8". 

    However, modern servers (like those built on Node Express) often don't even allow the use of the application/json header without the appended charset, because browsers have begun to require it for security purposes and they don't want to give programmers the option of bypassing a security feature.

    So that means that I, and presumably many others, *cannot* satisfy the non-standard exact-match requirement without rather extensive workarounds, despite that requirement not making any sense by today's security standards.

    Now I'm off to find a workaround, but I hope that Microsoft fixes this for future devs.

    Wednesday, September 25, 2019 3:54 PM

All replies

  • For anyone using a Node server, a workaround is to use the res.writeHead() and res.write() functions instead of the higher-level ones. For example:

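    const fs = require('fs-extra');
    const sendJsonWithoutCharset = async (req, res) => {
        const file = await fs.readFile('microsoft.json');
        res.writeHead(200, {'Content-Type': 'application/json'}); // sent exactly as given, no charset appended
        res.write(file);
        res.end();
    };
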
    Wednesday, September 25, 2019 4:06 PM
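
A way to confirm the header before requesting verification, as an added example that is not part of the original thread: it serves a body with the exact `application/json` value and with the `; charset=utf-8` variant the question describes, then checks what was actually sent. All function names here are hypothetical, and only Node's built-in `http`/`https` modules are assumed.

```javascript
// Added example, not code from the thread. Node built-ins only.
const http = require('http');
const https = require('https');

const REQUIRED = 'application/json'; // exact value the docs demand, per the question

// Strict comparison: any parameter such as "; charset=utf-8" fails.
function isExactJsonContentType(value) {
  return value === REQUIRED;
}

// Handler using the low-level writeHead(), as the reply suggests.
function exactHandler(body) {
  return (req, res) => {
    res.writeHead(200, { 'Content-Type': REQUIRED });
    res.end(body);
  };
}

// Handler reproducing the header the question says is rejected.
function charsetHandler(body) {
  return (req, res) => {
    res.writeHead(200, { 'Content-Type': REQUIRED + '; charset=utf-8' });
    res.end(body);
  };
}

// Fetch a URL and report the Content-Type the server actually sent.
function checkContentType(url) {
  const lib = url.startsWith('https:') ? https : http;
  return new Promise((resolve, reject) => {
    lib.get(url, { agent: false }, (resp) => {
      resp.resume(); // body is not needed for the header check
      const value = resp.headers['content-type'];
      resolve({ status: resp.statusCode, value, ok: isExactJsonContentType(value) });
    }).on('error', reject);
  });
}

// Run one handler on an ephemeral loopback port and check it.
function probeHandler(handler) {
  const server = http.createServer(handler);
  return new Promise((resolve, reject) => {
    server.listen(0, '127.0.0.1', () => {
      checkContentType(`http://127.0.0.1:${server.address().port}/`)
        .then(resolve, reject)
        .finally(() => server.close());
    });
  });
}
```

`checkContentType` can also be pointed at the deployed file's URL; the result's `ok` field is true only when the header is exactly `application/json`.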
  • Hi Adam,

    Thanks for sharing your solution! Were you able to get everything working as expected?

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, September 25, 2019 11:29 PM