Some months ago, I came across an unexpected rare issue when dealing with AJAX calls in a MVC Web App that was making use of OpenID Connect (OIDC) protocol to provide authentication on Azure Active Directory (Azure AD). This MVC Web App was set up to call several Web APIs protected by Azure AD authentication too.

You can find more information about this basic scenario made up of a Web App connecting to a Web API here. More in detail, Web APIs were employed in a simple straightforward way as if they were microservices, but this specific point is only for further information, not related to the main issue.