SPFx in Teams Desktop app returns 403 Unable to retrieve Client Secret

[rvhelden]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

SharePoint REST API

Developer environment

Windows

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• SPFX 1.13.1

The teams tab loads the iframe to the sharepoint online environment with the following url
_layouts/15/TeamsLogon.aspx?SPFX=true&dest=https://.sharepoint.com/_layouts/15/teamshostedapp.aspx%3Fteams%26personal%26componentId=%26forceLocale=en-us

Describe the bug / error

When executing a graph call in spfx in this specific sharepoint tenant via the teams desktop app, this will fail with a call to /sites/Branding-home/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%27<principal_id of SPO EC>%27

It receives a 403 status with the following body

{
   "odata.error":{
      "code":"-2147024891, System.UnauthorizedAccessException",
      "message":{
         "lang":"nl-NL",
         "value":"Unable to retrieve Client Secret"
      }
   }
}

Steps to reproduce

1. Open Teams app
2. Navigate to tab pointing to sharepoint online environment
3. All calls to graph fail

Expected behavior

To authenticate correctly

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[GrahamMcMynn]

Hi @rvhelden - Sorry that you are running into this problem. Did you create this app yourself or did you use sync to teams and have it create automatically? If you created it manually please ensure that you have followed the instructions at https://docs.microsoft.com/en-us/sharepoint/dev/spfx/deployment-spfx-teams-solutions and specifically ensured that you left https://{teamSiteDomain} in the app as per this:

If that is already the case could you please send me a trace of what is happening, or at least a time and tenant name so I can investigate your issue? Please feel free to send these to grahamc at microsoft.com if you don't want to post it directly on github.

Thanks!

[rvhelden]

Hi @GrahamMcMynn,

Thanks for your quick response.

We have our own appId in then 'webApplicationInfo' section for sending teams activity feed messages from our backend as described in https://docs.microsoft.com/en-us/graph/teams-send-activityfeednotifications

which rights would be granted with the sharepoint appId? and on what would it be granted? maybe I could manually correct this with the tenant.

The weird thing is, this is working for many other customers we serve, so my guess is that this specific customer has somehting configured weirdly to act this way, but could not find anything that would cause this symptom.

I have sent an email with a fiddler trace from teams.

[GrahamMcMynn]

Hi @rvhelden - the reason this works in "many other customers" is that we have fallback logic in place. We try to log in using a token from teams (this is highly reliable, but has to be setup right by having your resource be https://{teamSiteDomain}). If logging in using that token fails we try to authenticate with a value stored in SharePoint. This will fail for any number of the following reaons:

• user has never logged into SharePoint (we obviously didn't store anything)
• conditional access is turned on
• user password has changed
• token stored in SharePoint has expired

Since there are all these cases that fail the experience is quite flakey. That is the reason you want your app setup correctly with the correct resource.

All that being said, I understand you are trying to use the activity feed. I'm not knowledgeable about that area, but I am going to speak with some folks who are and get back to you.

Thanks!

[rvhelden]

Thank you @GrahamMcMynn for the effort. i'm indeed very curious how those 2 features are supposed to work togather.

[rvhelden]

Hi @GrahamMcMynn do you have any news from the other team how this should work togather?