SPFx in Teams Desktop app returns 403 Unable to retrieve Client Secret #7780
Comments
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
Hi @rvhelden - Sorry that you are running into this problem. Did you create this app yourself or did you use sync to teams and have it create automatically? If you created it manually please ensure that you have followed the instructions at https://docs.microsoft.com/en-us/sharepoint/dev/spfx/deployment-spfx-teams-solutions and specifically ensured that you left https://{teamSiteDomain} in the app as per this: If that is already the case could you please send me a trace of what is happening, or at least a time and tenant name so I can investigate your issue? Please feel free to send these to grahamc at microsoft.com if you don't want to post it directly on github. Thanks!
Hi @GrahamMcMynn, Thanks for your quick response. We have our own appId in the 'webApplicationInfo' section for sending Teams activity feed messages from our backend as described in https://docs.microsoft.com/en-us/graph/teams-send-activityfeednotifications. Which rights would be granted with the SharePoint appId, and on what would they be granted? Maybe I could manually correct this with the tenant. The weird thing is, this is working for many other customers we serve, so my guess is that this specific customer has something configured weirdly to act this way, but I could not find anything that would cause this symptom. I have sent an email with a Fiddler trace from Teams.
Hi @rvhelden - the reason this works in "many other customers" is that we have fallback logic in place. We try to log in using a token from Teams (this is highly reliable, but has to be set up right by having your resource be https://{teamSiteDomain}). If logging in using that token fails we try to authenticate with a value stored in SharePoint. This will fail for any number of the following reasons:
Since there are all these cases that fail the experience is quite flakey. That is the reason you want your app setup correctly with the correct resource. All that being said, I understand you are trying to use the activity feed. I'm not knowledgeable about that area, but I am going to speak with some folks who are and get back to you. Thanks!
Thank you @GrahamMcMynn for the effort. I'm indeed very curious how those 2 features are supposed to work together.
Hi @GrahamMcMynn do you have any news from the other team how this should work together?
Hi @rvhelden - thanks for pinging, I don't have an answer yet, but I am looking into it.
Hi @rvhelden - what is the payload you are using for the notification API? We don't support generic URLs. We support 2 options for target URL -
@GrahamMcMynn So we use option 2: Custom url which needs to be Teams deeplink

```json
{
  "topic": {
    "source": "entityUrl",
    "value": "https://graph.microsoft.com/v1.0/users/{userId}/teamwork/installedApps/{userAppId}",
    "webUrl": "https://teams.microsoft.com/l/entity/{teamsAppId}/{entityId}?context=%7B%22subEntityId%22%3A%20%22https%3A%2F%2Ftenant.sharepoint.com%2Fsites%2Fhome%22%7D"
  },
  "activityType": "myWorkplaceNewsAdded",
  "previewText": {
    "content": "my message content"
  },
  "recipient": {
    "@odata.type": "microsoft.graph.aadUserNotificationRecipient",
    "userId": "{userId}"
  },
  "templateParameters": [
    {
      "newsMessageTitle": "my title"
    }
  ]
}
```

And these are the important bits of our manifest

```json
{
  "$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.9/MicrosoftTeams.schema.json",
  "staticTabs": [
    {
      "entityId": "500001",
      "name": "Home",
      "contentUrl": "https://{teamSiteDomain}/_layouts/15/TeamsLogon.aspx?SPFX=true&dest=https://{teamSiteDomain}/_layouts/15/teamshostedapp.aspx%3Fteams%26personal%26componentId=<Our SPFx ComponentID>%26forceLocale={locale}",
      "scopes": [
        "personal"
      ]
    }
  ],
  "permissions": [
    "identity",
    "messageTeamMembers"
  ],
  "webApplicationInfo": {
    "id": "----- Our custom app reg ---------",
    "resource": "https://{teamSiteDomain}"
  },
  "activities": {
    "activityTypes": [
      {
        "type": "myWorkplaceNewsAdded",
        "description": "News Added Activity",
        "templateText": "{newsMessageTitle}"
      }
    ]
  }
}
```
@GrahamMcMynn Do you have any news from your side?
@rvhelden - sorry for the slow response here. After following up with the activity folks they didn't seem to think there was an incompatibility. Would it be possible to send me a trace of your app failing? If so please send it to grahamc @ microsoft.com. However, I will be out of office next week. Could you also verify one other thing. If you run with the id unchanged from "00000003-0000-0ff1-ce00-000000000000" does the graph call succeed? If it does, what exactly fails in the notification api?
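A manifest check for the two `webApplicationInfo` settings the maintainer asks about in this thread, as an added example that is not code from the thread or from SPFx. The function name, the finding format and the sample manifests are constructed, and the rule that `dest` stays on the logon page's origin is an assumption drawn from the manifest posted above.

```javascript
// Added example: lint the auth-related fields of a Teams manifest that hosts an SPFx tab.
const SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000"; // id quoted in the thread
const EXPECTED_RESOURCE = "https://{teamSiteDomain}";      // resource named in the thread
function checkSpfxTeamsManifest(manifest) {
  const findings = [];
  const add = (level, field, msg) => findings.push({ level, field, msg });
  const info = manifest.webApplicationInfo;
  if (!info) {
    add("error", "webApplicationInfo", "missing; the Teams token path needs id and resource");
  } else {
    if (info.resource !== EXPECTED_RESOURCE) {
      add("error", "webApplicationInfo.resource", `expected ${EXPECTED_RESOURCE}, got ${info.resource}`);
    }
    if (String(info.id).toLowerCase() !== SPO_APP_ID) {
      add("warn", "webApplicationInfo.id", "custom app id; retest with the SharePoint id unchanged");
    }
  }
  for (const tab of manifest.staticTabs || []) {
    const field = `staticTabs[${tab.entityId}].contentUrl`;
    const m = /^(https:\/\/[^\/?#]+)\/_layouts\/15\/TeamsLogon\.aspx\?(.*)$/i.exec(tab.contentUrl || "");
    if (!m) {
      add("warn", field, "does not go through /_layouts/15/TeamsLogon.aspx");
      continue;
    }
    const query = new URLSearchParams(m[2]);
    if (query.get("SPFX") !== "true") add("warn", field, "SPFX=true is not set");
    // Assumption: dest stays on the origin that served TeamsLogon.aspx, as in the thread's manifest.
    if (!(query.get("dest") || "").startsWith(m[1] + "/")) {
      add("error", field, "dest is missing or points at a different origin than the logon page");
    }
  }
  return findings;
}

// Constructed samples: the thread's manifest shape with a made-up custom app id, then variants.
const threadLike = {
  staticTabs: [{
    entityId: "500001",
    contentUrl: "https://{teamSiteDomain}/_layouts/15/TeamsLogon.aspx?SPFX=true&dest=" +
      "https://{teamSiteDomain}/_layouts/15/teamshostedapp.aspx%3Fteams%26personal",
  }],
  webApplicationInfo: { id: "11111111-2222-3333-4444-555555555555", resource: EXPECTED_RESOURCE },
};
const unchangedId = { ...threadLike, webApplicationInfo: { id: SPO_APP_ID, resource: EXPECTED_RESOURCE } };
const wrongResource = { ...threadLike, webApplicationInfo: { id: SPO_APP_ID, resource: "https://graph.microsoft.com" } };

for (const [name, sample] of Object.entries({ threadLike, unchangedId, wrongResource })) {
  console.log(name, checkSpfxTeamsManifest(sample));
}
```
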
@GrahamMcMynn On March 7 I have sent you a Fiddler trace, that one has captured exactly the app failing and is still valid. I will try to send a notification when leaving the SharePoint clientId intact and will report back.
@GrahamMcMynn any news about this issue? I have the same only on Teams desktop client. Works fine in Teams web client.
@rvhelden @sosandumsft - sorry for the long delay.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within the next 7 days of this comment. Please see our wiki for more information: Issue List Labels: Needs Author Feedback & Issue List: No response from the original issue author
Closing issue due to no response from the original author. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: No response from the original issue author
Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
SharePoint REST API
Developer environment
Windows
What browser(s) / client(s) have you tested
Additional environment details
The teams tab loads the iframe to the sharepoint online environment with the following url
_layouts/15/TeamsLogon.aspx?SPFX=true&dest=https://.sharepoint.com/_layouts/15/teamshostedapp.aspx%3Fteams%26personal%26componentId=%26forceLocale=en-us
Describe the bug / error
When executing a graph call in spfx in this specific sharepoint tenant via the teams desktop app, this will fail with a call to /sites/Branding-home/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%27<principal_id of SPO EC>%27
It receives a 403 status with the following body
Steps to reproduce
Expected behavior
To authenticate correctly