SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

SPFX using AadHttpClient to access AAD secured endpoint not working on Teams Tab #4013

Closed Ashish1662 closed 5 years ago

Ashish1662 commented 5 years ago

Category

We are using a SPFX client webpart using v1.8.1 and have successfully consumed an AAD protected endpoint. We have used AadHttpClient to take care of token acquisition which works pretty well in a SP web page.

However, when adding the WP as a Teams tab, it loads infinitely and does not show anything. Is this a known issue, or are we missing something? If it is known, what could be the possible workarounds?

Also the teams dev tools console is not showing any detailed information/error to debug or to start the RCA.

auth_spfx_teams_client

Thanks in advance.

msft-github-bot commented 5 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

andrewconnell commented 5 years ago

Are you seeing this in the Teams web client / native client?

If web, which browser?

Have you tried it using SPFx v1.8.2 as it contained a fix for the teamsContext... not sure if it's related or if something else was addressed in 1.8.2 that's related to this...

Ashish1662 commented 5 years ago

It works fine for the web browsers. The issue is when using teams native client (both desktop & mobile).

I have tried it with the latest version, i.e. 1.8.2, but the issue is with this version too.

beschick commented 5 years ago

It is reproducible. If you fetch an AAD protected endpoint (e.g. Az web app or Az function) in an SPfx web part (1.8.1 and 1.8.2) the authentication process with AadHttpClient ....

That means the idea, and the really cool thing, about using the same SPfx component in both the SPO world as well as the MS Teams world is actually not executable. I would also appreciate it if that issue made it into the approved backlog, as it has an impact on architectural designs for future solutions. Using unauthenticated endpoints delivering enterprise data is not an option, actually.

Someone else able to re-produce?

lucabandMSFT commented 5 years ago

hey @beschick , that is unfortunately by design for now. While we are releasing code to fix it you can use the following workaround to make it work on Teams rich client:

Note: you have to be Global Tenant Administrator to perform all the steps below

Step 1. Visit the "Manage Permissions" Page in SharePoint Tenant Admin
Step 2. Go to -> https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview
Step 3. Click on "SharePoint Online Client Extensibility" Web Application Principal
Step 4. Click Manifest on the left menu
Step 5. Copy the id from the oAuth2Permission array

"oauth2Permissions": [
    {
        "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
        "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
        "id": "2143704b-186b-4210-b555-d03aa61823cf",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
        "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
        "value": "user_impersonation"
    }
],

Step 6. Replace “preAuthorizedApplications” entry with the following json

"preAuthorizedApplications": [
    {
        "appId": "00000003-0000-0ff1-ce00-000000000000",
        "permissionIds": [
            "2143704b-186b-4210-b555-d03aa61823cf"
        ]
    }
],

Step 7. Hit Save.

We will provide official documentation on that workaround as well. Please let us know if that unblocks you.

andrewconnell commented 5 years ago

@lucabandMSFT will this same process work with the SharePoint Mobile app? Seems related to #4073

lucabandMSFT commented 5 years ago

@andrewconnell : you are 100% correct.

Ashish1662 commented 5 years ago

Hi @lucabandMSFT, we did try this workaround, but unfortunately it does not work. We know it takes a few hours to reflect the changes, but the results were the same when we checked the next morning.

The 'preAuthorizedApplications' was missing in the manifest hence we added it and replaced the 'permissionIds' with the correct value as mentioned in the post.

However, we were not sure what value should be specified for 'appId'. Should it be the id of the app having the endpoints or the SharePoint client extensibility app? We specified the SP client extensibility app id.

chjohan commented 5 years ago

Can confirm that the workaround didn't work for us either. We tested the workaround with the Sharepoint App though, and not the Teams client.

lucabandMSFT commented 5 years ago

hey @chjohan, if the application is working in the browser but not in the rich clients then it looks like you are hitting the issue discussed here #3923. Please try again at the end of this week and the issue should be resolved by then.

@Ashish1662, mind to share the manifest here?

Ashish1662 commented 5 years ago

Manifest

Highlighted the ids in red line what we replaced.

After making this change, we waited for around 20 hours and endpoints still don't work in teams client.

luismanez commented 5 years ago

Not sure if this is gonna help, but I hit the same issue 2-3 months ago, and it was because you needed to enable the Dev Preview setting in the Teams app. Apparently the aadHttpClient is still in preview (and that could be wrong as my experience was some 2-3 months ago). It is worth a try and is easy to test.

teams-dev-preview

Ashish1662 commented 5 years ago

@luismanez I checked but same result. It still throws error. Thanks for sharing your experience though.

lucabandMSFT commented 5 years ago

@Ashish1662, no: it should be the appID of the client extensibility app principal

msft-github-bot commented 5 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within the next 7 days of this comment. Thank you for your contributions to SharePoint Developer activities.

BigEaseGueldi commented 5 years ago

Commenting here as this shouldn't be closed automatically. This bug currently blocks some interesting scenarios...

andrewconnell commented 5 years ago

Correct... that was done automatically by a bot due to the presence of the Needs: Author Feedback label. Fixed...

lucabandMSFT commented 5 years ago

Well, but the issue is currently unactionable as there are no updates after my latest ask so.. what's the meaning of keeping this open at this point?

andrewconnell commented 5 years ago

Arg... you're right. My bad... added the label back, but the issue shouldn't get closed as it's an open issue that's being tracked.

BigEaseGueldi commented 5 years ago

Hi @lucabandMSFT! I guess that depends on how you use GitHub. Speaking just for me the procedure was:

And of course it depends on how you understand the status "closed". I was commenting because the bot told me the issue would be closed tomorrow because of inactivity. I somehow connected "closed" with "solved" - and well - it's not solved.

Some of our Azure Functions will do a certificate-secured call to the MS Graph. And they can do things like deleting users, creating tons of MS Teams, .... Having these functions exposed more or less unsecured is ... an open issue ;-)

lucabandMSFT commented 5 years ago

we do use issues in two ways:

  1. to track engagements, exchange ideas and discuss topics with members in this community
  2. as signals of issues that we (product group) need to work on.

my comment was specifically for #2 above. right now I've nothing actionable that is a bug or an issue in the framework. If there is, I would like to understand what the current issue is (and I realize there have been multiple conversations under this issue).

if there's not, it is totally fine to keep this issue open but it needs to be marked as "community handled" or something similar.

makes sense?

Ashish1662 commented 5 years ago

Hi @lucabandMSFT, using the appID of the client extensibility app principal also did not work. Could you suggest what we might be missing?

andrewconnell commented 5 years ago

@BigEaseGueldi I think the confusion is how you're interpreting closed. A closed issue, at least how it's used in this repo, is the issue is marked as resolved. While you may disagree that it's not solved, it's by design.

The OP reported what they thought was a bug, but as @lucabandMSFT mentioned in his comment, it's by design. He provided a workaround solution and said MSFT was looking to make this easier, but it's by design today. That effectively closes the issue.

andrewconnell commented 5 years ago

@Ashish1662 can you please provide the complete manifest of your app?

Ashish1662 commented 5 years ago

@andrewconnell please find the downloaded copy of "SharePoint Online Client Extensibility Web Application Principal" manifest.

{
    "id": "3127fdd7-e333-4010-b318-b043b2a53403",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": null,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "0ba98fce-f530-4e1d-b127-1c8ece275042",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2018-11-07T20:16:52Z",
    "groupMembershipClaims": null,
    "identifierUris": [
        "https://microsoft.spfx3rdparty.com"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "SharePoint Online Client Extensibility Web Application Principal",
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "id": "3ccc8f19-5756-40f9-bf47-64a5afb5ba7a",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
            "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "value": "user_impersonation"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": "====================",
            "endDate": "2069-05-03T12:58:49.9770288Z",
            "keyId": "8a3c15e3-d356-4920-af86-09eb55e8565b",
            "startDate": "2019-05-03T12:58:49.9770288Z",
            "value": null,
            "createdOn": null,
            "hint": null,
            "displayName": null
        }
    ],
    "preAuthorizedApplications": [
        {
            "appId": "0ba98fce-f530-4e1d-b127-1c8ece275042",
            "permissionIds": [
                "3ccc8f19-5756-40f9-bf47-64a5afb5ba7a"
            ]
        }
    ],
    "publisherDomain": null,
    "replyUrlsWithType": [
        {
            "url": "https://xxx.sharepoint.com/",
            "type": "Web"
        },
        {
            "url": "https://xxx.sharepoint.com/_forms/singlesignon.aspx",
            "type": "Web"
        },
        {
            "url": "https://xxx.sharepoint.com/_forms/singlesignon.aspx?redirect",
            "type": "Web"
        },
        {
            "url": "https://xxx.sharepoint.com/_forms/spfxsinglesignon.aspx",
            "type": "Web"
        },
        {
            "url": "https://xxx.sharepoint.com/_forms/spfxsinglesignon.aspx?redirect",
            "type": "Web"
        },
        {
            "url": "https://xxx-admin.sharepoint.com/_forms/spfxsinglesignon.aspx",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
}

andrewconnell commented 5 years ago

@Ashish1662 Nothing provided... please update your last post with the CONTENTS of the file (please don't attach to the issue).

lucabandMSFT commented 5 years ago

@lahuey , can you please have a quick look here? Manifest looks right.. I wonder if the cert is missing.

ghost commented 5 years ago

The app id in the PreAuthorization section is wrong. It should look like this ->

"preAuthorizedApplications": [
    {
        "appId": "00000003-0000-0ff1-ce00-000000000000",
        "permissionIds": [
            "3ccc8f19-5756-40f9-bf47-64a5afb5ba7a"
        ]
    }
],

Things should work within a minute of updating the manifest. This process will be automated within the next week or so.
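To make the fix above checkable, here is an added example (not code from the thread or from the SPFx project): it validates a downloaded "SharePoint Online Client Extensibility Web Application Principal" manifest for the `preAuthorizedApplications` entry the thread ends on, flags the mistake made earlier in the thread (preauthorizing the principal's own appId), and produces the corrected entry. The sample manifest is constructed from the values posted in this thread; the function names are mine.

```python
import json

# Well-known appId of SharePoint Online, the value the fix above requires.
SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"

# Constructed sample: the relevant parts of the manifest posted in the thread,
# with the principal's own appId (wrongly) preauthorized.
SAMPLE_MANIFEST = {
    "appId": "0ba98fce-f530-4e1d-b127-1c8ece275042",
    "oauth2Permissions": [
        {"id": "3ccc8f19-5756-40f9-bf47-64a5afb5ba7a",
         "isEnabled": True, "type": "User", "value": "user_impersonation"}
    ],
    "preAuthorizedApplications": [
        {"appId": "0ba98fce-f530-4e1d-b127-1c8ece275042",
         "permissionIds": ["3ccc8f19-5756-40f9-bf47-64a5afb5ba7a"]}
    ],
}


def user_impersonation_scope_id(manifest):
    """Return the id of the enabled user_impersonation scope, or None."""
    for scope in manifest.get("oauth2Permissions", []):
        if scope.get("value") == "user_impersonation" and scope.get("isEnabled"):
            return scope["id"]
    return None


def check_preauthorization(manifest):
    """Return findings; an empty list means the manifest matches the fix."""
    findings = []
    scope_id = user_impersonation_scope_id(manifest)
    if scope_id is None:
        return ["no enabled user_impersonation scope in oauth2Permissions"]
    entries = manifest.get("preAuthorizedApplications", [])
    spo = [e for e in entries if e.get("appId") == SHAREPOINT_ONLINE_APP_ID]
    if not spo:
        findings.append(f"no entry preauthorizing appId {SHAREPOINT_ONLINE_APP_ID}")
    elif scope_id not in spo[0].get("permissionIds", []):
        findings.append(f"SharePoint Online entry does not grant scope {scope_id}")
    if any(e.get("appId") == manifest.get("appId") for e in entries):
        findings.append("entry preauthorizes the principal's own appId (the thread's mistake)")
    return findings


def fix_preauthorization(manifest):
    """Return a copy whose preAuthorizedApplications is the single entry from the fix."""
    fixed = json.loads(json.dumps(manifest))  # deep copy; input stays untouched
    scope_id = user_impersonation_scope_id(fixed)
    if scope_id is None:
        raise ValueError("manifest has no enabled user_impersonation scope")
    fixed["preAuthorizedApplications"] = [
        {"appId": SHAREPOINT_ONLINE_APP_ID, "permissionIds": [scope_id]}
    ]
    return fixed
```

Run `check_preauthorization` on the manifest downloaded from the portal before and after editing; an empty result means the entry matches what the thread confirms as working.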

Ashish1662 commented 5 years ago

Hi All,

Changing the appId to "00000003-0000-0ff1-ce00-000000000000" works...

Thank you for your support !!

Closing the issue now :)

matsla commented 4 years ago

Hi @lucabandMSFT, Is this workaround to update preAuthorizedApplications section in manifest for "SharePoint Online Client Extensibility Web Application Principal" fully supported from MS?

We have done this workaround for some customers and it works without any issues, but when will this workaround be corrected?

msft-github-bot commented 4 years ago

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues