Closed MarksPoint closed 2 years ago
Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.
Hi @MarksPoint - Can you verify that the manifest you are using you have NOT modified the value here: "webApplicationInfo": { "id": "00000003-0000-0ff1-ce00-000000000000", "resource": "https://{teamSiteDomain}" }
ie you have left https://{teamSiteDomain} untouched and did NOT modify it to be the url of your tenant
That error is a known issue if you were to actually resolve that value in your app. Please confirm that you have not done this.
Hi @GrahamMcMynn , I confirm that I did NOT change that value in the manifest and left it UNTOUCHED. It's exactly as it was pasted here in my OP (and in the attached zip package as well). So, it says:
"webApplicationInfo": {
"id": "00000003-0000-0ff1-ce00-000000000000",
"resource": "https://{teamSiteDomain}"
}
Thanks for confirming that, I'll try to dig into this and figure out what is going wrong.
@MarksPoint - Would it be possible to send me a trace of the request failing? If that is possible could you send it to grahamc at microsoft.com?
@GrahamMcMynn , I've sent you two HAR-files. One recorded during a failed attempt, one during a successful attempt.
@MarksPoint - in your tab URL you added the query string ?app=portals. Why are you doing that? It is unsupported. It makes the code think you are our first party app. However, you are NOT running as our first party app and therefore the code fails to get tokens correctly. You must remove that query string.
@GrahamMcMynn - We've added this because from what we've understood, this is the way to make sure we get the SharePoint navigation working in Teams. If we remove ?app=portals, only the page itself is loaded but all navigation is hidden.
Is there another way to get the navigation working?
For your info: using the 1st party Viva Connections app isn't feasible for our clients, because the experience on mobile devices is so much different from what they see on the desktop: The 'native' Dashboard and News tabs are forced on mobile instead of the actual homepage (including our custom solution they expect).
@GrahamMcMynn - I would like to add to the discussion about whether this is supported or not that this exception also occurs in all the Viva Connections packages that were created with Microsoft's own PowerShell script: https://www.microsoft.com/en-us/download/confirmation.aspx?id=102888
And here a colleague of yours explains what's typical in these Teams packages that are created using the PowerShell script, including the fact that "?app=portals" is part of the content url: https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/the-home-site-app-for-microsoft-teams/bc-p/2258116/highlight/true#M5698
I can't stress enough how urgent this issue is for us (and possibly for other vendors as well) because customers who used this PowerShell script to generate their Home Site/Viva Connections Teams package this way, now see errors when they use the Teams desktop client with their SharePoint intranet together with any 3rd party web part trying to connect to an Azure AD secured API.
I'd like to add to this that, according to our logs, this exception occured first at March 4th. Before this, everything worked fine with these Teams packages.
@MarksPoint - we will be rolling out a fix for this that will make 3rd party authentication work even if you have the app=portals in the query string. It will unfortunately not be in production until approximately April 13th (that is due to our rollout cadence).
You are correct, this was a regression as we did not expect customers to be using app=portals in the query string (and I read the comment from somebody at msft suggesting that). We are making this change realizing customers are using app=portals and we will support that going forward.
@MarksPoint - Please let me know if this issue has been resolved for you.
Hi @GrahamMcMynn , we're still seeing this issue at the moment. Is the solution rolled out to all tenants already?
Below a chart of the number of times we logged the issue. (the amount is smaller after March 28th when we rolled out a new version of our solution with a change in how we handle this specific issue)
The last occurence was 1,5 hours ago around 8PM CET.
@GrahamMcMynn - Good news: We haven't seen the issue since that last one yesterday evening around 8PM! We'll keep monitoring the tenants of course, but it looks promising and today we're very happy (and so are our customers!). Thanks for your assistance in this. I'll close this issue tomorrow afternoon if it's still looking good.
@MarksPoint - thanks for following up!
Closing the issue as we no longer see it occur on our end!
Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues
Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Developer environment
macOS
What browser(s) / client(s) have you tested
Additional environment details
The issue occurs in the Teams Desktop application, Version 1.5.00.6270 on MacOS (but issue also seen on Windows 11 machine).
Describe the bug / error
We get the following error when we try to access the Graph API:
Error: "AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://`TENANT`.sharepoint.com' and the expected audience is '
APPID
' or one of the Application Uris of this application with App ID 'APPID
'(SharePoint Online Client Extensibility Web Application Principal). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace ID: ac9a997a-26ac-4319-8ea7-2ccf70f82900\r\nCorrelation ID: f4d0700d-c41d-49cd-aba4-3fac0d226a6b\r\nTimestamp: 2022-03-17 09:10:36Z"where
TENANT
is our tenant name andAPPID
is the Application (client) ID of the SharePoint Online Client Extensibility Web Application Principal app registration.It happens only in this specific situation:
SITEPATH
is the path to the homesite of our SharePoint tenant, in our case '/sites/develop'. (Note that we've got Viva Connections 'activated' and this is the designated homesite.Note that is doesn't give this error in the Teams mobile client (tested on iOS, version 4.4.0), nor does it give the error in the Teams website client (tested in Chrome). It only shows this behavior in the Teams Desktop client.
Steps to reproduce
Part 1: The SPFx solution with the web part
To make it reproducable, I've created a new SPFx solution, version 1.14, using the Yeoman generator.
Attached you'll find the packaged solution teams-authentication-issue.sppkg.zip as well as the SPFx solution source code.zip
You can also build a new solution yourself. The steps are simple:
Yeoman generator Use the Yeoman generator to make a new SPFx 1.14 solution, include a Web Part, no React is necessary for this
Install the pnp graph dependency npm install @pnp/graph@2
add required permission scope to package-solution.json
update the WebPart code (HelloWorldWebPart.ts in my case)
Part 2: Installing package & adding web part to page
Part 3: The Teams package
Either use attached TeamsPackage.zip or make one yourself using the following manifest.json:
Part 4: install the Teams package
You should be automatically navigated to the app. This is where it fails! It looks something like this:
If you switch to the Files tab and then back to the app, you'll see that it now works fine:
Note: Closing the Teams app and re-opening will trigger the error (once) again.
Using the browser, it works correctly all the time:![image](https://user-images.githubusercontent.com/16799069/158794669-8eafd79b-091f-4d2c-ab08-0c9d75f92e5b.png)
Also, using Teams mobile it works fine all the time:
Expected behavior
Obviously, we don't want to get the error. Instead, we want it to always work correctly in all scenarios.