SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

SPFx webparts not able to acquire token for Graph API in Teams app (Viva Connections) #9099

Closed Vighough closed 1 year ago

Vighough commented 1 year ago

What type of issue is this?

other

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

Additional environment details

Issue description

We have created a SharePoint intranet site and made it the root site. We then added the site to the Viva Connections integration in Teams, as an app. On this site we have a couple of custom webparts that we created. One of the webparts has been used in many intranet sites and hasn't had these problems so far. The problem also isn't occurring on SharePoint itself.

The problem is connecting to the Graph API: the token doesn't seem to be retrieved and thus the API requests are not even sent to the Graph API.

The error I'm getting:

Uncaught (in promise) Error: Token request previously failed
    at new t (chunk.aadTokenProvider_en-us_445a72773ba77a61be93.js:1:1514)
    at e._getTokenInternal (chunk.aadTokenProvider_en-us_445a72773ba77a61be93.js:1:3567)
    at e.getToken (chunk.aadTokenProvider_en-us_445a72773ba77a61be93.js:1:2372)
    at sp-pages-assembly_en-us_c3c628b67d521769ee27f473c0ed9543.js:76:647657

The request that might be the problem:

https://tenant.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%2775aff87b-45bf-41e7-84f3-552901a72ea0%27

Results in a 500 internal server error with the following message:

{ "odata.error": { "code": "-1, System.AggregateException", "message": { "lang": "en-US", "value": "One or more errors occurred." } } }

I found this issue #7884 (https://github.com/SharePoint/sp-dev-docs/issues/7884) which seems to be related to mine or at least gives the same error, but the resolution there doesn't apply here sadly. The manifest is already in the right format and with the correct data. I also cross-referenced the manifest with other, working tenants.

At this point I have no clue on what the cause of the issue is, could any of you help me with this problem?

ghost commented 1 year ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

heesungjang commented 1 year ago

Our team is facing the same issue that @Vighough encountered. Any assistance would be greatly appreciated.

lucabandMSFT commented 1 year ago

@Vighough , thanks for reaching out.

Can you please explain to me what this means? "We then added the site to the Viva Connections integration in Teams, as an app"?

Vighough commented 1 year ago

Hi @lucabandMSFT,

We are using the Viva Connections integration of the SharePoint intranet site. This allows organisations to have the SharePoint intranet site as an app in Teams, for better usability. You can try this integration by opening a SharePoint site in the Viva Connections app in Teams; see https://support.microsoft.com/en-us/office/access-and-use-the-viva-connections-app-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b

See: Set up Viva Connections in the Microsoft 365 admin center

lucabandMSFT commented 1 year ago

@Vighough, thanks. This is what confuses me.

Viva Connections (in the link you provided) does not support or even allow visualizing pages with Web Parts. The Viva Connections experience relies on a fixed page (dashboard) that can be extended with specific widgets called cards or Adaptive Card Extensions, which are a specific type of SPFx component.

So I'm wondering where you are seeing the error. Mind providing a description of the flow or a link to a video that shows the behavior, please?

thanks.

Vighough commented 1 year ago

Hi @lucabandMSFT,

You are right, and to clarify, we are not using that dashboard and those widgets (although it is available to the users, it's not our concern).

We are using the option to add the SharePoint home site to the Viva Connections app. See this specific chapter

I'm seeing this error inside the Viva Connections app, inside Teams, while opening the SharePoint home site or any other site in the Viva Connections app. I cannot share a video of the production environment sadly, but I'll be happy to show you the issue during a short call?

Also, here is a screenshot of how to reach a SharePoint site inside the Viva Connections app. Open any SharePoint site that has custom SPFx webparts that use the Graph API. It is worth mentioning that I cannot reproduce this on other tenants, as I'm not able to find the root cause, so this might work fine in your case. Nevertheless, this should give you some context.

image

Many thanks in advance

lucabandMSFT commented 1 year ago

thanks @Vighough,

One last question, would it be possible for you to provide a snippet of the SPFx custom code that fails when the page runs on Teams?

c-eiser13 commented 1 year ago

@lucabandMSFT I'm having the same issue. When clicking the link in the upper right of Viva Connections to go to the home site, I have an SPFx web part on the home site that calls MS Graph, and this web part generates an error attempting to get the token. Viva Connections appears to be an iframe, perhaps that is part of the token acquisition issue? Here is the error I see in the Teams desktop client dev tools:

image

Here is my code that is making the graph call:

image

If there is any further info I can provide to help troubleshoot, please let me know. Thanks!

Vighough commented 1 year ago

Hi @lucabandMSFT,

I have this problem with several custom-made webparts. To try to isolate the problem, I already tested with a minimal webpart and with this minimal implementation the issue is also occurring. I have made a repository of this webpart, so you can see the full code.

I have created a GraphService that is trying to retrieve the /me endpoint which console.logs the name if successful.

Vighough commented 1 year ago

For anyone else having this problem:

We are using this as a temporary fix: Add SharePoint site as a App to the Teams - Microsoft Community Hub

It has the same SharePoint intranet site integration effect as the Viva Connections app, just not the other features that Viva provides.

GrahamMcMynn commented 1 year ago

@Vighough - Would it be possible to send a network trace of the call to https://tenant.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken that is failing? If you are able to you can email it to my grahamc @ microsoft.com email account and mention this issue.

GrahamMcMynn commented 1 year ago

Thank you for sending me the trace. The reason that it is failing on this particular tenant is that the 3rd party SPFX application principal has a bad client secret stored. I am not aware of how you got into this state, however, this problem is easy to fix:

  1. Go to portal.azure.com as an AAD admin
  2. Click App Registrations
  3. Search for SharePoint Online Client Extensibility Web Application Principal
  4. Look at "Certificates & secrets" in the left hand nav
  5. Delete the only secret that exists
  6. Wait about 1 minute for the deletion to propagate
  7. Go to SharePoint Tenant Admin
  8. Expand Advanced in the left nav
  9. Click API Access
  10. Let the page load (just leave it open, this will ensure that your app registration is created)
  11. Go back to Certificates & Secrets in the Azure portal and confirm you have a new client secret

Hopefully that fixes your problems.

One thing I would like to understand is how your tenant got into this state. I have not seen an issue where this happens without customer interaction in the azure portal. By any chance were you making changes? Or did this just start happening? If we have a bug on our side that puts a tenancy into this state I would like to make sure we prevent it from affecting you or other customers in the future so any details here would greatly help.

Thanks!
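An added example, not part of the thread or of any participant's code: one way to confirm that steps 5 and 11 above actually replaced the stored secret. It assumes two snapshots of the app registration's `passwordCredentials` list (as Microsoft Graph exposes it on the application object), one taken before step 5 and one after step 11; the function name, report shape and sample key ids are hypothetical.

```typescript
// Added example, not code from the thread. Field names follow Microsoft Graph's
// passwordCredential resource; only metadata is compared, never secret values.
interface PasswordCredential {
  keyId: string;
  startDateTime: string; // ISO 8601
  endDateTime: string;   // ISO 8601
}

interface RotationReport {
  removed: string[];   // key ids deleted in step 5
  added: string[];     // key ids recreated after steps 7-10
  rotated: boolean;    // old secret gone and a currently valid new one exists
  findings: string[];  // reasons the rotation is incomplete or unexpected
}

// GUIDs are compared case-insensitively.
const ids = (creds: PasswordCredential[]): string[] =>
  creds.map((c) => c.keyId.toLowerCase());

function checkSecretRotation(
  before: PasswordCredential[],
  after: PasswordCredential[],
  now: Date
): RotationReport {
  const beforeIds = ids(before);
  const afterIds = ids(after);
  const removed = beforeIds.filter((id) => afterIds.indexOf(id) === -1);
  const kept = beforeIds.filter((id) => afterIds.indexOf(id) !== -1);
  const addedCreds = after.filter((c) => beforeIds.indexOf(c.keyId.toLowerCase()) === -1);
  // An unparsable date yields NaN, which fails both comparisons and counts as invalid.
  const valid = addedCreds.filter(
    (c) => Date.parse(c.startDateTime) <= now.getTime() && now.getTime() < Date.parse(c.endDateTime)
  );
  const findings: string[] = [];
  if (before.length !== 1) findings.push(`expected exactly one secret before step 5, found ${before.length}`);
  if (kept.length > 0) findings.push(`old secret still present (step 5 not done or not propagated): ${kept.join(", ")}`);
  if (after.length === 0) findings.push("no secret present: the API access page (step 10) has not recreated it");
  if (addedCreds.length > 0 && valid.length === 0) findings.push("new secret exists but is outside its validity window");
  return { removed, added: ids(addedCreds), rotated: kept.length === 0 && valid.length > 0, findings };
}

// Constructed sample snapshots (not real key ids or dates from the thread).
const SAMPLE_BEFORE: PasswordCredential[] = [
  { keyId: "11111111-1111-1111-1111-111111111111", startDateTime: "2019-03-01T00:00:00Z", endDateTime: "2099-12-31T00:00:00Z" },
];
const SAMPLE_AFTER: PasswordCredential[] = [
  { keyId: "22222222-2222-2222-2222-222222222222", startDateTime: "2024-01-10T09:00:00Z", endDateTime: "2026-01-10T09:00:00Z" },
];
const SAMPLE_REPORT = checkSecretRotation(SAMPLE_BEFORE, SAMPLE_AFTER, new Date("2024-01-10T12:00:00Z"));
```

The check only confirms that the secret was replaced; whether token acquisition works again still has to be verified by loading the web part.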

Vighough commented 1 year ago

Hi @GrahamMcMynn,

Thank you for the detailed steps. I've discussed this with the client and we're planning a session with an admin to try this out. I'll let you know if this has worked or not!

The tenant is an Education version and it's pretty old from what I've heard. They have had more problems that might be related to that. As far as I know, they haven't done anything with the app registration, apart from adding some permissions manually, because there is some sort of bug with the API access approval from SharePoint at this point. See my posts on these two forums about this:

MS Forum MS Feedback

heesungjang commented 1 year ago

Hi @Vighough,

Unfortunately, the solution recommended by GrahamMcMynn did not work for us. Did refreshing the app registration resolve the token issue for your client?

Vighough commented 1 year ago

Hi guys,

Yes it has worked for us! I wanted to verify with some colleagues first, but they have verified and it worked! The webparts are now loading correctly in the Viva Connections app

Many thanks @GrahamMcMynn !

ghost commented 1 year ago

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues