SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

AadTokenProvider getToken - reload/refresh Page in SPFX #9485

Open necik11 opened 5 months ago

necik11 commented 5 months ago

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

Additional environment details

Issue description

The problem is when I use this code:

import { AadTokenProvider } from '@microsoft/sp-http';
// Resource the token is requested for (Microsoft Graph)
const resource = 'https://graph.microsoft.com';
// getTokenProvider() and getToken() both return promises, so each must be awaited
const provider: AadTokenProvider = await this.context.aadTokenProviderFactory.getTokenProvider();
const token: string = await provider.getToken(resource);

using this library: @microsoft/sp-http, the page is fully reloaded.

I did try Microsoft Edge, Google Chrome, FireFox and Safari on iOS. Only Microsoft Edge works properly, all other browsers refresh/reload the page.

Full additional information is provided here: #2918

I will be happy for any advice or insight.

ghost commented 5 months ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

kbeeveer46 commented 5 months ago

https://github.com/SharePoint/sp-dev-docs/issues/9301

rastawarez commented 3 months ago

I have the same problem. I am using Chrome on Linux and the page is reloaded on the call

await provider.getToken(...

The provider object seems to be set up correctly.

RoelVB commented 3 months ago

This is a very annoying issue which also seems to affect SPFx applications loaded inside Teams in a worse way, because in Teams it doesn't refresh, it just fails. While @necik11 didn't observe the refreshes in Edge, we do have reports of this happening in Edge.

NOTE: The SharePoint and Teams issue might be unrelated, but we've seen them starting to appear around the same time

We mostly see this error appear in Teams: "AADSTS70043: The refresh token has expired or is invalid due to sign-in frequency checks by conditional access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}". In this case, deleting the cookie named SPOIDCRL fixes the issue. The issue only appears in Teams every once in a while. Unfortunately I didn't think about creating an export of the network requests when I dove into this.

Using DevTools in SharePoint we constantly see a request to https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token that fails. The request contains:

client_id: 08e18876-6177-487e-b8b5-cf950c1e598c
scope: 979b53b7-96d3-4754-bc75-fa1f7610270b/.default openid profile offline_access
grant_type: refresh_token
client_info: 1
x-client-SKU: msal.js.browser
x-client-VER: 3.7.1
x-ms-lib-capability: retry-after, h429
x-client-current-telemetry: 5|61,0,,,|,
x-client-last-telemetry: 5|1|61,8a2dbb5d-5bfc-4a1c-8801-db90dfe18232|consent_required|1,0
client-request-id: 1fbde3c0-e122-400e-baed-23227c5aa9d5
refresh_token: <snip>
X-AnchorMailbox: Oid:b6f8d36b-b48a-40cf-b90a-fde3127713f3@7dfa9a2c-778f-4a67-a93c-e58cd4bcf5d3

The response:

{
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '08e18876-6177-487e-b8b5-cf950c1e598c' named 'SharePoint Online Web Client Extensibility'. Send an interactive authorization request for this user and resource. Trace ID: 23e3fb1f-2242-4d73-a848-c8f16c8a1001 Correlation ID: 9273ee63-e79c-4fa3-be85-8ccd7e04be6b Timestamp: 2024-03-28 13:15:08Z",
    "error_codes": [
        65001
    ],
    "timestamp": "2024-03-28 13:15:08Z",
    "trace_id": "23e3fb1f-2242-4d73-a848-c8f16c8a1001",
    "correlation_id": "9273ee63-e79c-4fa3-be85-8ccd7e04be6b",
    "suberror": "consent_required"
}

This refresh redirects the browser to https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize?client_id=08e18876-6177-487e-b8b5-cf950c1e598c&scope=979b53b7-96d3-4754-bc75-fa1f7610270b%2F.default%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2F<tenantname>.sharepoint.com%2F_forms%2Fspfxsinglesignon.aspx&client-request-id=0c84d438-ecf1-451b-8e0a-9d8491d60dab&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=3.7.1&client_info=1&code_challenge=ewVk9a0-Us1JpkPhuSPImvdV89tL1vxeQbQ-AztMyUw&code_challenge_method=S256&nonce=e403d931-5675-4a85-8695-605609f6ed31&state=<snip>. The request body is very similar to the one mentioned above:

client_id: 08e18876-6177-487e-b8b5-cf950c1e598c
scope: 979b53b7-96d3-4754-bc75-fa1f7610270b/.default openid profile offline_access
redirect_uri: https://<tenantname>.sharepoint.com/_forms/spfxsinglesignon.aspx
client-request-id: 0c84d438-ecf1-451b-8e0a-9d8491d60dab
response_mode: fragment
response_type: code
x-client-SKU: msal.js.browser
x-client-VER: 3.7.1
client_info: 1
code_challenge: <snip>
code_challenge_method: S256
nonce: e403d931-5675-4a85-8695-605609f6ed31
state: <snip>

It doesn't ask for consent, it just immediately redirects us back to SharePoint, but in our case the exact same thing happens again. The request to /oauth2/v2.0/token is never successful!

Normally we could give consent for the application 08e18876-6177-487e-b8b5-cf950c1e598c/SharePoint Online Web Client Extensibility, but this is not something available in our Entra ID.

@VesaJuvonen If there's something I can do or check please let me know. I'd be happy to help.

RoelVB commented 2 months ago

This is an extremely annoying issue. I just did some debugging on Teams (new).

  1. It sends a request to https://tenant.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%275b4f4178-c479-4093-9bd4-5910567296ad%27&clientId=%2708e18876-6177-487e-b8b5-cf950c1e598c%27, which fails with HTTP 401 and the message "Exception of type 'Microsoft.SharePoint.Client.ClientServiceException' was thrown"
  2. We see a request to https://tenant.sharepoint.com/_api/SP.OAuth.NativeClient/Authenticate, which is successful and returns a cookie named SPOIDCRL
  3. Step 1 and 2 repeat 6 times (all with the same error)
  4. Then a request gets sent to https://tenant.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%275b4f4178-c479-4093-9bd4-5910567296ad%27 (notice the resource changed to graph.microsoft.com here). This fails with the message: "AADSTS50078: Presented multi-factor authentication has expired due to policies configured by your administrator, you must refresh your multi-factor authentication to access '5b4f4178-c479-4093-9bd4-5910567296ad'. Trace ID: ab0b6bce-bbe6-40c2-aaac-5267ea193f00 Correlation ID: 9d3f26a1-80da-8000-b8a6-2b9cc1ded328 Timestamp: 2024-05-07 06:45:42Z"

We've cleared all Teams cookies and even reinstalled it, unfortunately without any luck.

How can we get some help with this? M365 support has never been helpful once they realize your issue is related to "custom development".

RoelVB commented 2 months ago

I seem to have solved this issue. Tested this on 3 different tenants with multiple users.

The solution posted here solved our issue: https://www.eliostruyf.com/fix-admin-consent-sp-token-retrieval-flows-spfx/ (mentioned in #9636)

Copy of the solution mentioned on the site above:

The solution

The issue was that the SharePoint Online Client Extensibility Web Application Principal Entra app was missing the Authorized client applications for the SharePoint Online Web Client Extensibility app and Office 365 SharePoint Online.

To fix this issue, you need to add the following client IDs to the Authorized client applications of the SharePoint Online Client Extensibility Web Application Principal app:

  • 08e18876-6177-487e-b8b5-cf950c1e598c (SharePoint Online Web Client Extensibility)
  • 00000003-0000-0ff1-ce00-000000000000 (Office 365 SharePoint Online)
  • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Microsoft Teams)
  • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Microsoft Teams Web Client)

For us only 00000003-0000-0ff1-ce00-000000000000 was present in all tenants.
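As an added example (not from the thread or from the linked post), here is an admin-side check for the fix above: given the Entra application object of the SharePoint Online Client Extensibility Web Application Principal, it reports which of the four client IDs are not yet in its authorized client list and builds the body that would add them. It assumes the Microsoft Graph `application` resource shape (`api.preAuthorizedApplications[].appId` / `delegatedPermissionIds`, `api.oauth2PermissionScopes[].id`); the sample object is constructed, the object id is a placeholder, and no request is sent.

```python
"""Check the authorized client applications of the SPO Client Extensibility
Web Application Principal against the list from the fix (offline; sample data)."""
from typing import Dict, List

# Client (app) IDs the fix requires in "Authorized client applications".
REQUIRED_CLIENT_APPS: Dict[str, str] = {
    "08e18876-6177-487e-b8b5-cf950c1e598c": "SharePoint Online Web Client Extensibility",
    "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "5e3ce6c0-2b1f-4285-8d4b-75ee78787346": "Microsoft Teams Web Client",
}

# Constructed sample of a Graph application object (GET /applications/{id}?$select=id,api)
# in the broken state the thread describes: only the SPO client is authorized.
SAMPLE_APP = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder object id
    "api": {
        "oauth2PermissionScopes": [
            {"id": "11111111-1111-1111-1111-111111111111", "value": "user_impersonation"}
        ],
        "preAuthorizedApplications": [
            {"appId": "00000003-0000-0ff1-ce00-000000000000",
             "delegatedPermissionIds": ["11111111-1111-1111-1111-111111111111"]}
        ],
    },
}


def missing_client_apps(app: dict) -> List[str]:
    """Return the required client app IDs absent from api.preAuthorizedApplications."""
    entries = app.get("api", {}).get("preAuthorizedApplications", [])
    present = {e["appId"].lower() for e in entries}
    return [cid for cid in REQUIRED_CLIENT_APPS if cid not in present]


def build_patch(app: dict) -> dict:
    """Build the body for PATCH /applications/{id} that appends the missing clients.

    New entries get the delegated permission IDs already granted to the existing
    authorized clients (falling back to every exposed scope if there are none).
    The collection is replaced as a whole, so existing entries are kept.
    """
    api = app.get("api", {})
    existing = list(api.get("preAuthorizedApplications", []))
    granted = sorted({pid for e in existing for pid in e.get("delegatedPermissionIds", [])})
    if not granted:
        granted = [s["id"] for s in api.get("oauth2PermissionScopes", [])]
    new_entries = [{"appId": cid, "delegatedPermissionIds": granted}
                   for cid in missing_client_apps(app)]
    return {"api": {"preAuthorizedApplications": existing + new_entries}}
```

Run `missing_client_apps` first against each tenant; an empty list means the authorized client list already matches the fix and no PATCH is needed.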