search

SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International
1.23k stars 992 forks source link

403 (Unauthorized) response from AcquireOBOToken request in SPFx Teams Tab App #9493

Open pheidler opened 5 months ago

pheidler commented 5 months ago

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

Additional environment details

Describe the bug / error

A user is reporting that our SPFx Teams Tab app is failing to load with the following error:

GET https://[site]/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=[client_id] 403 (Forbidden)

They reported this issue is taking place in a private channel and in a browser. Public channels do not appear to be affected. We cannot recreate in our own environments, and other users have not reported this issue.

I've noticed similar issues being tracked in this repo, but they appear to be outdated and reportedly fixed.

Has there been any recent updates to this issue? Is there anything I should check with the user?

Thank you.

Steps to reproduce

Underlying code:

const client = await this.context.msGraphClientFactory.getClient("3");
const rootWebUrlResponse = await client
          .api(`groups/${groupId}/sites/root/weburl`)
          .version("v1.0")
          .get();

Expected behavior

Graph token is acquired without issue.

ghost commented 5 months ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

pheidler commented 5 months ago

@nick-pape Any update on this?

llazaroAyesa commented 4 months ago

Same error for me, with same SPFx code inside Teams Tab;

const clientGraph:MSGraphClientV3 = await this.context.msGraphClientFactory.getClient('3');
const meBlobPhoto = await clientGraph.api(`/users/xxxxx@xxxxx.com/photo/$value`).get();

First request seems to be ok, but second ends with error.

image

Kind Regards.

vegardei commented 4 months ago

We are also experiencing the same issue. SPFx app used in Teams Tab, getting 403 Forbidden when requesting OBO token for the SharePoint Web Application Principal app. Only happens in one out of three environments.

pheidler commented 4 months ago

@llazaroAyesa @vegardei I was able to resolve the issue using this workaround: https://github.com/SharePoint/sp-dev-docs/issues/9099#issuecomment-1701406090