SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

SPFx aadTokenProviderFactory bearer tokens no longer work with Azure APIM validate JWT policies #9601

Closed lsheltonSTO closed 3 months ago

lsheltonSTO commented 3 months ago

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

Additional environment details

Issue description

Basically, we have 5-6 SPFx web parts that use(d) successfully for well over a year the aadTokenProviderFactory command in SPFx to generate bearer tokens that then were validated via JWT policy in APIM. These all stopped working Feb 22nd. What I've gotten from the APIM team is that SharePoint switched to a proprietary Entra ID auth that APIM doesn't and isn't advised to support, so I'm just being told that a. my only solution is to just leave my web parts unauthenticated and b. this change wasn't communicated at all, per the APIM team. This is the code I've been using just fine for over a year:

```typescript
import { AadTokenProvider } from "@microsoft/sp-http";

// Inside an async method of the SPFx React component: acquire a bearer token
// for the SharePoint resource from the SPFx-provided Azure AD token provider.
const tokenProvider: AadTokenProvider | undefined =
  await this.props.context?.aadTokenProviderFactory?.getTokenProvider();
const token: string | undefined = await tokenProvider?.getToken(
  "https://stowersinstitute.sharepoint.com"
);
if (!token) {
  // Without this guard the request would go out with "bearer undefined".
  throw new Error("No bearer token acquired: SPFx context or token provider is missing");
}

// Fetch only the required items from the API
// Note: Access-Control-* are CORS response/preflight headers; the browser
// ignores them when set on an outgoing request, so they have no effect here.
const headers = {
  "Content-Type": "application/x-www-form-urlencoded",
  "Ocp-Apim-Trace": "true",
  "Access-Control-Allow-Origin": "https://stowersinstitute.sharepoint.com/",
  "Access-Control-Request-Method": "GET",
  Authorization: `bearer ${token}`,
};
```

We've been using a validate JWT policy in APIM, but ever since 2/22, we've been getting 401 Unauthorized errors when trying to hit it using those bearer tokens. Here are a few of the errors (screenshots of the 401 responses omitted here).

Note that I'm just a junior dev stumbling my way through this, so please keep that in mind when responding. Thanks in advance.

lsheltonSTO commented 3 months ago

Tom Daly is a genius and figured out a way to actually get it working, despite being told by both support and APIM that it was impossible and wouldn’t work anymore. I used the same SharePoint code but used this in APIM:

```xml
<validate-azure-ad-token tenant-id="{tenant-id-guid}" header-name="Authorization">
    <client-application-ids>
        <application-id>{explain-how-I-got-this-below}</application-id>
    </client-application-ids>
    <audiences>
        <audience>https://stowersinstitute.sharepoint.com</audience>
    </audiences>
</validate-azure-ad-token>
```

To get the application ID, I had to put one of the bearer tokens into jwt.io, change the algorithm to HS256, and get the App ID from that.
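The claims that the `validate-azure-ad-token` policy above matches on (`aud` against `<audiences>`, `appid` or `azp` against `<client-application-ids>`, `tid` against `tenant-id`) live in the JWT payload, which is plain base64url-encoded JSON. The following is an added example, not code from the issue or from the sp-dev-docs project: it reads those claims from a token locally, so a live bearer token never has to be pasted into a third-party site, and no algorithm selection is involved because nothing here verifies the signature. The token, GUIDs and signature segment are constructed placeholders.

```javascript
// Added example: inspect the claims of an Entra ID bearer token locally.
// A JWT is header.payload.signature, each segment base64url-encoded. Reading the
// payload does NOT validate the token; it only shows what a policy would compare.

function base64UrlDecode(segment) {
  // Restore the standard base64 alphabet and padding, then decode as UTF-8.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Decode a JWT without verifying it. Returns { header, payload }; throws on malformed input.
function decodeJwt(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    throw new Error("Not a JWT: expected 3 dot-separated segments");
  }
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Summarise the claims an APIM validate-azure-ad-token policy looks at.
// The client application id is `appid` in v1.0 tokens and `azp` in v2.0 tokens.
function describeToken(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  return {
    alg: header.alg,
    tenantId: payload.tid,
    audience: payload.aud,
    clientAppId: payload.appid || payload.azp,
    tokenVersion: payload.ver,
    expired: typeof payload.exp === "number" && payload.exp <= now,
  };
}

// Constructed sample token with placeholder GUIDs. The signature segment is a
// dummy and would fail real validation; only the payload matters for inspection.
const SAMPLE_HEADER = { typ: "JWT", alg: "RS256", kid: "placeholder-key-id" };
const SAMPLE_PAYLOAD = {
  aud: "https://stowersinstitute.sharepoint.com",
  iss: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  tid: "00000000-0000-0000-0000-000000000000",
  appid: "11111111-1111-1111-1111-111111111111",
  ver: "1.0",
  exp: 4102444800, // 2100-01-01T00:00:00Z, so the sample reads as not expired
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "placeholder-signature",
].join(".");

console.log(describeToken(SAMPLE_TOKEN));
```

Run it with `node` and paste a real token in place of `SAMPLE_TOKEN` to see the `aud`, `appid`/`azp` and `tid` values the policy will compare; the `clientAppId` field is what goes into `<application-id>`. Signature verification is left to APIM, which fetches the tenant's signing keys itself.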