SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

Page reloads due to blocking of third party cookies #9636

Closed estruyf closed 7 months ago

estruyf commented 7 months ago

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

macOS

What browser(s) / client(s) have you tested

Additional environment details

Safari: Version 16.4 Firefox: Version 124.0.2

Describe the bug / error

As Safari and Firefox block third-party cookies by default, the MSAL flow redirects and reloads the page when there is missing consent. This issue is related to #5966.

The fix rolled out last week resolved this for Chrome and Edge. I cannot reproduce the issue there anymore, but the problem still occurs on Safari and Firefox.

Here, you can see the behavior in Firefox:

https://github.com/SharePoint/sp-dev-docs/assets/2900833/915cbb1d-11be-421d-afc4-5fc2e400afb0

Here, you can see the behavior in Safari:

https://github.com/SharePoint/sp-dev-docs/assets/2900833/325d8cc2-3e4f-4e02-a5ba-f803abf6b2db

The solution on the customer end is to consent to the missing permission, but it is not clear that this is the root cause, as we cannot catch this in the webpart like we can do when third-party cookies are enabled.

Steps to reproduce

  1. Create a web part which requires an access token
  2. Publish the web part, but do not consent to the permission scope
  3. Test out the web part on the page in Firefox or Safari

Expected behavior

The suggestion I gave in issue #5966 was the following:

I suggest implementing a way to capture this error. For instance, when the /_forms/spfxsinglesignon.aspx gets a missing consent, something is written to the cache. When the code requests the token again, the MSAL library should validate if it has already performed the redirect, and if that is the case, return an error. That way, it would be similar to the implicit grant flow where you would retrieve an error, and we could tell the user some configuration is missing.
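The loop guard suggested above, written out as an added example (not code from this issue, from SPFx or from MSAL): a marker is written to a per-session store before the consent redirect, and a second consent failure for the same scope returns an error to the web part instead of redirecting again. The token source, the redirect function and the store are injected under hypothetical names so the logic runs offline; in a browser you would pass `window.sessionStorage` and `window.location.assign`.

```typescript
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

/** In-memory stand-in for sessionStorage, used only for the offline demo. */
class MemoryStore implements KeyValueStore {
  private items: { [k: string]: string } = {};
  getItem(k: string): string | null { return this.items.hasOwnProperty(k) ? this.items[k] : null; }
  setItem(k: string, v: string): void { this.items[k] = v; }
  removeItem(k: string): void { delete this.items[k]; }
}

/** Thrown by the (hypothetical) token source when the API has not been admin-consented. */
class ConsentRequiredError extends Error {
  constructor(message: string) { super(message); this.name = "ConsentRequiredError"; }
}

type GuardResult =
  | { kind: "token"; token: string }
  | { kind: "redirect"; url: string }            // first consent failure in this session
  | { kind: "missing-consent"; scope: string };  // redirect already tried: report, don't loop

const MARKER_PREFIX = "spfx-consent-redirect:";
const SSO_PAGE = "/_forms/spfxsinglesignon.aspx"; // the page named in the issue

function acquireTokenWithLoopGuard(
  scope: string,
  acquire: (scope: string) => string,   // hypothetical token source: returns a token or throws
  redirect: (url: string) => void,
  store: KeyValueStore,
): GuardResult {
  const marker = MARKER_PREFIX + scope;
  try {
    const token = acquire(scope);
    store.removeItem(marker); // success: allow one fresh redirect if consent is later revoked
    return { kind: "token", token };
  } catch (err) {
    if ((err as Error).name !== "ConsentRequiredError") throw err; // unrelated failures propagate
    if (store.getItem(marker) !== null) {
      return { kind: "missing-consent", scope }; // second time round: surface a clear error
    }
    store.setItem(marker, new Date().toISOString()); // remember the redirect before leaving the page
    redirect(SSO_PAGE);
    return { kind: "redirect", url: SSO_PAGE };
  }
}

/** Constructed scenario: an API that was never admin-consented, requested twice in one session. */
function simulateUnconsentedApi(): string[] {
  const store = new MemoryStore();
  const neverConsented = (): string => { throw new ConsentRequiredError("consent_required"); };
  const outcomes: string[] = [];
  for (let attempt = 0; attempt < 2; attempt++) {
    outcomes.push(acquireTokenWithLoopGuard("api://example/.default", neverConsented, () => {}, store).kind);
  }
  return outcomes; // ["redirect", "missing-consent"]
}
```

The second outcome is what the web part can catch and turn into a "permission not consented" message, instead of the silent page reload the issue describes.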

lucabandMSFT commented 7 months ago

hey @estruyf , would it be possible for you to generate an HAR file and send it to us please?

lucabandMSFT commented 7 months ago

spoke to @estruyf , the issue is not related to MSAL V3 and indeed it repros on all browsers. The issue occurs when the code makes a call to an API that was not admin consented. The fix is to admin consent the API. Nevertheless, the experience is terrible. We are going to investigate internally and come up with something better.

justin376802 commented 7 months ago

hey @estruyf , would it be possible for you to generate an HAR file and send it to us please?

We're facing the same issue, here is an anonymized HAR file:

anonymized_tenant.sharepoint.com-browserlog.log

estruyf commented 7 months ago

@justin376802 from the logs you shared, I see that your browser has third-party cookies disabled. Check this to learn more about what is going on: https://www.eliostruyf.com/browser-refreshing-sharepoint-page/

justdevelopment commented 7 months ago

We see the same issue still at customer tenants. Re-granting admin consent on our API and enabling 3rd party cookies is not a solution for them unfortunately... I do see an error on missing auth for the 'SharePoint Online Web Client Extensibility' app registration (not the Principal!), could that be the cause? We cannot grant consent to this App Reg: the button is disabled.

justin376802 commented 7 months ago

@estruyf I've got my (MS Edge) browser settings set as open as possible however the issue persists. I've added some screenshots and additional logs. Am I maybe missing something?


I've also added the sharepoint site to the allow list on the bottom of the image below:

new_anonymized_tenant.sharepoint.com-browserlog.log

estruyf commented 7 months ago

We see the same issue still at customer tenants. Re-granting admin consent on our API and enabling 3rd party cookies is not a solution for them unfortunately... I do see an error on missing auth for the 'SharePoint Online Web Client Extensibility' app registration (not the Principal!), could that be the cause? We cannot grant consent to this App Reg: the button is disabled.

@justdevelopment I've experienced this as well last week, check this: https://www.eliostruyf.com/fix-admin-consent-sp-token-retrieval-flows-spfx/

estruyf commented 7 months ago

@justin376802 I see you getting issues on the /_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken API as well, can you check the described solution from my blog post: https://www.eliostruyf.com/fix-admin-consent-sp-token-retrieval-flows-spfx/

justin376802 commented 7 months ago

@estruyf That seems to be the solution! It appears I'm not getting the random refreshes anymore. I was indeed missing the Authorized client applications mentioned in your blog, thank you! 👍

lucabandMSFT commented 7 months ago

@estruyf , thanks for sharing this.

Visiting the API Access page with a user that has both SPO Tenant Admin and AAD Global admin roles will also fix the issue.

justdevelopment commented 7 months ago

Awesome Elio, that also fixed our issue! Three were missing and by adding them the issue is now gone. It probably also fixed another issue our customer was having within Teams (but we need to verify this)