SPFx Teams Tab (windows client), AcquireOBOToken 400 (guest access only)

[mdanielcristian]

Category

• Bug

Describe the bug

I have a SPFx teams tab. The SPFx tab is using AadTokenProvider in order to get a token to access a resource. Trying to access that tab:

• browser client, normal user, WORKS, correct token returned, I am able to access the resource using that token
• native client (windows), normal user: WORKS
• browser client, guest user, WORKS
• native client (windiws), guest user DOES NOT WORK

So when I try to get a token in the native client, while logged in with a guest user, the call fails. Using fiddler, I can see the following call:
GET: /sites/{teamSite}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource='{protectedResource'&clientId='{correct id of SharePoint Online Client Extensibility Web Application Principal'

Response: 400 - Missing refresh token

Steps to reproduce

1. Login as a guest to a team
2. Access a SPFx tab in that team
3. The tab is using AadTokenProvider.getToken('{resourceUid}') in order to get a token for the current user
4. The call fails, and the above error is visible in Fiddler

Expected behavior

AadTokenProvider.getToken('{resourceUid}') returns a valid token.

Environment details (development & target environment)

• Your Developer Environment: Windows 10
• Target Environment: Teams
• Framework: SPFx v1.10.0
• Browser(s): Native Client onlu
• Tooling: VS Code, SPFx v1.10.0

Additional context

Same exact scenario work in the browser client (guest user) and all scenarios for a normal user.

[msft-github-bot]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[primalairlabs]

We experience very similar behavior in our custom teams app but it affects regular users, not guests. Also only in Teams native electron app, in Browser it works. It's also only a very limited amount of users. For the majority, it works. We don't see a pattern for the users it doesn't work. Using Dev Tools in Teams native electron app, it looks like nothing is loaded from our solution, but using Fiddler we see this error:

{"odata.error":{"code":"10001","message":{"lang":"en-US","value":"Missing refresh token."},"error.redirectUrl":"https://[TENANTNAME].sharepoint.com/_layouts/15/teamshostedapp.aspx?teams&personal&componentId=2b2b1481-f05b-49a2-9be6-c74bce0809b4&forceLocale=en-us&reauthid=[TOKENGUID]"}}

What is very strange is, that it can temporarily be solved if the user visits the SharePoint once directly, for example in Chrome. Afterward, it works in the Teams native app too. @mdanielcristian could you test if that works for you too? We on our side can easily reproduce it creating a new user in Office 365 Admin Center, never access SharePoint and try to access our custom app directly in Teams native electron app. It won't work till the user was at least once on the SharePoint directly.

[testuser7713]

hi,

I have one general point and request clarification on this thread. (not specific to SPFx or guest user)

this way of authenticating the custom-tab i.e., obtaining the on-behalf-of token from ms-teams client using microsoftTeams.authentication.getAuthToken() would not involve any popup, meaning ms-teams client will only broker and obtain the token for the account that has signed into ms-teams.

If my custom-app wants to get token for another account, I need to go with the regular Azure-AD authentication by invoking
microsoftTeams.authentication.authenticate()

Am I correct in my understanding ?

Thanks.

[oppie85]

I'm experiencing this error as well for a number of non-guest users in a Teams app that displays a SharePoint page containing an SPFx webpart; as soon as the graph is called, the call to AcquireOBOToken returns 'Bad Request' and the app crashes. From limited testing it appears that this might indeed correlate with users who might not have accessed SharePoint recently.

[Jwaegebaert]

Any update? We have the same issue. Users who don't frequently use SharePoint fail to authenticate on the Teams app.

[WardWilmsen]

@oppie85 We are experiencing exactly the same behaviour... same API giving us a bad request. For some users it will return this error, for some it will just work fine. Any fix or workaround? 😐

[vman]

We are seeing the exact issue as well. We have an SPFx webpart hosted as a Teams Tab and Guest users are not able to call the Graph API or a custom AAD secured Web API from the teams desktop client (works from web browsers)

sprequestguid of one such call is b3c2919f-f053-2000-96e1-72883a3f2b37

@lucabandMSFT @patmill @VesaJuvonen

[lucabandMSFT]

that's for now unfortunately expected. If the user didn't log in to SharePoint first, we miss the user token to be able to fulfill the user identity when serving the page from the Teams rich client.
The annoying workaround for now is to have the user visiting a SharePoint page (any of them) first.

We know this is a non sustainable experience and we are working to build a better experience that would not require such workaround to be in place.