SharePoint SPFx app not working in Teams clients

I had a customer who hit an issue when they started to introduce SharePoint Framework (SPFx) into their Teams environment, but only in the Teams clients other than the web client.

When the Teams client attempts to connect to the SharePoint environment, there is an error coming back from this URL:

https://xxxx.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken

The error is an HTTP 401, and the response body looks like this:

{
  "odata.error": {
    "code": "-1, Microsoft.SharePoint.Client.ClientServiceException",
    "message": {
      "lang": "en-GB",
      "value": "Exception of type 'Microsoft.SharePoint.Client.ClientServiceException' was thrown."
    }
  }
}

This is the www-authenticate header:

WWW-Authenticate: Bearer realm="rrrrrr-eeee-aaaa-llll-mmmmmmmmmmmm",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*,DDDDDDDD-AAAA-BBBB-CCCC-DDDDDDDDDDD@*,https://sts.windows.net/*/,00000003-0000-0ff1-ce00-000000000000@11111111-8222-11e1-8eff-4922222019b",authorization_uri="https://login.windows.net/common/oauth2/authorize",error="insufficient_claims",claims="<CLAIM>"

It looks like the auth token isn’t being accepted (note error="insufficient_claims" in the header) and the client is being redirected to authenticate. At that point the Teams Windows client should prompt the user to authorise.

The authentication within the web version of Teams works and the SharePoint portal is shown.

The Teams Windows client then receives an HTTP 400 when it calls:

GET /_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%2719732f38-8278-11ec-a8a3-0242ac120002%27&clientId=%272bb25f3e-8278-11ec-a8a3-0242ac120002%27 HTTP/1.1

This is the error:

{
  "odata.error": {
    "code": "10001",
    "message": {
      "lang": "en-GB",
      "value": "AADSTS65001: The user or administrator has not consented to use the application with ID '00000003-0000-0ff1-ce00-000000000000' named 'Office 365 SharePoint Online'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 4aaf5383-cf63-3421-b263-deed41f42200\r\nCorrelation ID: 43567fa1-6324-3000-8d4b-f0819bfc4ed9\r\nTimestamp: 2021-12-22 07:57:45Z"
    },
    "error.redirectUrl": "https://xxx.sharepoint.com/_layouts/15/teamshostedapp.aspx?teams&personal&componentId=345a76dd-ec78-48c7-3fa5-9c45913198c5&forceLocale=en-gb&reauthid=<authID>"
  }
}

Since the SPFx app worked in the Teams web client (but in none of the other clients), and the error says consent is missing for 'Office 365 SharePoint Online', the likely cause is a missing property in the Azure AD manifest of the principal that SPFx components use.

Head to the Azure Portal, open the “App registrations” blade, search for “SharePoint Online Client Extensibility Web Application Principal” and open its manifest:

Check the JSON section “preAuthorizedApplications”. There should be an entry with an appId of 00000003-0000-0ff1-ce00-000000000000:

"preAuthorizedApplications": [
  {
    "appId": "00000003-0000-0ff1-ce00-000000000000",
    "permissionIds": [
      "a991c3b6-1234-1234-1234-d21fcb52877d"
    ]
  }
],

If there is not, add this snippet of JSON to the “preAuthorizedApplications” section. The value in “permissionIds” must be the same ID as the “id” field of the entry in the “oauth2Permissions” section: it is the GUID of the OAuth2 permission (scope) that this principal exposes.

Save the updated manifest, and your SPFx app should start to work in all Teams clients (not just the web version). Have fun!
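As an added example (not code from the post), here is a small Python check that can be run offline against a manifest exported from the portal: it reports which enabled oauth2Permissions the SharePoint Online appId is not yet pre-authorized for, and returns a corrected copy of the manifest when something is missing. The sample manifest and its scope GUID are constructed, not from any real tenant.

```python
import copy
import json

# Fixed appId of "Office 365 SharePoint Online"; identical in every tenant.
SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000"

# Constructed sample manifest of the "SharePoint Online Client Extensibility
# Web Application Principal", in the portal's export format; the scope id
# is made up, like the GUIDs in the post.
SAMPLE_MANIFEST = json.loads("""{
  "displayName": "SharePoint Online Client Extensibility Web Application Principal",
  "oauth2Permissions": [
    {"id": "a991c3b6-1234-1234-1234-d21fcb52877d", "isEnabled": true,
     "type": "User", "value": "user_impersonation"}
  ],
  "preAuthorizedApplications": []
}""")


def missing_scope_ids(manifest: dict) -> list:
    """Return the ids of enabled oauth2Permissions that SharePoint Online is
    NOT yet pre-authorized for; an empty list means the manifest is fine."""
    scopes = [p["id"] for p in manifest.get("oauth2Permissions", [])
              if p.get("isEnabled", True)]
    if not scopes:
        raise ValueError("manifest exposes no oauth2Permissions to pre-authorize")
    granted = set()
    for entry in manifest.get("preAuthorizedApplications", []):
        if entry.get("appId", "").lower() == SPO_APP_ID:
            granted.update(entry.get("permissionIds", []))
    return [s for s in scopes if s not in granted]


def ensure_preauthorized(manifest: dict) -> dict:
    """Return a copy of the manifest in which SharePoint Online is
    pre-authorized for every enabled scope. An existing entry for the appId
    is extended rather than duplicated; the input is left untouched."""
    fixed = copy.deepcopy(manifest)
    needed = missing_scope_ids(fixed)
    if needed:
        apps = fixed.setdefault("preAuthorizedApplications", [])
        for entry in apps:
            if entry.get("appId", "").lower() == SPO_APP_ID:
                entry.setdefault("permissionIds", []).extend(needed)
                break
        else:
            apps.append({"appId": SPO_APP_ID, "permissionIds": needed})
    return fixed
```

Load your own exported manifest with json.load in place of SAMPLE_MANIFEST; the returned copy can be pasted back into the portal's manifest editor.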

Note: The GUIDs in this article have been changed to save the innocent, except the “SharePoint Online Client Extensibility Web Application Principal” which stays at 00000003-0000-0ff1-ce00-000000000000 for all tenants.
