Sp-dev-docs: SPFx Teams Tab (windows client), AcquireOBOToken 400 (guest access only)

Created on 4 Aug 2020 · 17 Comments · Source: SharePoint/sp-dev-docs

Category

  • [x] Bug

Describe the bug

I have a SPFx teams tab. The SPFx tab is using AadTokenProvider in order to get a token to access a resource. Trying to access that tab:

  • browser client, normal user, WORKS, correct token returned, I am able to access the resource using that token
  • native client (windows), normal user: WORKS
  • browser client, guest user, WORKS
  • native client (windows), guest user: DOES NOT WORK

So when I try to get a token in the native client, while logged in with a guest user, the call fails. Using fiddler, I can see the following call:
GET: /sites/{teamSite}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource='{protectedResource}'&clientId='{correct id of SharePoint Online Client Extensibility Web Application Principal}'

Response: 400 - Missing refresh token

Steps to reproduce

  1. Login as a guest to a team
  2. Access a SPFx tab in that team
  3. The tab is using AadTokenProvider.getToken('{resourceUid}') in order to get a token for the current user
  4. The call fails, and the above error is visible in Fiddler

Expected behavior

AadTokenProvider.getToken('{resourceUid}') returns a valid token.

Environment details (development & target environment)

  • Your Developer Environment: Windows 10
  • Target Environment: Teams
  • Framework: SPFx v1.10.0
  • Browser(s): Native Client only
  • Tooling: VS Code, SPFx v1.10.0

Additional context

The same exact scenario works in the browser client (guest user), and all scenarios work for a normal user.

Labels: auth, spfx-msteams, bug-suspected

All 17 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

We experience very similar behavior in our custom teams app but it affects regular users, not guests. Also only in Teams native electron app, in Browser it works. It's also only a very limited amount of users. For the majority, it works. We don't see a pattern for the users it doesn't work. Using Dev Tools in Teams native electron app, it looks like nothing is loaded from our solution, but using Fiddler we see this error:

{"odata.error":{"code":"10001","message":{"lang":"en-US","value":"Missing refresh token."},"error.redirectUrl":"https://[TENANTNAME].sharepoint.com/_layouts/15/teamshostedapp.aspx?teams&personal&componentId=2b2b1481-f05b-49a2-9be6-c74bce0809b4&forceLocale=en-us&reauthid=[TOKENGUID]"}}

What is very strange is that it can temporarily be solved if the user visits SharePoint once directly, for example in Chrome. Afterwards, it works in the Teams native app too. @mdanielcristian could you test if that works for you too? On our side we can easily reproduce it by creating a new user in the Office 365 Admin Center, never accessing SharePoint, and trying to access our custom app directly in the Teams native electron app. It won't work until the user has been on SharePoint directly at least once.
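An added example (not code from the issue, from SPFx or from Microsoft) of how a tab could handle the AcquireOBOToken 400 described in this thread instead of crashing: it classifies the odata.error body quoted in the previous comment and hands back the "visit SharePoint once" guidance as data for the render path. It assumes a minimal getToken() surface standing in for AadTokenProvider and an assumed rejection shape (JSON string, Error message or parsed object), since the page shows neither.

```typescript
// Added example (not from the issue, SPFx or Microsoft): handle the AcquireOBOToken 400
// "Missing refresh token" failure so the tab shows guidance instead of crashing.
interface TokenProviderLike { getToken(resourceEndpoint: string): Promise<string>; } // stand-in for AadTokenProvider (assumption)
type TokenOutcome =
  | { kind: "ok"; token: string }
  | { kind: "missingRefreshToken"; userMessage: string }
  | { kind: "otherError"; detail: string };

// Guidance instead of a redirect, which the thread says is not viable (multi-profile Teams, mobile prompts).
const MISSING_REFRESH_TOKEN_MESSAGE =
  "Sign in to SharePoint once in a browser (open any SharePoint page), then reopen this tab.";

// True when a parsed error body is the odata.error quoted in this thread (code 10001 / "Missing refresh token").
function isMissingRefreshToken(body: unknown): boolean {
  if (typeof body !== "object" || body === null) return false;
  const err = (body as { "odata.error"?: { code?: string; message?: { value?: string } } })["odata.error"];
  if (!err) return false;
  const text = err.message && err.message.value ? err.message.value : "";
  return err.code === "10001" || /missing refresh token/i.test(text);
}

// The rejection shape of getToken() is not shown on the page, so accept a JSON string,
// an Error whose message is the JSON body, or an already-parsed object (assumption).
function extractBody(e: unknown): unknown {
  const raw = typeof e === "string" ? e : e instanceof Error ? e.message : e;
  if (typeof raw !== "string") return raw;
  try { return JSON.parse(raw); } catch { return undefined; }
}

function classifyRejection(e: unknown): TokenOutcome {
  if (isMissingRefreshToken(extractBody(e))) {
    return { kind: "missingRefreshToken", userMessage: MISSING_REFRESH_TOKEN_MESSAGE };
  }
  return { kind: "otherError", detail: e instanceof Error ? e.message : String(e) };
}

// Call this instead of getToken() directly: it never throws, so the render path can show
// the guidance (or a retry control) rather than taking the whole tab down.
async function getTokenSafely(provider: TokenProviderLike, resource: string): Promise<TokenOutcome> {
  try {
    return { kind: "ok", token: await provider.getToken(resource) };
  } catch (e) {
    return classifyRejection(e);
  }
}

// Constructed fake provider rejecting with a shortened copy of the body quoted in this thread.
const SAMPLE_400_BODY =
  '{"odata.error":{"code":"10001","message":{"lang":"en-US","value":"Missing refresh token."}}}';
const failingProvider: TokenProviderLike = { getToken: () => Promise.reject(new Error(SAMPLE_400_BODY)) };
```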

hi,

I have one general point and request clarification on this thread. (not specific to SPFx or guest user)

this way of authenticating the custom-tab i.e., obtaining the on-behalf-of token from ms-teams client using microsoftTeams.authentication.getAuthToken() would not involve any popup, meaning ms-teams client will only broker and obtain the token for the account that has signed into ms-teams.

If my custom-app wants to get token for another account, I need to go with the regular Azure-AD authentication by invoking
microsoftTeams.authentication.authenticate()

Am I correct in my understanding ?

Thanks.

I'm experiencing this error as well for a number of non-guest users in a Teams app that displays a SharePoint page containing an SPFx webpart; as soon as the graph is called, the call to AcquireOBOToken returns 'Bad Request' and the app crashes. From limited testing it appears that this might indeed correlate with users who might not have accessed SharePoint recently.

Any update? We have the same issue. Users who don't frequently use SharePoint fail to authenticate on the Teams app.

@oppie85 We are experiencing exactly the same behaviour... same API giving us a bad request. For some users it will return this error, for some it will just work fine. Any fix or workaround?

We are seeing the exact issue as well. We have an SPFx webpart hosted as a Teams Tab and Guest users are not able to call the Graph API or a custom AAD secured Web API from the teams desktop client (works from web browsers)

sprequestguid of one such call is b3c2919f-f053-2000-96e1-72883a3f2b37

@lucabandMSFT @patmill @VesaJuvonen

That's for now unfortunately expected. If the user didn't log in to SharePoint first, we miss the user token to be able to fulfill the user identity when serving the page from the Teams rich client.
The annoying workaround for now is to have the user visiting a SharePoint page (any of them) first.

We know this is a non sustainable experience and we are working to build a better experience that would not require such workaround to be in place.

@lucabandMSFT thanks for your answer. But shouldn't it be possible to redirect to the sign in page in case of a bad request on the AcquireOBOToken endpoint? Once logged in the SSO will work fine from that point?

It's pretty frustrating; a lot of customers are coming up with this issue now and they have to tell all their employees to browse to SharePoint first and log in there, to be able to get around this issue.

Hi @lucabandMSFT

Thanks for the reply! Regarding the workaround, it still doesn't work for us unfortunately.

By visiting a SharePoint page as the guest user, do you mean
1) Visit an SP page in any browser?
2) Visit an SP page in the Teams Rich client (e.g. an SP page added as a Teams tab)
3) Something else I might be missing?

@WardWilmsen , unfortunately no because in scenarios where you have multiple profiles in Teams redirecting will always use your machine identity (assuming you have a domain joined machine) and in mobile will always prompt to credential requests.

@vman , yes, visit any SharePoint page from the browser.

We know that is frustrating, that's why we are working to address it as soon as possible.

Our customer reported that the issue has come back a few days after visiting a random page in SharePoint Online.

@WardWilmsen , how many days? Tokens have an expiration point, so if the customer didn't log back in to refresh the token (or something in the middle changed, like the user password), then the behavior is unfortunately expected.

But, again, I want to re-enforce the message here: we know this is an issue and not the correct behavior and we are working on addressing that. Hopefully I can provide some updates here at the early beginning of 2021.

@lucabandMSFT they reported this issue yesterday morning. They got this after one night of their computer being in sleep mode. I saw them visiting the SharePoint root url with that user, Monday in the afternoon. So not even 24 hours after visiting SharePoint.

And yes tokens do expire, but they are refreshed in Teams once they expire right? I have my laptop turned on day and night for the last few days. And I'm not facing these issues, the SSO on SharePoint keeps working fine for the personal Teams tab.

So I'm not sure what the issue is right here. If it was a one-time identity that it needed, then it should be fixed 'forever' by visiting SharePoint just once?

@vman were you able to fix this issue already? If so, could you explain how you did this exactly?

@WardWilmsen @lucabandMSFT for me the workaround hasn't worked at all. Maybe I am missing something but visiting SP pages as the guest user (both in browser and Teams) doesn't change the behaviour for me :(

@vman @lucabandMSFT I'm facing this issue with internal and licensed users in the customer tenant... just as @oppie85 mentioned. Wasn't able to test this one with guest users yet. But can imagine it will only make it worse.

For internal users it does work for a few hours after visiting a random SharePoint page.

@lucabandMSFT @primalairlabs
Does anyone have any update on this issue? Still facing this issue with 1 of our customers.
