
Unable to retrieve Client Secret

Open marcus-atvero opened this issue 1 year ago • 2 comments

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

  • [ ] 💥 Internet Explorer
  • [ ] 💥 Microsoft Edge
  • [ ] 💥 Google Chrome
  • [ ] 💥 FireFox
  • [ ] 💥 Safari
  • [ ] mobile (iOS/iPadOS)
  • [ ] mobile (Android)
  • [ ] not applicable
  • [ ] other (enter in the "Additional environment details" area below)

Additional environment details

  • all

Describe the bug / error

Across our customer tenancies, I've seen the new Entra App Registration manifest functions appear recently, where we have "Microsoft Graph App Manifest (New)" alongside "AAD Graph App Manifest (Deprecating Soon)". This seems related to issues with registering SPFx application API access when the SPFx app is making calls to Entra ID protected APIs.

The first issue is when approving Graph API access requests, they don't "stick" to the SPFx helper principal, but just disappear, but our app seems to work fine anyway. Non-Graph requests such as user_impersonation for our own app do stick.

However, calls to our APIs fail with "Unable to retrieve Client Secret" - I think it's related to MSAL v3 and the new token retrieval.

The fix was to delete the sensible looking client secret for the SPFx principal, e.g.

"ClientSecret-4d755061-e97f-471b-8afa-2a"

and go back to the SharePoint API management page and reload, when it creates the new weird broken looking secret I've seen across other tenancies:

"Ö{X!Å'•IŒ„¹Ngãü"

and then things work as normal.

Steps to reproduce

Register an SPFx with a manifest that specifies the scope of an Entra ID application that will be used to access an Entra ID protected API

Expected behavior

  • The correct client secret to be generated for the SPFx helper principal

marcus-atvero avatar Oct 02 '24 10:10 marcus-atvero

One of our clients is getting the same network error - "Unable to retrieve Client Secret", when hitting _api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken endpoint.

We have a custom SPFx solution deployed in their tenant which requires access to a few Graph permissions (User.Read.All, GroupMember.Read.All etc.). API access requests to these permissions have been approved.

They are getting the above error when viewing one of the SharePoint Site pages with a webpart from the custom solution. The webpart makes calls to "/groups" and "/users" graph endpoints.

jumpei-yamauchi avatar Oct 04 '24 04:10 jumpei-yamauchi

Our current workaround is to delete the client secret for the SPFx helper that starts clientsecret- and reload the SharePoint API management page. This creates a new secret with a scrambled name.

However, the acquireOBOToken then fails with a generic error.

Go back to the API management page and reload. It then creates the second secret starting clientsecret-

Our calls then work.

Spfxhelper creation is still broken. Deleting it used to create all this stuff correctly, but now it's just broken.

marcusroberts avatar Oct 04 '24 06:10 marcusroberts

Hello @marcus-atvero, Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

Ashlesha-MSFT avatar Apr 18 '25 09:04 Ashlesha-MSFT

@marcus-atvero, Sorry, the repro steps given by you are a bit unclear. Could you please confirm if you follow the steps below? Repro steps:

  1. Create an SPFx solution using yo @microsoft/sharepoint.
  2. Complete the setup and then manually add the required Graph API permission (e.g., User.Read.All) in the package-solution.json under webApiPermissionRequests.
  3. Package the solution using gulp bundle --ship && gulp package-solution --ship.
  4. Upload the .sppkg file to the SharePoint App Catalog.

Ashlesha-MSFT avatar Apr 18 '25 09:04 Ashlesha-MSFT

Is this issue fixed? This api _api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken is giving "Unable to retrieve Client Secret" error. It was working till a few months back.

jithendramani avatar Apr 22 '25 04:04 jithendramani

@Ashlesha-MSFT The problem was with the SPFx security principal rather than any particular uploaded SPFx bundle.

If you look in the client secrets for the app registration called SharePoint Online Client Extensibility Web Application Principal in Entra ID, looking at one in our tenancy we currently have

Image

We had to go through the steps of them creating in the correct order to have both to resolve our issue

marcus-atvero avatar Apr 24 '25 07:04 marcus-atvero
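An added example, not part of the thread and not Microsoft tooling: a small audit of the password credentials on the app registration named above, fed with the `application` object as returned by Microsoft Graph. The sample JSON, key IDs and dates are constructed, and the "readable"/"scrambled" split only mirrors the secret names reported in this thread; it is not a documented naming convention.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph `application` object
# (displayName + passwordCredentials). All values are made up.
SAMPLE = json.loads(r"""
{
  "displayName": "SharePoint Online Client Extensibility Web Application Principal",
  "passwordCredentials": [
    {"displayName": "ClientSecret-00000000-0000-0000-0000-00",
     "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2026-10-02T10:10:00Z"},
    {"displayName": "\u00d6{X!\u00c5\u2022I\u0152",
     "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-01-01T00:00:00.0000000Z"}
  ]
}
""")

def parse_ts(value):
    # Graph timestamps are UTC; drop the trailing Z and any fractional seconds.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def name_kind(name):
    # Classification is an assumption based on the names quoted in the thread.
    if not name:
        return "unnamed"
    if name.isascii() and name.lower().startswith("clientsecret-"):
        return "readable"
    if not name.isascii() or not name.isprintable():
        return "scrambled"
    return "other"

def audit(app, now):
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = cred.get("endDateTime")
        rows.append({"keyId": cred.get("keyId"),
                     "kind": name_kind(cred.get("displayName")),
                     "expired": end is not None and parse_ts(end) <= now})
    return rows

def live_kinds(rows):
    # Kinds of secret that are still within their validity window.
    return sorted({r["kind"] for r in rows if not r["expired"]})

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```

Comparing `live_kinds` across tenants shows which ones hold only one of the two secret kinds, or only expired ones, without ever reading the secret values themselves.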

@marcus-atvero, Even when I have a valid ClientSecret-xxxx visible under the SPFx helper principal (i.e., SharePoint Online Client Extensibility Web Application Principal), I'm unable to reproduce the "Unable to retrieve Client Secret" error. The token acquisition using _api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken works fine in my environment.

This suggests that the issue may depend on specific tenant conditions or the internal state/order of how the client secret and API permission approvals are provisioned. The presence of the ClientSecret-xxxx alone doesn't consistently cause or prevent the issue, which makes it difficult to reliably reproduce.

Image

Ashlesha-MSFT avatar Jul 25 '25 11:07 Ashlesha-MSFT