MSTeams 桌面客户端中的 SPFx webpart 抛出 UnauthorizedAccessException [英] SPFx webpart in MSTeams Desktop Client throws an UnauthorizedAccessException

问题描述

这个问题与之前在 StackOverflow 上提出的问题非常相似.但是，我得到的错误是不同的.

这是我面临的问题的重现步骤"概述.

• 将 Web 部件部署到 SharePoint
• 在 SharePoint 中查看 Web 部件 - Web 部件显示和加载正常
• 在 Teams 中添加 SharePoint 选项卡并将其绑定到包含 Web 部件的页面
• 在 Teams Desktop 客户端中查看选项卡 - 无法在 Web 部件中加载数据(请参阅下文)
• 在 Teams Web 客户端中查看选项卡 - Web 部件显示和加载正常

当我调试 MS Teams 桌面客户端时，我在网络请求"选项卡中有此调用:

https://{mytenant}.sharepoint.com/sites/{mysite}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={我的 AAD 应用注册的 GUID}&clientId={SharePoint Online 客户端扩展性 AAD 应用注册的 GUID}

回复:

错误 403:

<块引用>

{"odata.error":{"code":"-2147024891,System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access否认.您无权执行此操作或访问此资源."}}}

一个有趣的观察结果是此 Web 请求仅发生在 Microsoft Teams 桌面客户端中.

我很想知道为什么这只发生在 MS Teams 桌面客户端而不是 MS Teams Web 客户端或 Sharepoint Online.

更新:10/02/2020

另一个观察结果:我们在不同的租户(个人租户而不是我们的公司租户)上尝试了相同的设置.我们注意到，当在 Azure Active Directory 上启用 MFA 时，可以重现相同的行为.

失败的请求是:

https://{个人租户}.sharepoint.com/sites/{站点名称}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={AD 应用注册的GUID}&clientId={SPO 客户端扩展性应用程序注册的 GUID}

但是，现在返回的错误是带有响应的 500:

<块引用>

{"odata.error":{"code":"-1,System.AggregateException","message":{"lang":"en-US","value":"一个或发生了更多错误."}}}

在 Github 上发现了类似的问题(但出现了不同的错误):https://github.com/SharePoint/sp-dev-docs/issues/4915

解决方案

我最近在调用 graphAPI 的 webpart 时遇到了类似的问题.在桌面团队中，呼叫永远不会发生，并且经常卡住.我可以按照以下步骤修复它:-

第 1 步:访问租户管理站点上的新 API 权限管理页面.这会在幕后创建一个客户端机密.

第 2 步.转到 -> https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

步骤 3. 点击SharePoint Online Client Extensibility Web Application Principal

步骤 4. 单击左侧菜单中的 Manifest 步骤 5. 从 oAuth2Permission 数组中复制 id

"oauth2Permissions": [{"adminConsentDescription": "允许应用程序代表登录用户访问 SharePoint Online 客户端可扩展性 Web 应用程序主体.","adminConsentDisplayName": "访问 SharePoint Online 客户端可扩展性 Web 应用程序主体","id": "2143704b-186b-4210-b555-d03aa61823cf",已启用":真，朗":空，"origin": "应用程序","type": "用户","userConsentDescription": "允许应用程序代表您访问 SharePoint Online 客户端可扩展性 Web 应用程序主体.","userConsentDisplayName": "访问 SharePoint Online 客户端可扩展性 Web 应用程序主体",值":user_impersonation"}],

步骤 6. 将preAuthorizedApplications"条目替换为以下 json.保留下面写的 appId.

"preAuthorizedApplications": [{"appId": "00000003-0000-0ff1-ce00-000000000000",权限 ID":[您在第 5 步中复制的 ID"]}],

第 7 步.点击保存.

让我知道这是否适合您.我从 https://github.com/引用了上述步骤SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341

This question is very similar to a question which has been asked previously on StackOverflow. However, the error I'm getting is different.

AadHttpClient fails when loading SP page with SPFx webpart in MSTeams Desktop Client

I also have a Sharepoint Online site in which I have an SPFx web part which makes use of AadHttpClient.

This webpart works if I navigate to the Sharepoint site from a browser or open MS Teams web client.

A glimpse of my setup:

Here is a "steps to repro" overview of the issue I am facing.

• Deploy the web part to SharePoint
• View the web part in SharePoint – web part displays and loads OK
• Add a SharePoint Tab in Teams and bind it to the page with the web part
• View the tab in Teams Desktop client – data fails to load in web part (refer below)
• View the tab in Teams Web client – web part displays and loads OK

When I debugged the MS Teams desktop client, I have this call in in the Network requests tab:

https://{mytenant}.sharepoint.com/sites/{mysite}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={GUID of my AAD app registration}&clientId={GUID of SharePoint Online Client Extensibility AAD app registration}

With the response:

Error 403:

{"odata.error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}}

One interesting observation was that this web request only happens in Microsoft Teams desktop client.

I am interested in knowing why this only happens in MS Teams desktop client and not on either the MS Teams web client or Sharepoint Online.

Update: 10/02/2020

Another observation: We tried the same setup on a different tenant (personal tenant instead of our corporate tenant). We noticed that the same behaviour could be reproduced when MFA is turned-on on the Azure Active Directory.

The request that's failing is:

https://{personal tenant}.sharepoint.com/sites/{site name}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={GUID of the AD app registration}&clientId={GUID of the SPO Client Extensibility app registration}

However, now the error returned is a 500 with the response:

{"odata.error":{"code":"-1, System.AggregateException","message":{"lang":"en-US","value":"One or more errors occurred."}}}

Similar issue found, (but a different error) out on Github: https://github.com/SharePoint/sp-dev-docs/issues/4915

解决方案

I faced similar issue recently for a webpart that was calling graphAPI. On Desktop teams the call never use to happen and it use to get stuck. I was able to fix it by following these steps: -

Step 1. Visit the new API Permission Management Page on the Tenant Admin Site. This creates a client secret behind the scenes.

Step 2. Go to -> https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

Step 3. Click on SharePoint Online Client Extensibility Web Application Principal

Step 4. Click Manifest on the left menu Step 5. Copy the id from the oAuth2Permission array

"oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "id": "2143704b-186b-4210-b555-d03aa61823cf",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
            "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "value": "user_impersonation"
        }
    ],

Step 6. Replace "preAuthorizedApplications" entry with the following json. Keep the appId as it is written below.

"preAuthorizedApplications": [
    {
        "appId": "00000003-0000-0ff1-ce00-000000000000",
        "permissionIds": [
            "YOUR COPIED ID FROM STEP 5"
        ]
    }
],

Step 7. Hit Save.

Let me know if this works for you. I referred the above steps from https://github.com/SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341

这篇关于MSTeams 桌面客户端中的 SPFx webpart 抛出 UnauthorizedAccessException的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！