MSTeams Desktop Client中的SPFx Webpart引发UnauthorizedAccessException [英] SPFx webpart in MSTeams Desktop Client throws an UnauthorizedAccessException

问题描述

此问题与之前在StackOverflow上提出的问题非常相似.但是，我得到的错误是不同的.

This question is very similar to a question which has been asked previously on StackOverflow. However, the error I'm getting is different.

AadHttpClient在以下情况下失败在MSTeams Desktop Client中使用SPFx Webpart加载SP页面

我还有一个 Sharepoint Online网站，其中有一个 SPFx Web部件，该部件利用了 AadHttpClient .

I also have a Sharepoint Online site in which I have an SPFx web part which makes use of AadHttpClient.

如果我从浏览器导航到Sharepoint网站或打开MS Teams Web客户端，则此Webpart可以工作.

This webpart works if I navigate to the Sharepoint site from a browser or open MS Teams web client.

我的设置概览:

这是我面临的问题的重现步骤"概述.

Here is a "steps to repro" overview of the issue I am facing.

• 将Web部件部署到SharePoint
• 在SharePoint中查看Web部件– Web部件显示并加载确定
• 在团队中添加SharePoint选项卡，并将其绑定到具有Web部件的页面上
• 在Teams Desktop客户端中查看选项卡–数据无法在Web部件中加载(请参阅下文)
• 在Teams Web客户端中查看选项卡– Web部件显示并加载确定

调试MS Teams桌面客户端时，在网络请求"选项卡中有此呼叫:

When I debugged the MS Teams desktop client, I have this call in in the Network requests tab:

https://{mytenant}.sharepoint.com/sites/{mysite}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={GUID of my AAD app registration}&clientId={GUID of SharePoint Online Client Extensibility AAD app registration}

响应:

错误403:

{"odata.error":{代码":-2147024891， System.UnauthorizedAccessException"，消息":{"lang":"en-US"，"value":"Access 否认.您无权执行此操作或访问 此资源.}}}

{"odata.error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}}

一个有趣的发现是，该Web请求仅在Microsoft Teams桌面客户端中发生.

One interesting observation was that this web request only happens in Microsoft Teams desktop client.

我想知道为什么仅在MS Teams桌面客户端而不是在MS Teams Web客户端或Sharepoint Online中发生这种情况.

I am interested in knowing why this only happens in MS Teams desktop client and not on either the MS Teams web client or Sharepoint Online.

更新:2020年2月10日

另一个观察结果:我们在其他租户(个人租户而不是公司租户)上尝试了相同的设置.我们注意到，在Azure Active Directory上打开MFA时，可能会重现相同的行为.

Another observation: We tried the same setup on a different tenant (personal tenant instead of our corporate tenant). We noticed that the same behaviour could be reproduced when MFA is turned-on on the Azure Active Directory.

失败的请求是:

https://{personal tenant}.sharepoint.com/sites/{site name}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={GUID of the AD app registration}&clientId={GUID of the SPO Client Extensibility app registration}

但是，现在返回的错误是带有响应的500:

However, now the error returned is a 500 with the response:

{"odata.error":{"code":-1， System.AggregateException，" message:{" lang:" zh-CN，" value:"一个或 发生了更多错误.}}}

{"odata.error":{"code":"-1, System.AggregateException","message":{"lang":"en-US","value":"One or more errors occurred."}}}

在Github上发现了类似的问题(但有不同的错误): https ://github.com/SharePoint/sp-dev-docs/issues/4915

Similar issue found, (but a different error) out on Github: https://github.com/SharePoint/sp-dev-docs/issues/4915

推荐答案

最近，对于一个调用graphAPI的Web部件，我也遇到了类似的问题.在桌面团队中，呼叫永远不会发生，并且会陷入困境.我可以按照以下步骤修复它:-

I faced similar issue recently for a webpart that was calling graphAPI. On Desktop teams the call never use to happen and it use to get stuck. I was able to fix it by following these steps: -

步骤1.访问Tenant Admin网站上新的API权限管理页面.这在幕后创建了一个客户机密.

Step 1. Visit the new API Permission Management Page on the Tenant Admin Site. This creates a client secret behind the scenes.

第2步.转到-> https://aad.portal .azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

第3步.点击SharePoint Online Client Extensibility Web Application Principal

第4步.在左侧菜单上单击清单".第5步.从oAuth2Permission数组中复制ID.

Step 4. Click Manifest on the left menu Step 5. Copy the id from the oAuth2Permission array

"oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "id": "2143704b-186b-4210-b555-d03aa61823cf",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
            "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "value": "user_impersonation"
        }
    ],

步骤6.将"preAuthorizedApplications"条目替换为以下json.保持appId如下所示.

Step 6. Replace "preAuthorizedApplications" entry with the following json. Keep the appId as it is written below.

"preAuthorizedApplications": [
    {
        "appId": "00000003-0000-0ff1-ce00-000000000000",
        "permissionIds": [
            "YOUR COPIED ID FROM STEP 5"
        ]
    }
],

第7步.点击保存.

让我知道这是否对您有用.我从 https://github.com/引用了上述步骤SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341

Let me know if this works for you. I referred the above steps from https://github.com/SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341

这篇关于MSTeams Desktop Client中的SPFx Webpart引发UnauthorizedAccessException的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！