Unable to retrieve Client Secret #9949

Open
9 tasks
marcus-atvero opened this issue Oct 2, 2024 · 2 comments
Labels
Needs: Triage 🔍 Awaiting categorization and initial review. type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs.

@marcus-atvero

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

  • all

Describe the bug / error

Across our customer tenancies, I've seen the new Entra App Registration manifest functions appear recently, where we have "Microsoft Graph App Manifest (New)" alongside "AAD Graph App Manifest (Deprecating Soon)". This seems related to issues with registering SPFx application API access when the SPFx app is making calls to Entra ID protected APIs.

The first issue is when approving Graph API access requests, they don't "stick" to the SPFx helper principal, but just disappear, but our app seems to work fine anyway. Non-Graph requests such as user_impersonation for our own app do stick.

However, calls to our APIs fail with "Unable to retrieve Client Secret" - I think it's related to MSAL v3 and the new token retrieval.

The fix was to delete the sensible looking client secret for the SPFx principal, e.g.

"ClientSecret-4d755061-e97f-471b-8afa-2a"

and go back to the SharePoint API management page and reload, when it creates the new weird broken looking secret I've seen across other tenancies:

"Ö{X!Å'�I��¹Ngãü"

and then things work as normal.

Steps to reproduce

Register an SPFx with a manifest that specifies the scope of an Entra ID application that will be used to access an Entra ID protected API

Expected behavior

  • The correct client secret to be generated for the SPFx helper principal

marcus-atvero added the type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs. label Oct 2, 2024

@jumpei-yamauchi
jumpei-yamauchi commented Oct 4, 2024

One of our clients is getting the same network error - "Unable to retrieve Client Secret", when hitting _api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken endpoint.

We have a custom SPFx solution deployed in their tenant which requires access to a few Graph permissions (User.Read.All, GroupMember.Read.All, etc.). API access requests to these permissions have been approved.

They are getting the above error when viewing one of the SharePoint Site pages with a webpart from the custom solution. The webpart makes calls to "/groups" and "/users" Graph endpoints.

@marcusroberts

Our current workaround is to delete the client secret for the SPFx helper that starts clientsecret- and reload the SharePoint API management page. This creates a new secret with a scrambled name.

However, the acquireOBOToken then fails with a generic error.

Go back to the API management page and reload. It then creates the second secret starting clientsecret-.

Our calls then work.

Spfxhelper creation is still broken. Deleting it used to create all this stuff correctly, but now it's just broken.

@VesaJuvonen VesaJuvonen added the Needs: Triage 🔍 Awaiting categorization and initial review. label Oct 7, 2024
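
To compare tenancies for the secret states described in the comments above, this added example (not code from the issue's participants or from the SharePoint project) classifies an app registration's secrets by display name and expiry. It assumes the registration has been exported as a Microsoft Graph `application` object with a `passwordCredentials` array; the function names and the sample data are hypothetical and constructed.

```javascript
// Added example: inventory the secrets on one app registration by the
// display-name patterns reported in this thread. Reads names, key ids and
// expiry dates only; it never touches a secret value.

const NAMED_PREFIX = /^clientsecret-/i;     // e.g. "ClientSecret-4d75..." (case varies in the thread)
const PRINTABLE_ASCII = /^[\x20-\x7e]+$/;   // anything outside this range counts as scrambled

function classifyName(displayName) {
  if (typeof displayName !== "string" || displayName.length === 0) return "unnamed";
  if (NAMED_PREFIX.test(displayName)) return "named";
  if (!PRINTABLE_ASCII.test(displayName)) return "scrambled";
  return "other";
}

// app: Microsoft Graph `application` object (assumed export format).
// now: injectable clock so results are reproducible.
function auditSecrets(app, now = new Date()) {
  const creds = Array.isArray(app.passwordCredentials) ? app.passwordCredentials : [];
  const rows = creds.map((c) => ({
    keyId: c.keyId,
    kind: classifyName(c.displayName),
    expired: c.endDateTime ? new Date(c.endDateTime) <= now : false,
  }));
  const live = rows.filter((r) => !r.expired);
  // Distinct kinds among unexpired secrets, for side-by-side tenant comparison.
  const liveKinds = [...new Set(live.map((r) => r.kind))].sort();
  return { rows, liveKinds, liveCount: live.length };
}

// Constructed sample (not from a real tenant); key ids and names are placeholders.
const sampleApp = {
  displayName: "spfx-helper (constructed)",
  passwordCredentials: [
    { keyId: "00000000-0000-0000-0000-000000000001",
      displayName: "ClientSecret-00000000-0000-0000-0000-00",
      endDateTime: "2020-01-01T00:00:00Z" },
    { keyId: "00000000-0000-0000-0000-000000000002",
      displayName: "\u00d6{X!\u00c5'\ufffdI\ufffd\u00b9Ng",
      endDateTime: "2099-01-01T00:00:00Z" },
  ],
};

console.log(auditSecrets(sampleApp, new Date("2024-10-07T00:00:00Z")));
```

Running it against each tenant's export shows which tenants hold only a `clientsecret-` secret, only a scrambled-name secret, or both, which are the three states the comments describe.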