"microsoftTeams.authentication.getAuthToken" Failed

Question

"microsoftTeams.authentication.getAuthToken" Failed

Jitao Gu 0

I developed a web page hosted in teams app, need to authentication in web.

microsoftTeams.app.initialize().then(() => {
    microsoftTeams.authentication.getAuthToken().then((result) => {
        resolve(result);
    }).catch((error) => {
        reject("Error getting token: " + error);
    });
});

In manifest.json, I configure

"webApplicationInfo": {
        "id": "${{AAD_APP_CLIENT_ID}}",
        "resource": "api://${{TAB_DOMAIN}}/${{AAD_APP_CLIENT_ID}}"
    }

I open the web in teams app:

The result I get is

{"Description":"Recieved an error from AAD. Code: 'invalid_resource' description: '(pii)' correlation id: 'b23ed14c-137a-400e-98c0-d9969662ab1a'","Domain":"com.microsoft.oneauth","ErrorCode":"2002","Message":"Access denied for the resource.","SystemErrorCode":"0","Tag":"965yc","Type":"OneAuth","aad_request_sequence":"1.P","additional_query_parameters_count":"2","all_error_tags":"965yc|965yc|965yc","api_error_code":"0","api_error_context":"Recieved an error from AAD. Code: 'invalid_resource' description: '(pii)' correlation id: 'b23ed14c-137a-400e-98c0-d9969662ab1a'","api_error_tag":"965yc","api_name":"AcquireTokenSilently","api_status_code":"StatusInternal::IncorrectConfiguration","auth_flow":"FRT","auth_flow_last_error":"invalid_resource","authority_type":"AAD","authorization_type":"CachedRefreshToken","broker_app_used":"false","client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","correlation_id":"b23ed14c-137a-400e-98c0-d9969662ab1a","http_call_count":"1","is_successful":"false","last_http_response_code":"400","msal_version":"1.1.0+61e1eea1","original_authority":"https://login.microsoftonline.com/270a8c96-4480-4b5c-954f-c264cee2d33c","prt_enabled":"false","read_token":"ID|ART-8f09e19b2bd57f78|FRT-8f09e19b2bd57f78","request_duration":"558","request_eligible_for_broker":"false-SsoUnavbl","request_id":"a11b7dc0-8afe-40e4-ae1b-6869e0089b01","request_new_prt":"false","server_error_code":"500011","start_time":"2025-02-10T10:24:41.000Z","stop_time":"2025-02-10T10:24:41.000Z","storage_read":"DAC|DID|DAMD|DRT|DRT","was_request_throttled":"false”}

Jitao Gu 0 Reputation points

2025-02-11T02:37:42.7433333+00:00

The error log should be "

{"Description":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","Domain":"com.microsoft.oneauth","ErrorCode":"2400","Message":"The operation attempted is invalid.","SystemErrorCode":"0","Tag":"49dvr","Type":"OneAuth","additional_query_parameters_count":"2","all_error_tags":"49dvr","api_error_code":"0","api_error_context":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","api_error_tag":"49dvr","api_name":"AcquireTokenInteractively","api_status_code":"StatusInternal::ApiContractViolation","authority_type":"AAD","authorization_type":"Interactive","broker_app_used":"false","browser_navigation_count":"2","client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","correlation_id":"6b8ef2b5-c123-4acb-a0e9-803941f2d7ec","is_successful":"false","msal_version":"1.1.0+61e1eea1","original_authority":"https://login.microsoftonline.com/270a8c96-4480-4b5c-954f-c264cee2d33c","prt_enabled":"false","read_token":"ART-f1a1cfb3d5bc6fa7|FRT-f1a1cfb3d5bc6fa7","request_duration":"763","request_eligible_for_broker":"false-SsoInteractiveVer","request_new_prt":"false","start_time":"2025-02-11T01:02:43.000Z","stop_time":"2025-02-11T01:02:43.000Z","storage_read":"DAMD|DID|DRT|DRT","ui_event_count":"1","was_request_throttled":"false"}

Nivedipa-MSFT 3,646 Microsoft External Staff Moderator

@Jitao Gu - Thank you for bringing this issue to our attention.
It looks like you're encountering an invalid_resource error when trying to authenticate your web page hosted in a Teams app. This error typically indicates that the resource URL specified in your manifest.json does not match the expected resource URL configured in Azure AD.

Here are some steps to troubleshoot and resolve this issue:

Verify Resource URL: Ensure that the resource URL in your manifest.json matches the one configured in Azure AD. The resource URL should be in the format api://<TAB_DOMAIN>/<AAD_APP_CLIENT_ID>.

Check Azure AD App Registration:

Go to the Azure portal and navigate to your app registration.

  Verify that the `Application ID URI` matches the resource URL specified in your `manifest.json`.
  
     Ensure that the `Redirect URI` is correctly configured to handle the authentication flow.
     
     **Update Manifest File**: Make sure your `manifest.json` file is correctly configured. It should look something like this:
     
     ```json
     "webApplicationInfo": {
"id": "your-aad-app-client-id",
"resource": "api://your-tab-domain/your-aad-app-client-id"

} ```

     **Permissions and Consent**:
     
        Ensure that the necessary API permissions are granted in Azure AD.
        
           Admin consent might be required for certain permissions. Make sure the permissions are consented to by an admin.
           
           **Debugging**:
           
              Use browser developer tools to inspect network requests and responses.
              
                 Check for any additional error messages or details that might help identify the issue.

Jitao Gu 0 Reputation points

2025-02-12T04:56:09.6433333+00:00
At https://entra.microsoft.com/: I register the App:

Application (client) ID: 4776c18b-280e-47a3-9f38-1a19f237d5b9

APP ID URL : api://group-change-web-bucket.s3.ap-southeast-2.amazonaws.com/4776c18b-280e-47a3-9f38-1a19f237d5b9

In my manifest.json

"staticTabs": [ { "entityId": "index0", "name": "Second${{APP_NAME_SUFFIX}}", "contentUrl": "${{TAB_ENDPOINT}}", "websiteUrl": "${{TAB_ENDPOINT}}", "scopes": [ "personal", "groupChat", "team" ] } ], "permissions": [ "identity", "messageTeamMembers" ], "validDomains": [ "group-change-web-bucket.s3.ap-southeast-2.amazonaws.com" ], "webApplicationInfo": { "id": "4776c18b-280e-47a3-9f38-1a19f237d5b9", "resource": "api://group-change-web-bucket.s3.ap-southeast-2.amazonaws.com/4776c18b-280e-47a3-9f38-1a19f237d5b9" }

I get the error:

{"Description":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","Domain":"com.microsoft.oneauth","ErrorCode":"2400","Message":"The operation attempted is invalid.","SystemErrorCode":"0","Tag":"49dvr","Type":"OneAuth","additional_query_parameters_count":"2","all_error_tags":"49dvr","api_error_code":"0","api_error_context":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","api_error_tag":"49dvr","api_name":"AcquireTokenInteractively","api_status_code":"StatusInternal::ApiContractViolation","authority_type":"AAD","authorization_type":"Interactive","broker_app_used":"false","browser_navigation_count":"2","client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","correlation_id":"a268cd06-e8fd-460c-8d41-bfae78bb1fa3","is_successful":"false","msal_version":"1.1.0+61e1eea1","original_authority":"https://login.microsoftonline.com/270a8c96-4480-4b5c-954f-c264cee2d33c","prt_enabled":"false","read_token":"ART-b0760b0c766a7f91|FRT-b0760b0c766a7f91","request_duration":"870","request_eligible_for_broker":"false-SsoInteractiveVer","request_new_prt":"false","start_time":"2025-02-10T23:58:16.000Z","stop_time":"2025-02-10T23:58:17.000Z","storage_read":"DAMD|DID|DRT|DRT","ui_event_count":"1","was_request_throttled":"false"}

It seems that I need a client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264" , which is not my Application (client) ID.
Jitao Gu 0 Reputation points

2025-02-12T05:01:15.92+00:00

I config the api url correctly in manifest.json. And then get the error:

{"Description":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","Domain":"com.microsoft.oneauth","ErrorCode":"2400","Message":"The operation attempted is invalid.","SystemErrorCode":"0","Tag":"49dvr","Type":"OneAuth","additional_query_parameters_count":"2","all_error_tags":"49dvr","api_error_code":"0","api_error_context":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","api_error_tag":"49dvr","api_name":"AcquireTokenInteractively","api_status_code":"StatusInternal::ApiContractViolation","authority_type":"AAD","authorization_type":"Interactive","broker_app_used":"false","browser_navigation_count":"2","client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","correlation_id":"6b8ef2b5-c123-4acb-a0e9-803941f2d7ec","is_successful":"false","msal_version":"1.1.0+61e1eea1","original_authority":"https://login.microsoftonline.com/270a8c96-4480-4b5c-954f-c264cee2d33c","prt_enabled":"false","read_token":"ART-f1a1cfb3d5bc6fa7|FRT-f1a1cfb3d5bc6fa7","request_duration":"763","request_eligible_for_broker":"false-SsoInteractiveVer","request_new_prt":"false","start_time":"2025-02-11T01:02:43.000Z","stop_time":"2025-02-11T01:02:43.000Z","storage_read":"DAMD|DID|DRT|DRT","ui_event_count":"1","was_request_throttled":"false"}

There is data "client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264" .

Could you tell what is this client_id? It is not the " application client id " I register in entra.microsoft.com.

Thanks

2 answers

Your answer

Jitao Gu 0 Reputation points

2025-02-11T02:37:42.7433333+00:00

The error log should be "

{"Description":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","Domain":"com.microsoft.oneauth","ErrorCode":"2400","Message":"The operation attempted is invalid.","SystemErrorCode":"0","Tag":"49dvr","Type":"OneAuth","additional_query_parameters_count":"2","all_error_tags":"49dvr","api_error_code":"0","api_error_context":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","api_error_tag":"49dvr","api_name":"AcquireTokenInteractively","api_status_code":"StatusInternal::ApiContractViolation","authority_type":"AAD","authorization_type":"Interactive","broker_app_used":"false","browser_navigation_count":"2","client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","correlation_id":"6b8ef2b5-c123-4acb-a0e9-803941f2d7ec","is_successful":"false","msal_version":"1.1.0+61e1eea1","original_authority":"https://login.microsoftonline.com/270a8c96-4480-4b5c-954f-c264cee2d33c","prt_enabled":"false","read_token":"ART-f1a1cfb3d5bc6fa7|FRT-f1a1cfb3d5bc6fa7","request_duration":"763","request_eligible_for_broker":"false-SsoInteractiveVer","request_new_prt":"false","start_time":"2025-02-11T01:02:43.000Z","stop_time":"2025-02-11T01:02:43.000Z","storage_read":"DAMD|DID|DRT|DRT","ui_event_count":"1","was_request_throttled":"false"}
Nivedipa-MSFT 3,646 Reputation points Microsoft External Staff Moderator

2025-02-11T05:41:45.3433333+00:00

@Jitao Gu - Thank you for bringing this issue to our attention.
It looks like you're encountering an invalid_resource error when trying to authenticate your web page hosted in a Teams app. This error typically indicates that the resource URL specified in your manifest.json does not match the expected resource URL configured in Azure AD.

Here are some steps to troubleshoot and resolve this issue:

Verify Resource URL: Ensure that the resource URL in your manifest.json matches the one configured in Azure AD. The resource URL should be in the format api://<TAB_DOMAIN>/<AAD_APP_CLIENT_ID>.

Check Azure AD App Registration:

Go to the Azure portal and navigate to your app registration.

Verify that the `Application ID URI` matches the resource URL specified in your `manifest.json`. Ensure that the `Redirect URI` is correctly configured to handle the authentication flow. **Update Manifest File**: Make sure your `manifest.json` file is correctly configured. It should look something like this: ```json "webApplicationInfo": { "id": "your-aad-app-client-id", "resource": "api://your-tab-domain/your-aad-app-client-id"

} ```

**Permissions and Consent**: Ensure that the necessary API permissions are granted in Azure AD. Admin consent might be required for certain permissions. Make sure the permissions are consented to by an admin. **Debugging**: Use browser developer tools to inspect network requests and responses. Check for any additional error messages or details that might help identify the issue.
Jitao Gu 0 Reputation points

2025-02-12T05:01:15.92+00:00

I config the api url correctly in manifest.json. And then get the error:

{"Description":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","Domain":"com.microsoft.oneauth","ErrorCode":"2400","Message":"The operation attempted is invalid.","SystemErrorCode":"0","Tag":"49dvr","Type":"OneAuth","additional_query_parameters_count":"2","all_error_tags":"49dvr","api_error_code":"0","api_error_context":"Embedded browser flow resulted in 'invalid_client' with description '(pii)'","api_error_tag":"49dvr","api_name":"AcquireTokenInteractively","api_status_code":"StatusInternal::ApiContractViolation","authority_type":"AAD","authorization_type":"Interactive","broker_app_used":"false","browser_navigation_count":"2","client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","correlation_id":"6b8ef2b5-c123-4acb-a0e9-803941f2d7ec","is_successful":"false","msal_version":"1.1.0+61e1eea1","original_authority":"https://login.microsoftonline.com/270a8c96-4480-4b5c-954f-c264cee2d33c","prt_enabled":"false","read_token":"ART-f1a1cfb3d5bc6fa7|FRT-f1a1cfb3d5bc6fa7","request_duration":"763","request_eligible_for_broker":"false-SsoInteractiveVer","request_new_prt":"false","start_time":"2025-02-11T01:02:43.000Z","stop_time":"2025-02-11T01:02:43.000Z","storage_read":"DAMD|DID|DRT|DRT","ui_event_count":"1","was_request_throttled":"false"}

There is data "client_id":"1fec8e78-bce4-4aaf-ab1b-5451cc387264" .

Could you tell what is this client_id? It is not the " application client id " I register in entra.microsoft.com.

Thanks

Answer 1

@Jitao Gu - The client_id you see in the error message (1fec8e78-bce4-4aaf-ab1b-5451cc387264) is indeed different from the application client ID you registered in Entra (Azure AD). This client_id is associated with the Microsoft OAuth library, which is used for authentication flows in Microsoft applications

Here are a few steps to troubleshoot and resolve the invalid_client error:

Verify Client ID and Secret: Ensure that the client ID and client secret in your application match those registered in Azure AD. Double-check for any typos or mismatches
Redirect URI: Make sure the redirect URI in your manifest file matches exactly with the one registered in Azure AD. Any discrepancies can cause authentication issues.
Permissions and Scopes: Verify that the necessary API permissions and scopes are granted to your application in Azure AD. Ensure that the permissions are correctly configured and consented to.

Manifest Configuration: Double-check the configuration in your manifest.json file to ensure all URLs and settings are correct.

Network and Firewall: Ensure that there are no network or firewall restrictions blocking the authentication endpoints.

Please refer to the Microsoft identity platform documentation for more detailed guidance on configuring and troubleshooting OAuth 2.0 authorization code flow: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow

Thanks,

Nivedipa

-----------------------------------------------------------------------------------------------------------

If the response is helpful, please click "Accept Answer" and upvote it. You can share your feedback via Microsoft Teams Developer Feedback link. Click here to escalate.

Answer 2

Max Gargani 0

client_id 1fec8e78-bce4-4aaf-ab1b-5451cc387264 is not your application ID it is the ID of Team Mobile/Desktop app and ID 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 is the Teams Web App.

You have to allow Teams ID to access your app. Add the Teams ID (Mobile/Desktop and-or web) to Authorized Client Application (wher you added your application ID).

User's image

Share via

"microsoftTeams.authentication.getAuthToken" Failed

2 answers

Your answer