Description
Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Developer environment
Windows
What browser(s) / client(s) have you tested
- 💥 Internet Explorer
- 💥 Microsoft Edge
- 💥 Google Chrome
- 💥 FireFox
- 💥 Safari
- mobile (iOS/iPadOS)
- mobile (Android)
- not applicable
- other (enter in the "Additional environment details" area below)
Additional environment details
- browser version: 137.0.7151.69 (Official Build) (arm64)
- SPFx version: 1.21.1
- Node.js version: 22.16.0
Describe the bug / error
Issue Summary
We have encountered a critical issue affecting multiple tenants since May 2025. Whenever a SharePoint Framework (SPFx) package attempts to retrieve a token from a custom API for which a permission is still pending (neither approved nor rejected), the SharePoint page reloads three times automatically.
This behavior is repeated just once for a period of between 2 and 5 minutes (I don't know exactly, I guess there's a cache) and then refreshes 3 times again on the next navigation.
This behavior occurs systematically and seems to have been introduced after the recent change described in the following article: Changes on SharePoint Framework (SPFx) permission grants in Microsoft Entra ID.
Technical Observation
Before each page reload, the following request is made:
```
GET https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
```
And includes the following payload:
```
client_id=08e18876-6177-487e-b8b5-cf950c1e598c
scope={application_id_uri}%2F.default%20openid%20profile%20offline_access
[...]
```
This request results in an HTTP 302 redirect with the following header:
```
Location: https://{tenant}.sharepoint.com/_forms/spfxsinglesignon.aspx
```
And includes the following error details in the query string on this Location:
```
error=invalid_client
error_description=AADSTS650057: Invalid resource.
The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration.
Client app ID: 08e18876-6177-487e-b8b5-cf950c1e598c (SharePoint Online Web Client Extensibility)
Resource value from request: {application_id_uri}
[...]
```
Impact
- This issue affects several dozen of our clients.
- Tens of thousands of users are impacted by the page reload loop.
- It severely disrupts the user experience and functionality of our SPFx solutions.
Steps to reproduce
- Create a basic `HelloWorld` SPFx project of type `ApplicationCustomizer` using SPFx version 1.21.1.
- In the `package-solution.json` file, add a custom API permission under the `webApiPermissionRequests` section (e.g., for a custom Entra ID app).
- In the `HelloWorldApplicationCustomizer.ts` file, retrieve a token for the custom API using the following code:
```typescript
export default class HelloWorldApplicationCustomizer extends BaseApplicationCustomizer<IHelloWorldApplicationCustomizerProperties> {
  public async onInit(): Promise<void> {
    Log.info(LOG_SOURCE, `Initialized ${strings.Title}`);
    const tokenProvider = await this.context.aadTokenProviderFactory.getTokenProvider();
    // Token request for the custom API whose permission is still pending
    const token = await tokenProvider.getToken("{application_id_uri}");
  }
}
```
- Build and package the solution.
- Upload the `.sppkg` file to the App Catalog, deploy it, and ensure it is enabled by default.
- Important: Do not approve or reject the API permission request in the SharePoint Admin Center.
- Navigate to a SharePoint page and observe the behavior: the page refreshes three times automatically each time `getToken()` is called.
Expected behavior
The page should remain stable and handle the permission request gracefully without causing reloads, even if the permission is pending.
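For triaging this behaviour from a HAR or proxy capture, the following added example (not code from the report or from SPFx) parses the `Location` value of the redirect to `spfxsinglesignon.aspx` and lists the resources that failed with AADSTS650057 three or more times. The function names, the `contoso` tenant and the `api://example-api` resource are assumptions made for the sample.

```typescript
// Added triage helper; fields mirror the error details shown in the report.
interface SsoRedirectFinding {
  isSpfxSsoRedirect: boolean; // redirect landed on /_forms/spfxsinglesignon.aspx
  error: string | null;       // OAuth "error" query parameter
  aadstsCode: string | null;  // e.g. AADSTS650057
  clientAppId: string | null; // "Client app ID" from error_description
  resource: string | null;    // "Resource value from request"
}

function parseSsoRedirect(location: string): SsoRedirectFinding {
  const finding: SsoRedirectFinding = {
    isSpfxSsoRedirect: false, error: null, aadstsCode: null, clientAppId: null, resource: null,
  };
  let url: URL;
  try { url = new URL(location); } catch (e) { return finding; } // not an absolute URL
  const description = url.searchParams.get("error_description") || "";
  const pick = (re: RegExp): string | null => {
    const m = re.exec(description);
    return m && m[1] ? m[1] : null;
  };
  finding.isSpfxSsoRedirect = /\/_forms\/spfxsinglesignon\.aspx$/i.test(url.pathname);
  finding.error = url.searchParams.get("error");
  finding.aadstsCode = pick(/\b(AADSTS\d+)\b/);
  finding.clientAppId = pick(/Client app ID:\s*([0-9a-f-]{36})/i);
  // Drop a sentence-ending period that may follow the resource value.
  const resource = pick(/Resource value from request:\s*(\S+)/);
  finding.resource = resource ? resource.replace(/\.$/, "") : null;
  return finding;
}

// Resources that hit AADSTS650057 at least `threshold` times in the capture;
// the default of three matches the reload count described in the report.
function findReloadLoops(locations: string[], threshold: number = 3): string[] {
  const counts: Record<string, number> = {};
  locations.forEach((loc) => {
    const f = parseSsoRedirect(loc);
    if (f.isSpfxSsoRedirect && f.aadstsCode === "AADSTS650057" && f.resource) {
      counts[f.resource] = (counts[f.resource] || 0) + 1;
    }
  });
  return Object.keys(counts).filter((r) => (counts[r] || 0) >= threshold);
}

// Constructed sample: placeholder tenant and resource, error text from the report.
const SAMPLE_DESCRIPTION = "AADSTS650057: Invalid resource. Client app ID: " +
  "08e18876-6177-487e-b8b5-cf950c1e598c (SharePoint Online Web Client Extensibility) " +
  "Resource value from request: api://example-api.";
const SAMPLE_LOCATION = "https://contoso.sharepoint.com/_forms/spfxsinglesignon.aspx" +
  "?error=invalid_client&error_description=" + encodeURIComponent(SAMPLE_DESCRIPTION);
```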