Forum Discussion
Feb 26, 2018
Invalid issuer or signature error in SPO Provider-Hosted AddIns
(Note: we have already verified that this is not a problem with expired client secrets)
Hi all, we are having problems with SPO Provider-Hosted Add-Ins where we are using remote event receivers...al...
VesaJuvonen
Microsoft
Feb 26, 2018
Can you open up an issue at the following location with sufficient details, so that we can start working on this within engineering? We use this issue list for tracking incoming issues around SharePoint development, and issues are automatically synced to our VSO for internal tracking.
Thanks for your submission in advance - https://github.com/SharePoint/sp-dev-docs/issues.
This GitHub issue list is an alternative or add-on tool for opening up an official support ticket through official channels with Premier support or with SPO Online support, which should always be the #1 step for any unexpected issues so that things are getting tracked using official channels.
Feb 26, 2018
Hi Vesa!
I have already submitted the issue: https://github.com/SharePoint/sp-dev-docs/issues/1409. Of course, we tried first to open a support ticket but support team told us that they didn't provide support to any issue related to third party development :-(. That's the reason I have decided to post here the problem and also at other channels
- Jan Steenbeek
Feb 27, 2018
Copper Contributor
We've run into the same issue in the last two months. Over each tenant we provide PH solutions in (8 so far), we see that renewed client secrets do not work with the invalid issuer error. We ran into a wall with support, so we figured we would wait until others started reporting this. Well, here we are :)
As a workaround we use Remove-MSOLServicePrincipal (https://docs.microsoft.com/en-us/powershell/module/msonline/remove-msolserviceprincipal) to remove the registration and recreate it using the same Client ID on AppRegNew.aspx. When using the same client ID the granted permissions carry over. This gives a service interruption of half an hour to a couple of hours, but it's better than nothing.
- Feb 27, 2018
Ey Jan,
Thanks! Do you mean that this workaround ended with your solutions working again after half an hour? What do you mean by service interruption?
Thanks again!!!
- Jan Steenbeek
Feb 27, 2018
Copper Contributor
It is important to note that we ran into this when creating new secrets for secrets that were about to expire. The normal procedure for replacing these secrets involves a secondary client secret, which allows for a switch over without interruption. Since the new client secrets were never accepted, in our experience things kept running until the switch, and then service breaks down with the invalid issuer message.
Using our procedure, recreating the app registration, the new client secret is not immediately accepted. Something needs to propagate in the back-end. We've seen this take between 0.5 and 4 hours. During this time the invalid issuer token message was shown.
In the end it all comes down to a difference in client secrets and app principals that are created through the Create-MSOLServicePrincipal cmdlet (broken), and those that are created through the AppRegNew.aspx page (works).
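
The remove-and-recreate workaround described in this thread, sketched as an added PowerShell example (not code from the thread's participants or from Microsoft). It assumes the MSOnline module is installed; the `-ClientId`, `-WarnDays` and `-Remove` parameters and the snapshot file name are choices made for this example. It records the add-in's service principal and the validity window of each secret before anything is deleted, so the same Client ID can be re-registered afterwards.

```powershell
# Added example: inventory an add-in principal's secrets, snapshot the
# registration, and optionally remove it so it can be recreated with the
# same Client ID on AppRegNew.aspx (the workaround described in the thread).
param(
    [Parameter(Mandatory)] [guid] $ClientId,   # the add-in's Client ID (placeholder, supply your own)
    [int]    $WarnDays = 30,                   # flag secrets ending within this many days
    [switch] $Remove                           # without this switch the script only reports
)

Import-Module MSOnline
Connect-MsolService

# Fail early if the principal does not exist in this tenant.
$sp = Get-MsolServicePrincipal -AppPrincipalId $ClientId -ErrorAction Stop

# List key metadata only; -ReturnKeyValues $false keeps secret values out of the output.
$now   = Get-Date
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $ClientId -ReturnKeyValues $false
$report = $creds | Sort-Object EndDate | Select-Object KeyId, Type, Usage, StartDate, EndDate,
    @{ Name = 'State'; Expression = {
        if     ($_.EndDate   -lt $now)                     { 'Expired' }
        elseif ($_.StartDate -gt $now)                     { 'NotYetValid' }
        elseif ($_.EndDate   -lt $now.AddDays($WarnDays))  { 'ExpiringSoon' }
        else                                               { 'Valid' }
    } }
$report | Format-Table -AutoSize

# Keep a record of what existed before the registration is removed.
$snapshot = "sp-$ClientId-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
[pscustomobject]@{
    DisplayName           = $sp.DisplayName
    AppPrincipalId        = $sp.AppPrincipalId
    ObjectId              = $sp.ObjectId
    ServicePrincipalNames = $sp.ServicePrincipalNames
    Credentials           = $report
} | ConvertTo-Json -Depth 4 | Set-Content -Path $snapshot
Write-Host "Snapshot written to $snapshot"

if ($Remove) {
    # Destructive step: the add-in cannot obtain tokens until it is re-registered.
    Remove-MsolServicePrincipal -AppPrincipalId $ClientId
    Write-Host "Removed $($sp.DisplayName). Re-register Client ID $ClientId on AppRegNew.aspx."
    Write-Host "The thread reports 0.5 to 4 hours before the new secret is accepted."
}
```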