SharePoint File Picker White Box Issue

[ITProfeska]

My state of the art Librechat deployment failing on SharePoint File Picker White Box Issue

Environment

• LibreChat Version: Latest main branch (commit: 4a2de41)
• Deployment: PM2 on Ubuntu VM
• Authentication: Multi-tenant Azure AD OpenID Connect
• Issue: SharePoint file picker shows blank/white box, Graph API token acquisition fails

Configuration

Working Components

✅ OpenID authentication working (multi-tenant)
✅ Token reuse enabled: `OPENID_REUSE_TOKENS=true`
✅ Users can login successfully from multiple tenants
✅ File picker button appears in UI

Non-Working Component

❌ SharePoint file picker displays blank white box
❌ Graph API token exchange failing

Environment Variables (.env)

```bash

OpenID Configuration

OPENID_ENABLED=true
OPENID_CLIENT_ID=
OPENID_ISSUER=https://login.microsoftonline.com/organizations/v2.0
OPENID_SCOPE=api://.default openid profile email offline_access
OPENID_REUSE_TOKENS=true
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true
OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE=user.read
OPENID_USE_PKCE=true
OPENID_AUTO_REDIRECT=false
OPENID_REDIRECT_URI=https:///oauth/openid/callback

Microsoft Graph Configuration

MICROSOFT_GRAPH_CLIENT_ID=1___
MICROSOFT_GRAPH_CLIENT_SECRET=[REDACTED]
MICROSOFT_GRAPH_TENANT_ID=f___

SharePoint Configuration

ENABLE_SHAREPOINT_FILEPICKER=true
SHAREPOINT_BASE_URL=https://.sharepoint.com
SHAREPOINT_PICKER_CLIENT_ID=
SHAREPOINT_PICKER_CLIENT_SECRET=[REDACTED]
SHAREPOINT_PICKER_TENANT_ID=f___
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://___.sharepoint.com/AllSites.Read
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All

Proxy Configuration (Cloudflare tunnel)

TRUST_PROXY=1
COOKIE_SECURE=false

Debug

DEBUG_OPENID=true
```

librechat.yaml Configuration

```yaml
fileConfig:
sources:
- "sharepoint"
- "local"
```

Azure App Registration Configuration

App Details

• App ID: ___
• Tenant: onmicrosoft.com ()
• Type: Multi-tenant (Any organizational directory)

Exposed API

• Application ID URI: `api://___`
• Custom Scope: `access_user` (Delegated, Admin consent granted)

API Permissions (All granted with admin consent)

Microsoft Graph (Delegated):

• Files.Read.All
• Sites.Read.All
• User.Read
• openid
• profile
• email
• offline_access

SharePoint (Delegated):

• AllSites.Read

Custom API (ChatGraphIntegration):

• api://____/access_user

Redirect URIs

• https://___

/oauth/openid/callback

Observed Behavior

What Works

1. User clicks "Continue with Microsoft"
2. Azure AD authentication succeeds
3. User is redirected back to LibreChat
4. Dashboard loads normally
5. User can create chats and use normal features

What Doesn't Work

1. User starts a new chat
2. Clicks attachment button (📎)
3. Clicks "From SharePoint"
4. Modal opens with completely blank/white box
5. No loading indicator, no error message, just white

Error Logs (PM2)

```
[GraphTokenService] Failed to acquire Graph API token for user: server responded with an error in the response body
[graphTokenController] Failed to obtain Graph API token: Graph token acquisition failed: server responded with an error in the response body
```

Note: The error message is vague and doesn't include the actual Azure error response.

Analysis

Root Cause

The On-Behalf-Of (OBO) token exchange is failing when LibreChat tries to exchange the user's access token for a Microsoft Graph API token. This prevents the SharePoint picker from accessing SharePoint sites.

Expected Behavior

The SharePoint picker should:

1. Use the stored user token (OPENID_REUSE_TOKENS=true)
2. Exchange it via OBO flow for a Graph API token
3. Use Graph API token to call SharePoint APIs
4. Display user's SharePoint sites in the picker modal

What's Likely Happening

1. User token is stored correctly (authentication works)
2. OBO token exchange request to Azure AD fails
3. Graph API call cannot be made without valid token
4. SharePoint picker receives error and displays blank

Possible Causes

1. OBO flow misconfiguration: The custom API scope (`api://../.default`) may not be correctly configured for OBO
2. Azure token validation: Azure may be rejecting the OBO request due to scope/audience mismatch
3. LibreChat OBO implementation: The OBO implementation may have a bug or missing configuration
4. Error handling: LibreChat may not be properly logging the actual Azure error response

Questions for LibreChat Team

1. OBO Scope Configuration: Should `OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE` use the custom API scope instead of just `user.read`?

2. Error Logging: Can the GraphTokenService error handling be enhanced to log the actual Azure error response? Currently it only logs "server responded with an error in the response body" without details.

3. Required Scopes: What is the exact scope configuration required for SharePoint OBO flow to work? Should the initial `OPENID_SCOPE` include Graph API scopes, or only the custom API scope?

4. Debug Mode: Is there a way to enable more verbose logging for the OBO token exchange process?

5. Multi-tenant: Are there any known issues with SharePoint picker in multi-tenant configurations?

Attempted Troubleshooting

What We Tried

✅ Verified all Azure API permissions granted
✅ Created custom API scope (`access_user`) and added to app
✅ Updated `OPENID_SCOPE` to use `api://.../.default`
✅ Enabled token reuse (`OPENID_REUSE_TOKENS=true`)
✅ Enabled OBO flow (`OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true`)
✅ Verified tenant IDs match across all configuration
✅ Added SharePoint to `fileConfig.sources` in librechat.yaml
✅ Upgraded to latest main branch (from v0.8.1-rc2)
✅ Cleared browser cache completely
✅ Tested in fresh incognito windows
✅ Verified Cloudflare proxy settings (`TRUST_PROXY=1`, `COOKIE_SECURE=false`)

What Didn't Help

❌ Changing tenant IDs
❌ Different scope combinations
❌ Browser cache clearing
❌ Restarting services

Request

Could the LibreChat team please:

1. Provide guidance on the correct configuration for SharePoint OBO flow with custom API scopes
2. Enhance error logging in GraphTokenService to show actual Azure error responses
3. Share working example of SharePoint configuration for multi-tenant Azure AD apps
4. Document the exact scope configuration needed for SharePoint picker to work

Additional Context

• This is a production deployment with working authentication
• All other LibreChat features work perfectly
• SharePoint picker is the only non-functional component
• We have verified Azure app registration configuration multiple times
• Admin consent has been granted for all required permissions

Thank you for any assistance!

[ITProfeska]

Current status of this issue, as on screen shot:

[ITProfeska]

Solved for users in one tenant, for second connected tenant still same error.

[katmai149]

Solution for SharePoint File Picker "White Box" Issue

I had the same problem and found a solution. The root cause is an incomplete OBO (On-Behalf-Of) flow configuration in Azure AD.

The critical points:

1. API Exposition is mandatory - Your app must expose an API:

   • Set Application ID URI: api://<YOUR_CLIENT_ID>
   • Create an OAuth2 Permission Scope with value default
   • Add the app itself as a Pre-Authorized Client (this is the commonly missed step!)

2. OPENID_SCOPE must include the API scope:

   OPENID_SCOPE=api://<YOUR_CLIENT_ID>/default openid profile email offline_access
   

   (Note: /default is the scope name, not /.default!)

3. Configure email claim as "essential" - Otherwise user identification won't work correctly

4. Known limitation: The SharePoint picker does NOT work for guest users (external accounts). The OBO flow is not designed for cross-tenant scenarios. Internal accounts work fine, guests will only see an empty/white box.

I've documented a complete step-by-step guide with Azure CLI commands, Terraform examples, and a troubleshooting section here:
👉 https://xunil.de/posts/librechat-azure-entra-sharepoint/