[Question]: Sharepoint using azure entra facing error

[mansiibm]

Hi I am using the version v0.8.3-rc3 and I wanted to integrate share point to it-

So in my env file I make the config as -

OPENID_REUSE_TOKENS=true

Enable SharePoint file picker

ENABLE_SHAREPOINT_FILEPICKER=true

Your SharePoint tenant base URL

Format: https://[your-tenant-name].sharepoint.com

SHAREPOINT_BASE_URL=https://hidden-name.sharepoint.com

SharePoint scope for the file picker

Replace 'contoso' with your actual tenant name

SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://hidden-name.sharepoint.com/AllSites.Read

Microsoft Graph scope for file downloads

SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All

After setting this - I add the necessary permission to the app also -

And the scopes/permissions are granted also for my org.

Now the option for - sharepoint appears in the UI.

But when I am choosing any option a blank screen is coming up-

and the error in the backend is-

It is failing for everyone with the same message .

I am using the azure entra id as follows for authentication-

OPENID_ISSUER=https://login.microsoftonline.com/hidden/v2.0/
OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback

OPENID_BUTTON_LABEL=Login

Can you please correct me here if I am setting up somewhere wrong.......thanks !!!!

[mansiibm]

Precisely getting the following logs -

{"code":"OAUTH_RESPONSE_BODY_ERROR","error":"invalid_request","error_description":"AADSTS90014: The required field 'iss' is missing from the credential. Ensure that you have all the necessary parameters for the login request. Trace ID: 997c6a32-5644-4dfd-886c-aa86e9645400 Correlation ID: af5e2bff-hidden Timestamp: 2...","level":"error","message":"[GraphTokenService] Failed to acquire Graph API token for user dRj3r-hidden: server responded with an error in the response body","name":"ResponseBodyError","stack":"ResponseBodyError: server responded with an error in the response body\n at checkOAuthBodyError (file:///app/node_modules/oauth4webapi/build/index.js:889:19)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async ...","status":400,"timestamp":"2025-09-09T11:04:15.688Z"}
2025-09-09T11:04:20.440278227Z {"level":"error","message":"[graphTokenController] Failed to obtain Graph API token: Graph token acquisition failed: server responded with an error in the response body","stack":"Error: Graph token acquisition failed: server responded with an error in the response body\n at getGraphApiToken (/app/api/server/services/GraphTokenService.js:80:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n ...","timestamp":"2025-09-09T11:04:20.440Z"}

[mansiibm]

So you are suggesting to remove all the settings for share point and then login again and clear the cache and then again enable the share point settings ?

[mansiibm]

Facing this issue

[mansiibm]

So I did now this way, I disabled the sharepoint settings primarily rhe - reuse_openid_token and the sharepoint_file_picker- to false and then it vanished from the Ui and then I cleared the cache and re-enabled these two and share point did appear then again the screen was blank.

the scope you mentioned- offline_access is it required? if not can you pls correct me with my approach, this login issue happened when I tried setting the MS graph api for group permission thing for agents sharing also.

[R-Vulcan]

Yeah the login loop was my fault my entra users didn't return an email claim by default after login, had to add it in Token Configuration in the App Registration.

I did not have the error you showed here though, make sure you configured your App Registration correctly for token reuse, as described here: token-reuse#azure-entra-id-configuration.

The configured settings for the sharepoint integration should be like mine (redacted values).

#========================#
# SharePoint Integration #
#========================#
# Requires Entra ID (OpenID) authentication to be configured

DEBUG_OPENID_REQUESTS=true

# SharePoint integration will not function without OPENID_REUSE_TOKENS=true as it relies on the on-behalf-of token flow to access Microsoft Graph APIs.
OPENID_REUSE_TOKENS=true

# make sure to include your api default scope and offline_access
OPENID_SCOPE="{Application ID UR}/.default openid profile email offline_access"

# Caching Configuration
OPENID_JWKS_URL_CACHE_ENABLED=true
OPENID_JWKS_URL_CACHE_TIME=600000  # 10 minutes in milliseconds
 
# Azure-specific Configuration
OPENID_ON_BEHALF_FLOW_FOR_USERINFO_REQUIRED=true
OPENID_ON_BEHALF_FLOW_USERINFO_SCOPE=user.read

# Enable SharePoint file picker in chat and agent panels
ENABLE_SHAREPOINT_FILEPICKER=true

# SharePoint tenant base URL (e.g., https://yourtenant.sharepoint.com)
SHAREPOINT_BASE_URL=https://XXX.sharepoint.com/

# Microsoft Graph API And SharePoint scopes for file picker
SHAREPOINT_PICKER_SHAREPOINT_SCOPE=https://XXX.sharepoint.com/AllSites.Read
SHAREPOINT_PICKER_GRAPH_SCOPE=Files.Read.All

[mansiibm]

Thanks a lot for sharing this , will try the above config and scopes , thankyou so much for the help !!!! :)

[delastone1-gif]

Thanks a lot for sharing this , will try the above config and scopes , thankyou so much for the help !!!! :)

did you resolve this ? I am having the exact same issue with the pop up that gives blank result

[mansiibm]

Hey , yes I was able to resolve this yesterday only. Thankyou @R-Vulcan for your kind help :) . If you are using azure pls go to the application registration and pls search for your application . Once location pls select - expose api option and then by default if you try to add the application URL to the app, it will appear as - api:// then set this and add the access_user scope in add scope config and then add it as permission also to include the user_access in delegated permissions. Once done you are good to set the vars from this page- https://www.librechat.ai/docs/configuration/authentication/OAuth2-OIDC/token-reuse#azure-entra-id-configuration . Pls set OPENID_REUSE_TOKENS=true and config needed for share point also. Also when setting in azure you might need to add the client app as well for authorization because azure apps require the auth token for themselves so it should be authorized to create one for itself. Hope this helps , pls let me know if you need help somewhere :) .