https://mytenant.sharepoint.com/sites/dev/_api/v2.0/sites/{siteId}/lists/{listId}/items/{itemId}/preview returns an HTTP 403 every time using SPHttpClient class from an SPFx Web Part

[FranckyC]

Category

• Bug

Describe the bug

I'm trying to use the SharePoint REST API v2.0 endpoint and especially the https://mytenant.sharepoint.com/sites/dev/_api/v2.0/sites/{siteId}/lists/{listId}/items/{itemId}/preview method to get the preview URL for a document in a SharePoint site from an SPFx Web Part just like the Microsoft Graph counterpart (HTTP POST). I'm following the documentation available here.

When using the url ../driveItem/preview and the SPHttpClient SPFx builtin class, the call returns a HTTP 403 error every time even if I have access to the underlying item.

However, using the exact same url but this time with AadHttpClient works well (HTTP 200). Here is an illustration of the issue:

I precise I didn't grant any specific permissions in my SPFx package-solution.json. Not sure if this is expected since the authentication method is different between the two approaches (Bearer token vs cookie/digest).

Last but not least, the similar call ../driveItem/thumbnails for the same item (HTTP GET) using SPHttpClient works well.

Steps to reproduce

1. In a SPFx Web Part, make a call to https://mytenant.sharepoint.com/sites/dev/_api/v2.0/sites/{siteId}/lists/{listId}/items/{itemId}/preview URL using SPHttpClient.
2. Make the same call with AadHttpClient to see the difference.

Expected behavior

Using /_api/v2.0/sites/{siteId}/lists/{listId}/items/{itemId}/preview endpoint using SPHttpClient should returns an HTTP 200 when user has access to the element.

Developer environment

• SPFx 1.10.0
• Office 365 Developer tenant (not first release)

[msft-github-bot]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[FranckyC]

Update

It seems GET requests are working fine. The issue is only with POST. For the preview I used this instead:

/driveItem/webUrl?preferNoRedirect=true

[JeremyKelley]

In general the cookie auth pattern should be supported, we'll have to take a look at why these specific requests are not working.

Is there a technical limitation for not using the Microsoft Graph client to make the request? That should also provide the functionality you're looking for.

[FranckyC]

Hi @JeremyKelley, thanks for the reply. Actually, not a technical limitation but a business one. In my context, I can't use Graph here because I can't have any permissions at tenant level through SharePoint API requests. Also, I'm already in a SharePoint WP so using REST v2 is also convenient.

[arunakshi]

Is there any update on this? I am also having same issue with POST requests from SPHttpClient. We have preference that to use Sharepoint APIs via SPHttpClient rather than to get approvals for creating permissions to Graph API. I am using following request with POST method: https://[tenantname].sharepoint.com/_api/v2.0/sites/[siteId]/drive/items/8407d069-d1c6-44e7-a6b2-b3fb978f189e/follow and below is the code that I use and I get 403 error:
this.context.spHttpClient.post(url, SPHttpClient.configurations.v1, {}).then((followingItems) => { console.log("Following now: "); resolve("Following now"); }).catch((error) => { console.log(error); reject(error); });

[tylermneher]

Any update here?
@neherdata @thinkula

[github-actions]

Thank you for taking the time to file an issue. We periodically archive older or inactive issues as part of our issue management process, which automatically closes them once they are archived.

If you’d like to understand more about why and how we handle archived (closed) issues, please see Our approach to closed issues.

We appreciate your contribution and if this is still an active issue with the latest SPFx versions, please do resubmit the details. We needed to perform a cleanup, so that we can start with a clean table with a new process. We apologize for the inconvenience this might cause.