SPFx causes triple page reload when calling custom API with pending permission grant #10295

Open
1 of 9 tasks
BollietMZK opened this issue Jun 9, 2025 · 2 comments
Labels: area:spfx, type:bug-confirmed, type:bug-suspected

Comments

BollietMZK commented Jun 9, 2025

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

  • browser version: 137.0.7151.69 (Official Build) (arm64)
  • SPFx version: 1.21.1
  • Node.js version: 22.16.0

Describe the bug / error

Issue Summary
We have encountered a critical issue affecting multiple tenants since May 2025. Whenever a SharePoint Framework (SPFx) package attempts to retrieve a token from a custom API for which a permission is still pending (neither approved nor rejected), the SharePoint page reloads three times automatically.
This behavior is repeated just once for a period of between 2 and 5 minutes (I don't know exactly, I guess there's a cache) and then refreshes 3 times again on the next navigation.

This behavior occurs systematically and seems to be introduced after the recent change described in the following article: Changes on SharePoint Framework (SPFx) permission grants in Microsoft Entra ID.

Technical Observation
Before each page reload, the following request is made:
GET https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
And includes the following payload:

client_id=08e18876-6177-487e-b8b5-cf950c1e598c
scope={application_id_uri}%2F.default%20openid%20profile%20offline_access
[...]

This request results in an HTTP 302 redirect with the following header:
Location: https://{tenant}.sharepoint.com/_forms/spfxsinglesignon.aspx
And includes the following error details in the query string on this Location:

error=invalid_client
error_description=AADSTS650057: Invalid resource. 
The client has requested access to a resource which is not listed in the requested permissions in the client’s application registration.
Client app ID: 08e18876-6177-487e-b8b5-cf950c1e598c (SharePoint Online Web Client Extensibility)
Resource value from request: {application_id_uri}
[...]

Impact

  • This issue affects several dozen of our clients.
  • Tens of thousands of users are impacted by the page reload loop.
  • It severely disrupts the user experience and functionality of our SPFx solutions.

Steps to reproduce

  1. Create a basic HelloWorld SPFx project of type ApplicationCustomizer using SPFx version 1.21.1.
  2. In the package-solution.json file, add a custom API permission under the webApiPermissionRequests section (e.g., for a custom Entra ID app).
  3. In the HelloWorldApplicationCustomizer.ts file, retrieve a token for the custom API using the following code:

```typescript
export default class HelloWorldApplicationCustomizer extends BaseApplicationCustomizer<IHelloWorldApplicationCustomizerProperties> {
  public async onInit(): Promise<void> {
    Log.info(LOG_SOURCE, `Initialized ${strings.Title}`);

    const tokenProvider = await this.context.aadTokenProviderFactory.getTokenProvider();
    const token = await tokenProvider.getToken("{application_id_uri}");
  }
}
```

  4. Build and package the solution.
  5. Upload the .sppkg file to the App Catalog, deploy it, and ensure it is enabled by default.
  6. Important: Do not approve or reject the API permission request in the SharePoint Admin Center.
  7. Navigate to a SharePoint page and observe the behavior: the page refreshes three times automatically each time getToken() is called.

Expected behavior

The page should remain stable and handle the permission request gracefully without causing reloads, even if the permission is pending.
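
For triaging the redirect described under "Technical Observation", the following TypeScript is an added example (not part of the original issue and not SPFx code): it parses the 302 `Location` values from a browser trace and flags a resource when the SPFx client receives three AADSTS650057 errors in a short window. The `TraceEntry` shape, the function names, the 60-second window and the `contoso` / `api://example-api` sample values are assumptions.

```typescript
// Added example. App ID of "SharePoint Online Web Client Extensibility", quoted in the issue.
const SPFX_CLIENT_ID = "08e18876-6177-487e-b8b5-cf950c1e598c";

interface SsoError { error: string; aadsts: string | null; clientAppId: string | null; resource: string | null; }
interface TraceEntry { timeMs: number; location: string; } // hypothetical trace shape

// Parse the Location header of the 302 returned by /authorize.
// Returns null unless it is an error redirect to spfxsinglesignon.aspx.
function parseSsoRedirect(location: string): SsoError | null {
  let url: URL;
  try { url = new URL(location); } catch { return null; }
  if (!url.pathname.toLowerCase().endsWith("/_forms/spfxsinglesignon.aspx")) return null;
  const error = url.searchParams.get("error");
  if (!error) return null;
  const desc = url.searchParams.get("error_description") ?? "";
  const codeMatch = /AADSTS\d+/.exec(desc);
  const clientMatch = /Client app ID:\s*([0-9a-f-]{36})/i.exec(desc);
  const resourceMatch = /Resource value from request:\s*(\S+)/.exec(desc);
  return {
    error,
    aadsts: codeMatch ? codeMatch[0] : null,
    clientAppId: clientMatch ? clientMatch[1].toLowerCase() : null,
    resource: resourceMatch ? resourceMatch[1].replace(/\.$/, "") : null,
  };
}

// Return the resources that produced at least minHits AADSTS650057 redirects for
// the SPFx client within windowMs (the issue reports three reloads in a row).
function findReloadLoops(trace: TraceEntry[], minHits = 3, windowMs = 60000): string[] {
  const hits = new Map<string, number[]>();
  for (const entry of trace) {
    const r = parseSsoRedirect(entry.location);
    if (!r || r.aadsts !== "AADSTS650057" || r.clientAppId !== SPFX_CLIENT_ID) continue;
    const key = r.resource ?? "(unknown)";
    const times = hits.get(key) ?? [];
    times.push(entry.timeMs);
    hits.set(key, times);
  }
  const flagged: string[] = [];
  hits.forEach((times, resource) => {
    times.sort((a, b) => a - b);
    for (let i = 0; i + minHits <= times.length; i++) {
      if (times[i + minHits - 1] - times[i] <= windowMs) { flagged.push(resource); break; }
    }
  });
  return flagged;
}

// Constructed sample redirect; tenant and Application ID URI are placeholders.
function sampleLocation(resource: string): string {
  const desc = `AADSTS650057: Invalid resource. Client app ID: ${SPFX_CLIENT_ID} ` +
    `(SharePoint Online Web Client Extensibility) Resource value from request: ${resource}`;
  return "https://contoso.sharepoint.com/_forms/spfxsinglesignon.aspx" +
    `?error=invalid_client&error_description=${encodeURIComponent(desc)}`;
}
```

A flagged resource is an Application ID URI to check against the API access page in the SharePoint Admin Center for a request that is still pending.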

BollietMZK added the type:bug-suspected label Jun 9, 2025
BollietMZK changed the title from "SPFx triggers 3 page reloads when permission to custom API is pending" to "SPFx causes triple page reload when calling custom API with pending permission grant" Jun 9, 2025
Amey-MSFT self-assigned this Jun 10, 2025
@Amey-MSFT

Hello @BollietMZK,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

Amey-MSFT added the area:spfx label Jun 10, 2025
@Amey-MSFT

Hello @BollietMZK,
We were able to reproduce the issue, and we are investigating it. We have logged this as a bug, and our engineering team will look into it.
Thank you!

Amey-MSFT added the type:bug-confirmed label Jun 10, 2025