SPAppToken encryption change breaks SharePoint app

[vvolodin]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

SharePoint Add-ins

Developer environment

None

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• browser version
• SPFx version
• Node.js version
• etc

Describe the bug / error

While preparing to update our SharePoint Add-in to SPFX we started having a new issue. For some reason validation of the SPAppToken started failing in TokenHandler.

'System.NotSupportedException: IDX10634: Unable to create the SignatureProvider.
Algorithm: 'RS256', SecurityKey: 'Null'

After examining the token it now appears to report the algorithm used for its signature as RS256 which is not something that is symmetrically encrypted using our client id as it was for 9 years until now.

Steps to reproduce

1. Create SP Addin
2. Try to login via appredirect.aspx
3. Token validation fails

Expected behavior

Token is encrypted with symmetric algorithm using client secret of our add-in.

[Ashlesha-MSFT]

Hello @vvolodin,
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.
If you don’t receive a reply within two working days, please use this escalation form to escalate.

[Ashlesha-MSFT]

@vvolodin,
At the moment, because the SharePoint Add-in model is deprecated, the creation of new Add-ins is limited in many tenants, and not all environments allow add-in registration anymore. This makes full reproduction of the scenario difficult in Microsoft 365 developer and production environments.

There is no published Microsoft documentation describing a change in SPAppToken signing/encryption behavior, nor any updated guidance indicating that SPAppTokens would switch from symmetric encryption to RS256 signing.

The official documentation still reflects the historical behavior (symmetric encryption with the client secret), and we are checking internally whether the new RS256 signature is:

• an intentional backend change,
• part of a security update, or
• an unintended regression.

We will share updates here as soon as additional information is available.

[vvolodin]

Thank you for your answer. Here's my SPAppToken from yesterday's testing:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InJ0c0ZULWItN0x1WTdEVlllU05LY0lKN1ZuYyIsImtpZCI6InJ0c0ZULWItN0x1WTdEVlllU05LY0lKN1ZuYyJ9.eyJhdWQiOiJmYzQ3MmE0Ni1mOTViLTRjYzgtYjRiMy05M2U2ZDk3MDZlMmQvbG9jYWxob3N0OjQ0MzIwQGUzY2E5NmVhLWJiMGEtNDJmOC1iNDFjLTg1NTIyYjM1MTRkNiIsImlzcyI6IjAwMDAwMDAxLTAwMDAtMDAwMC1jMDAwLTAwMDAwMDAwMDAwMEBlM2NhOTZlYS1iYjBhLTQyZjgtYjQxYy04NTUyMmIzNTE0ZDYiLCJpYXQiOjE3NjQ1OTM5MzMsIm5iZiI6MTc2NDU5MzkzMywiZXhwIjoxNzY0NjIzMDMzLCJhcHBjdHgiOiJ7XCJDYWNoZUtleVwiOlwiSWlOektRcXRaMCtIYjJaMHN4MlB4Y2V0UVM5YzE1dFc5TEhtZ01YL3Jjdz1cIixcIk5leHRDYWNoZUtleVwiOm51bGwsXCJTZWN1cml0eVRva2VuU2VydmljZVVyaVwiOlwiaHR0cHM6Ly9hY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0L3Rva2Vucy9PQXV0aC8yXCJ9IiwiYXBwY3R4c2VuZGVyIjoiMDAwMDAwMDMtMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQGUzY2E5NmVhLWJiMGEtNDJmOC1iNDFjLTg1NTIyYjM1MTRkNiIsImlzYnJvd3Nlcmhvc3RlZGFwcCI6InRydWUiLCJyZWZyZXNodG9rZW4iOiJQQVFBQkN3RUFBQUJsTU56VmhBUFVUckFSemZRaldQdEtWMDRyc3VGRlZVU01SNWhaWDFKdTRYRUpoRzI4endkMUlUTE5ac1BQdmc3dHg5bzBYczhtSU8ydldqYU1RaUZISTlrOXZlWGhqX1BNdldaN1JZdUlVWTZ4eERLRDFiT1BPbFczaWtJdlF1NnZKOUowNzJuUDI2YnRaUnVoZXdKLWtZU1QxNXgwQk4xVzZkaGJOYm1BUTlvTkVCTTZUbU1JWXViUFFOeTVmbzBXbkVFak92NnRGRjVZLV9GY3FMOTg2Tm5GY2dzNkpZZjFnaU10cGZpNWd4S2k2bW01bHlRRGRYNjNId3pqd3Y3dnpOUUxIbGhlem96cEZDUEFoOHM5MXo3bi1DMU9EZzdEZkkwMjJkZU9paUFBIiwidXRpIjoiZUpESENIaWxnRTJMVGowWVMxRUpBQSJ9.VuUSvMsxxOI4MFL8ofnIOT6vSmp2wBKbTwXTT2uUYItvdSDaXJGG-ii8Ook-4q8JNC8qrCr42LdvkOXWNBCQqhjBnw94fk4RVhkPd3h8RnqsKTSvgCT5lt8K2JyrwORv_GeJa5QErgNCtMJfM4T-_si5UUhmJ2lAqmkgCWtUB9rhSm7sYcxrG1ivXHHPXmo7qs5Lw5Fqz6TsdOaHQauoTfh942wVqg1gu58N36xm7l5XbEpVNGn-eQnvtN7D5d9N-tBT8oXc8Bt3sWCnTK_G93wEtem-2-a_iY7_uY5KY3KmyHPi5tfbvKirM2VoTF10bhF8t1yt3ssKjFT3KhEuHQ

We also wanted to re-generate our client secret (last updated February 2025), but the buttons to deal with secrets are greyed out...