Requests by the API to msgraph fail due to "invalid client"

[marrobi]

The App Registration secret/password (?) used by App Service is invalid. This seems to happens after running make auth.

1. We should clarify the difference between App Registration Client Secret and Password - docs?
2. Work out a way forward so that if make auth is the culprit it doesn't immediately cause the API graph calls to stop functioning.

[ross-p-smith]

When make auth creates the API App Registration, it also creates a Service Principal and resets the password each time if the Service Principal already exists. If you do not run make deploy-core afterwards then the password that is in the keyvault will then be out-of-date. Which will result in an "Invalid Client" error.

[marrobi]

We are seeing instances where even after running make deploy-core the issue persists.

The manual work around is to add a client secret to the app registration, add that to the keyvault secret, and update the version in the api app KeyVault reference.

I've fixed manually, run deploy-core again and it breaks.

[marrobi]

Ok, it seems on the first run of deploy core the secret is updated in keyvault, but the API app is not updated. The second run the api secret is updated.

I tried a dependency on terraform, in the api app onto the KV client secret, but that didn't work.

[kolesnykandrii]

Although auth.env was updated after running make deploy-core twice, the keyvault still had the old secret, and had to manually update the keyvault and then the app keyvault reference.