
I'm looking for the correct, secure way to store credentials for a third party API in an Outlook add-in. This overview of the different storage options only says not to store credentials in Settings, but not where to put them, so I assumed the RoamingSettings would be okay. Then I ran into this page with information about RoamingSettings, where it says that is not the right location either.

The question then becomes: What is the right place? Should I build my own storage solution and store/encrypt the credentials in a file or cookie? That does not feel very secure either, since we are talking about what is basically a web app running in an Iframe.

Dmitry Streblechenko
nforss
  • Can you tell us more about the "third party" API. When you say "third party" I suppose that this is not your web app that serves the add-in nor a Microsoft API (EWS, Outlook APIs, Office 365 etc.), correct? How is this API secured? Unless it supports only basic authentication, you should be able to retrieve some kind of token or authorization code that you will have to keep, which is far more secure than keeping raw credentials. – Benoit Patra Jan 29 '16 at 12:56
  • You are right that "third party" is perhaps the wrong term. I am referring to our own web API, for which the Outlook add-in is being built. A way to access the service from within Outlook. – nforss Jan 29 '16 at 16:27
  • And the API uses Basic authentication (over SSL). – nforss Jan 29 '16 at 16:28
  • Did you manage to find a solution? – Benoit Patra Feb 04 '16 at 11:44
  • I used HTML 5 local storage, as you suggested, and it seems to be working fine. I'll mark that response as the correct answer. Thank you! – nforss Feb 07 '16 at 17:04

2 Answers

I assume you cannot implement another authorization scheme (token based, cookies etc.) for your API and you are stuck with Basic Authentication and its issues. If you are using ASP.NET, with all the samples available it could be very easy to add another authentication scheme that is more adapted to web clients (such as Office web add-ins).

Having said that, for me your best option is to use HTML5 storage or cookie storage (if not implemented by browser) to store your credentials.

The fact that the app is iFramed is not really a big deal. Those storages (HTML5: sessionStorage/localStorage) rely on domain separation, which means that the storage slots where you will put the credentials will not be visible to other apps, even those living on the parent iFrame.

You may also consider the fact that you may serve the web add-ins and the APIs from the same domain. They are both web applications!

Benoit Patra
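As an added example (not code from the answer, the question, or any Microsoft sample), a small origin-scoped credential store of the kind the answer describes: the Basic-auth credentials are kept in Web Storage and turned into the Authorization header for requests. Names, the storage key and the in-memory stand-in for sessionStorage are hypothetical; in the add-in you would pass the real `window.sessionStorage`.

```javascript
// Added example, not from the original answer. Keeps Basic-auth credentials
// in a Storage object (sessionStorage preferred: it is dropped when the
// add-in's browsing context closes) and builds the Authorization header.

// Constructed in-memory stand-in for window.sessionStorage so the code runs
// outside a browser. It implements the Storage methods the store uses.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

const CRED_KEY = "myapi.credentials"; // hypothetical storage key

class CredentialStore {
  constructor(storage) { this.storage = storage; }

  // Web Storage is scoped to the add-in's origin, so other origins
  // (including the Outlook page that frames the add-in) cannot read it.
  // It is NOT encrypted: any script running on this origin can read it.
  save(username, password) {
    this.storage.setItem(CRED_KEY, JSON.stringify({ username, password }));
  }

  load() {
    const raw = this.storage.getItem(CRED_KEY);
    return raw === null ? null : JSON.parse(raw);
  }

  clear() { this.storage.removeItem(CRED_KEY); }
}

// UTF-8 safe base64: btoa in the browser, Buffer under Node.
function toBase64(text) {
  return typeof Buffer === "function"
    ? Buffer.from(text, "utf8").toString("base64")
    : btoa(unescape(encodeURIComponent(text)));
}

// HTTP Basic (RFC 7617): "Basic " + base64("user:password").
function makeAuthHeader(cred) {
  return "Basic " + toBase64(`${cred.username}:${cred.password}`);
}

// Headers for a fetch() to the API, or null when nothing is stored yet
// (the add-in should then prompt the user to sign in again).
function authHeaders(store) {
  const cred = store.load();
  return cred === null ? null : { Authorization: makeAuthHeader(cred) };
}
```

Send the request over HTTPS only, and call `clear()` on sign-out or when the API answers 401, so stale credentials do not outlive the session.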

You can do what Outlook itself does for its POP3/SMTP/IMAP4 passwords - use the CredRead / CredWrite Windows API functions. The data can only be decrypted under the local Windows account used to encrypt it, so it cannot be taken to a different machine and decrypted.

I don't think you can access these functions from JavaScript. This is for an OWA add-in, not the Outlook application, is it?

Dmitry Streblechenko
  • We are talking about the Office 365 add-ins (that can still be installed locally), the tools for which were released in 2015. They are HTML applications running a special JS library. More info here: https://msdn.microsoft.com/en-us/library/office/jj220060.aspx – nforss Jan 29 '16 at 16:33
  • Can't help you with the web addins, sorry. I updated the tags of your post. – Dmitry Streblechenko Jan 29 '16 at 16:41
  • The thing is, the new add-ins are not **only** for the Office 365 web client, but can also be used in the Office desktop software. So I don't feel the outlook-web-addins tag is entirely correct. I mostly blame Microsoft for this, though, since they have been re-using the same names (Office Add-in, Office App) for at least three different things for a decade now. It really screws with any Google searches. – nforss Jan 29 '16 at 20:41
  • I agree 100%. And I wouldn't mind finding a good solution myself. HTML 5 Local Storage is probably the best you can do if you want any security. You can use Office.context.roamingSettings, but passwords are probably not something you want to store in the mailbox. – Dmitry Streblechenko Jan 29 '16 at 22:34
  • Actually, renaming the apps for Office to add-ins was a bad idea. Calling them web add-ins is not entirely bad because they are *based on* web technologies even if they target desktop applications such as the regular Office desktop clients. – Benoit Patra Jan 31 '16 at 13:35