3

I'm following office-js-helpers to enable SSO login, and then use the access token to call Graph API.

But authentication opens the login window in a new tab, even though I have added the following to manifest.xml:

```xml
<AppDomain>https://login.windows.net</AppDomain>
<AppDomain>https://login.microsoftonline.com</AppDomain>
```

Current result: [screenshot]

Edit:
For SSO login, should it be redirected in the Outlook add-in instead of opening a new web browser window?

Here is the demo project OutlookOneDriveGraphAddIn.

I want to enable the Graph API in my Outlook web add-in. The Graph API needs a login process, and I want to be able to request an access token in my web add-in.

If there is anything unclear, please let me know.

Mavi Domates
Edward
  • There isn't a question here - or reproducible code. – Mavi Domates Mar 15 '19 at 13:30
  • We can help you better if you can explain what you are trying to achieve and what issue you are facing. Also, please add some code with which we can reproduce the issue, whenever possible. – Outlook Add-ins Team - MSFT Mar 16 '19 at 07:38
  • @MaviDomates Please check the update. – Edward Mar 18 '19 at 01:34
  • @OutlookAdd-insTeam-MSFT Please check the update. I want to achieve [Create an ASP.NET Office Add-in that uses single sign-on (preview)](https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-aspnet) – Edward Mar 18 '19 at 01:35
  • For authentication flows, we recommend using the [Office.js Dialog API](https://learn.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins#use-the-dialog-apis-in-an-authentication-flow). The section of the documentation I linked to describes how to use the API to implement an authentication flow. – Outlook Add-ins Team - MSFT Mar 20 '19 at 08:35
  • @OutlookAdd-insTeam-MSFT Is [office-js-helpers](https://github.com/OfficeDev/office-js-helpers) outdated? Is there any specific reason we need to re-implement office.helpers.js to achieve the auth flow? – Edward Mar 20 '19 at 08:41

2 Answers

4

There are 2 questions here.

Question #1: For SSO login, should it be redirected in the Outlook add-in instead of opening a new web browser window?

It should not be redirected in the Office add-in, for the very simple reason that this is against OAuth. With OAuth authentication, you'll have to show the user the URL - otherwise you can spoof a UI which looks similar to the Microsoft login in your add-in and steal people's credentials. Obviously this is not secure. So instead, when you call getAccessTokenAsync, it should pop up a dialog if the user is not signed in. Signing in is handled by Microsoft, after which the token becomes available through the same method, getAccessTokenAsync.

Question #2: How do I get the access token from my add-in?

Refer to the documentation here: https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins#add-client-side-code

```js
Office.context.auth.getAccessTokenAsync(function (result) {
    if (result.status === "succeeded") {
        // Use this token to call Web API
        var ssoToken = result.value;
        // ...
    } else {
        if (result.error.code === 13003) {
            // SSO is not supported for domain user accounts, only
            // work or school (Office 365) or Microsoft Account IDs.
        } else {
            // Handle error
        }
    }
});
```
Arnaud P
Mavi Domates
  • Do you think it is expected that I got the alert message asking to allow a new popup window? If the popup is expected and reasonable, why does the popup window show up? Why not open the window directly without this message? – Edward Mar 22 '19 at 01:39
  • Believe it or not, it is expected. The reason for that (I know it looks horrible) - is again a security feature. Hypothetically speaking, if you don't warn the user of the popup from another domain - they can pop-you-out to any malicious website. And they did (years ago, remember the crazy number of popups we used to get surfing the web?) Instead, now - only the same domain popups are allowed without additional ask. There is an alternative way of using the OAuth with office add-ins, but you won't be able to use the SSO - which makes things easier in my opinion. – Mavi Domates Mar 22 '19 at 08:08
  • @Edward I'd appreciate the green tick if it qualifies as the answer. – Mavi Domates Oct 17 '20 at 15:38
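
The token returned by getAccessTokenAsync is a JWT addressed to the add-in's own web API, so that API should verify it before using it or exchanging it for a Graph token. The following is an added example, not code from the answer or from Microsoft's documentation; the audience, issuer and scope values, the function names and the locally generated RSA key are assumptions constructed so that it runs offline (a real service would use the identity provider's published signing keys).

```javascript
const crypto = require("node:crypto");

// Constructed fixtures: a throwaway RSA key stands in for the identity provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const EXPECTED = { // hypothetical values for this example
  aud: "api://addin.example.com/00000000-0000-0000-0000-000000000000",
  iss: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
  scope: "access_as_user",
};
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Signs a sample token locally (test helper, not part of a real service).
function makeSampleToken(claims) {
  const input = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns the claims when the token is acceptable, otherwise throws.
function validateSsoToken(token, key, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm on the server; never let the token header choose it.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (claims.aud !== expected.aud) throw new Error("wrong audience");
  if (claims.iss !== expected.iss) throw new Error("wrong issuer");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  if (!String(claims.scp || "").split(" ").includes(expected.scope)) throw new Error("missing scope");
  return claims;
}

// Maps a token to null (accepted) or the reason it was rejected.
function rejectionReason(token) {
  try { validateSsoToken(token, publicKey, EXPECTED); return null; }
  catch (e) { return e.message; }
}

const now = Math.floor(Date.now() / 1000);
const base = { aud: EXPECTED.aud, iss: EXPECTED.iss, scp: "access_as_user", exp: now + 600 };
const good = makeSampleToken(base);
const wrongAudience = makeSampleToken({ ...base, aud: "https://graph.microsoft.com" });
const tampered = good.split(".").map((part, i) => (i === 1 ? b64url({ ...base, scp: "access_as_user Mail.ReadWrite" }) : part)).join(".");
console.log([good, wrongAudience, tampered].map(rejectionReason));
```

The audience check is what stops a token issued for some other resource from being replayed against the add-in's API.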
0

Hey, I have gone through the same problem. I was also working on an Outlook add-in which needed an access token to request resources from the Graph API. After long hours of searching, I found the best method possible and completed the implementation of my add-in.

Try the steps in Access token without user. The way I did it was by using a Node.js middleware for authentication, and it's working. Now I can access most of the Graph API resources using this. Hope this helps.

Please note that using this method you should be enabling Application Permissions, not delegated.

Seba Cherian