OfficeDev / microsoft-teams-library-js

JavaScript library for use by Microsoft Teams apps
https://docs.microsoft.com/microsoftteams/platform/

Cookie Auth for Teams App integration & "allow-storage-access-by-user-activation" #1460

Open robertmuehsig opened 1 year ago

robertmuehsig commented 1 year ago

Hi, our app uses cookie auth for authentication, and if we integrate our app within Teams, some browsers (like Firefox) won't store the cookie because of the enhanced protection features. The allow-storage-access-by-user-activation would solve this problem.

Cookie auth seems "simple and secure" enough for our purpose and we don't see any issues on other Microsoft platforms, like integrating our app in Office Online. The generated Office Online iframe comes with the needed attribute (see here) and from our point of view this would make sense for Teams as well.

Be aware that there is a related issue, but we don't have the same goal - the allow-storage-access-by-user-activation is just needed for cookie stuff as well.

ghost commented 1 year ago

Hi robertmuehsig! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform

Meghana-MSFT commented 1 year ago

We are looking into this, we will get back to you.

nwojod-MSFT commented 1 year ago

Hi @robertmuehsig, thank you for raising this request. We are still investigating this and will provide an update as soon as possible.

Galvita commented 1 year ago

Hi, I see the message "Error while parsing the 'sandbox' attribute: 'allow-storage-access-by-user-activation' is an invalid sandbox flag" in the Chrome console when I open my Outlook add-in.

This one does not allow me to insert text into the Outlook web client event field automatically. This problem has appeared recently.

warenix commented 1 year ago

I also faced the same error on Outlook web for the Outlook add-in I am developing.

Maybe this screenshot could help a bit.

daniharo commented 10 months ago

Any news on this? Chrome is starting third-party cookie phase out in 2024 Q1 and we need access to the Storage Access API to continue using the OAuth provider authentication method. As stated in your docs:

If Experimental third-party storage partitioning is enabled, the third-party authentication fails. The app prompts for authentication repeatedly as the values aren’t stored locally.

This won't be an experimental option anymore, so auth will always fail until we get access to the Storage Access API and ask the browser for permission.

alicialu-MSFT commented 10 months ago

We are working on a solution for third-party cookie auth that will permissioning for the third-party storage access API.

Which OAuth provider authentication method are you using today?

daniharo commented 9 months ago

@alicialu-MSFT Because of our multiple deployments, we sometimes have some problems with the SSO method (getAuthToken()), so we do use that method by default but let our users sign in with Microsoft through a Microsoft Entra ID popup if SSO doesn't work or if they log out. To be able to set our login cookie in that popup we need "allow-storage-access-by-user-activation" in the iframe sandbox attribute.

alicialu-MSFT commented 9 months ago

@daniharo thanks! We plan to add the "allow-storage-access-by-user-activation" in the iframe ASAP.

Can you elaborate on problems on getAuthToken? Are they related to cookies?

daniharo commented 9 months ago

@alicialu-MSFT We are logging the error cause in failureCallback. The most common one is Error: Unable to get access token, but we also see tokenRevoked, An internal server error occurred, Error, Empty token received, User declined to consent permission for this app., CancelledByUser.

Draginfable commented 8 months ago

Hello @alicialu-MSFT, has there been any progress? Chrome is starting third-party cookie phase out to 1% of the users, so it is important to have this in order to test and adapt our apps. Thank you.

alicialu-MSFT commented 8 months ago

@Draginfable Early March for a rough timeline... apologize for the delay. What authentication library are you using to do 3P cookie auth? MSAL.js?

Draginfable commented 7 months ago

Thank you for providing the timeline. We are using third-party cookies to authenticate with our backend services.

JorgenEvens commented 4 months ago

Has any progress been made on this? Currently allow-storage-access-by-user-activation is still missing from the sandbox attribute.

vikramtha commented 4 months ago

@JorgenEvens this will be available generally on Teams around May 5th. Outlook has integrated these changes and it is probably going through the rings now. No ETA on Office yet.
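
The mechanism discussed in this thread, as an added example (not code from any participant or from microsoft-teams-library-js): an embedded app checks which sandbox tokens its host iframe would need, then requests cookie access through the Storage Access API from a click handler. The function names, the `sign-in` element id and the stubbed `doc` parameter are assumptions made for illustration.

```javascript
// Added example, not code from the thread or the Teams SDK.
// Tokens the embedding page must put in the iframe's sandbox attribute before a
// Storage Access request from the embedded app can succeed.
const REQUIRED_TOKENS = [
  'allow-scripts',                            // run the script that calls the API
  'allow-same-origin',                        // keep the app's real origin (and its cookies)
  'allow-storage-access-by-user-activation',  // the flag requested in this issue
];

// Returns the required tokens missing from a sandbox attribute value.
// null/undefined means the iframe has no sandbox attribute, so nothing is missing.
function missingSandboxTokens(sandboxAttr) {
  if (sandboxAttr == null) return [];
  const present = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  return REQUIRED_TOKENS.filter((t) => !present.has(t));
}

// Ask for third-party cookie access. `doc` is the embedded document; it is a
// parameter so the logic can be exercised with a stub outside a browser.
// Call this from a click/tap handler: browsers require user activation.
async function ensureCookieAccess(doc) {
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return { access: 'unsupported' };          // API absent in this browser
  }
  if (await doc.hasStorageAccess()) {
    return { access: 'granted', prompted: false };
  }
  try {
    await doc.requestStorageAccess();          // rejects if the sandbox flag is missing or the user declines
    return { access: 'granted', prompted: true };
  } catch (err) {
    return { access: 'denied', reason: (err && err.name) || 'unknown' };
  }
}

// Browser wiring; 'sign-in' is a hypothetical button id.
if (typeof document !== 'undefined') {
  const button = document.getElementById('sign-in');
  if (button) {
    button.addEventListener('click', async () => {
      const result = await ensureCookieAccess(document);
      // On 'denied' or 'unsupported', fall back to a popup or token-based sign-in.
      console.log('storage access:', result.access);
    });
  }
}
```

An app developer cannot add the sandbox token from inside the frame; `missingSandboxTokens` is only useful for checking a host's iframe markup or for logging why `ensureCookieAccess` returned `denied`.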