OfficeDev / microsoft-teams-library-js

JavaScript library for use by Microsoft Teams apps
https://docs.microsoft.com/microsoftteams/platform/

Deeplink redirect on Microsoft 365 after external OAuth #1696

Open gazben opened 1 year ago

gazben commented 1 year ago

During our app certification we received a report that our external OAuth solution is not working with the Microsoft 365 app. With the new extended platform our application should work the same way in the Teams and Microsoft 365 (Office) apps.

All the documentation that I could find used this deeplink template:

msteams://teams.microsoft.com/l/auth-callback?authId=$authId&result=$result

With this, the Office 365 application won't recognize the redirect and will open the wrong application. How do we do a proper deeplink redirect with Microsoft 365 (Office) if we are using our own OAuth solution?

ghost commented 1 year ago

Hi gazben! Thank you for bringing this issue to our attention. We will investigate and if we require further information we will reach out in one business day. Please use this link to escalate if you don't get replies.

Best regards, Teams Platform

sayali-MSFT commented 1 year ago

@gazben - Thanks for reporting your issue. We will check this at our end and will get back to you.

gazben commented 1 year ago

@sayali-MSFT Do you have any update on this?

sayali-MSFT commented 1 year ago

@gazben - Have you checked the generated deeplink format? msteams://teams.microsoft.com/l/auth-callback?authId=${state.authId}&result=${req.query.code}

Did you get any error in console?

Ref Doc- https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-oauth-provider#add-authentication-to-external-browsers

gazben commented 1 year ago

@sayali-MSFT Yes, it works for the Teams application. But this will always open the Teams application, even if I initiated the login from the O365 application.

sayali-MSFT commented 1 year ago

@gazben - Thanks for your quick response. We will check this with the internal team: is it by-design behaviour, or is there any other way to open the link in Microsoft 365 (Office)?

gazben commented 1 year ago

Thank you, please check it internally if this is intentional or not.

alicialu-MSFT commented 1 year ago

Hi @gazben , could you confirm whether you are trying to deploy on O365 on desktop or on browser (office.com)? We've been working on this issue today and have some changes that we are in the middle of documenting.

Can you also try setting isExternal=False when you deploy to O365?

gazben commented 1 year ago

I want to use this where the redirect method is deeplink: on desktop applications and mobile.

On web/browser, the redirect is done by an HTTP redirect to the authentication end page where I call the authentication.notifySuccess() function.

gazben commented 1 year ago

We will use the isExternal=false for now, but this breaks the Google SSO.

sayali-MSFT commented 1 year ago

@gazben - We are checking with the engineering team and will get back to you.

alicialu-MSFT commented 1 year ago

Hi @gazben , we're working on a fix for this. Documentation will be updated when this is supported, but for now unfortunately it will not redirect to O365 after Google OAuth. We'll keep you updated -- thanks for bringing this up!

onmomo commented 6 months ago

@alicialu-MSFT do you have any updates on this? This has also been highlighted by the teams submission team during app certification. We can't use isExternal: false as workaround. I was able to reproduce it with iOS Microsoft 365 and iOS Outlook applications. The teams submission team reported the same issue also for Android Outlook Hub app.

onmomo commented 6 months ago

@alicialu-MSFT @sayali-MSFT I think I figured it out myself. Please update the docs, they are outdated and misleading to achieve auth flow with isExternal: true for mobile and desktop clients. (teams, outlook)

// client side (tab): ensure to provide {hostRedirectUrl}
authentication
  .authenticate({
    url: `${window.location.origin}/auth/start.html?oauthRedirectMethod={oauthRedirectMethod}&authId={authId}&hostRedirectUrl={hostRedirectUrl}`,
    width: 970,
    height: 870,
    isExternal: true // browser based login, required for Teams Mobile and Teams 2.0 Desktop to allow secure OAuth authentication
  })

// server side (OAuth callback handler): then use the url provided in `hostRedirectUrl` instead of following the MS docs, which only works for teams clients
if (state.oauthRedirectMethod === 'deeplink') {
  // this ensures isExternal flow also works with iOS Outlook and iOS M365 clients and whatever will come I guess.
  const clientRedirectUrl = state.hostRedirectUrl.replace('{result}', req.query.code)
  return res.redirect(clientRedirectUrl)
}

Unfortunately, this still does not work for M365 Office iOS app because the app does not replace hostRedirectUrl query parameter at all. Whereas the Teams 2.0 macOS and Outlook iOS app do provide the hostRedirectUrl, correctly.

Please find the following payloads captured after calling authentication.authenticate()

MS Teams 2.0 (MacOS)

{
  "event": "oauth.init_flow.payload",
  "properties": {
    "authId": "2afea4be-cab0-4cc0-adad-ef5749bffxxx",
    "hostRedirectUrl": "msteams://teams.microsoft.com/l/auth-callback?authId=2afea4be-cab0-4cc0-adad-ef5749bffxxx&result={result}",
    "oauthRedirectMethod": "deeplink"
  }
}

and for M365 office iOS app and Teams mobile app iOS / Android, which fail to replace "{hostRedirectUrl}".

{
  "event": "oauth.init_flow.payload",
  "properties": {
    "authId": "F0C5F60F-8182-47C8-941D-4B784E0B8xxx", <--- interesting that the authId is all upper case this time
    "hostRedirectUrl": "{hostRedirectUrl}", <--- this is the issue, should contain url scheme pointing to the actual app
    "oauthRedirectMethod": "deeplink"
  }
}

Could you provide us with a valid redirect link to M365 office mobile app to work around the problem? We need to get going with the app teams store validation, which is currently blocked by this issue.
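
A server-side guard for the `hostRedirectUrl` workaround in the comment above, as an added example that is not part of the original comment or of teams-js: the value reaches the server as a query parameter, so it is checked against an allowlist before the authorization code is appended to it. `resolveHostRedirect`, its return shape and the allowlist (built from the deeplinks quoted in this thread) are assumptions.

```javascript
// Assumption: allowlist built from the deeplinks quoted in this thread,
// not an official Microsoft list. Entries are "scheme://host/path".
const ALLOWED_CALLBACKS = new Set([
  'msteams://teams.microsoft.com/l/auth-callback',
  'msoffice://office.com/l/auth-callback',
  'ms-outlook://mos/auth-callback',
]);

// Hypothetical helper: state is what the server stored from /auth/start.html,
// code is the authorization code returned by the identity provider.
function resolveHostRedirect(state, code) {
  const raw = String(state.hostRedirectUrl || '').trim();
  // Hosts without support send the parameter empty or as the literal placeholder.
  if (raw === '' || raw === '{hostRedirectUrl}') {
    return { ok: false, reason: 'host-did-not-supply-redirect' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Compare scheme, host (with port) and path exactly; reject embedded credentials.
  const target = `${url.protocol}//${url.host.toLowerCase()}${url.pathname}`;
  if (url.username || url.password || !ALLOWED_CALLBACKS.has(target)) {
    return { ok: false, reason: 'target-not-allowlisted' };
  }
  // The link must carry the stored authId; hosts differ in letter case.
  const linkAuthId = (url.searchParams.get('authId') || '').toLowerCase();
  if (!state.authId || linkAuthId !== String(state.authId).toLowerCase()) {
    return { ok: false, reason: 'authid-mismatch' };
  }
  if (url.searchParams.get('result') !== '{result}') {
    return { ok: false, reason: 'missing-result-placeholder' };
  }
  url.searchParams.set('result', code); // percent-encodes the code
  return { ok: true, url: url.href };
}

// Constructed input modelled on the Teams 2.0 payload above.
const sampleState = {
  authId: '2afea4be-cab0-4cc0-adad-ef5749bffxxx',
  hostRedirectUrl: 'msteams://teams.microsoft.com/l/auth-callback' +
    '?authId=2afea4be-cab0-4cc0-adad-ef5749bffxxx&result={result}',
  oauthRedirectMethod: 'deeplink',
};
console.log(resolveHostRedirect(sampleState, 'c0de/with+chars'));
```

When `ok` is false the caller should not redirect with the code at all; it can show an error page or use a fallback it has chosen explicitly for that host.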

ChetanSharma-msft commented 6 months ago

Hello @onmomo - Thanks for raising your query. We are checking this with engineering team and let you know the updates.

onmomo commented 6 months ago

@ChetanSharma-msft do you have any updates on this? As I understand, the MS Teams mobile app (iOS/Android) and the M365 office mobile app do not implement the external OAuth flow as required since teams-js 2.11.0. The apps in question do not replace the parameter hostRedirectUrl with a url to redirect to the corresponding client and just provide the {placeholder}.

Please find this table that documents my findings. We are using teams-js:2.19.0, manifest version 1.13.

| MS App (latest version) | supports hostRedirectUrl parameter |
| --- | --- |
| Teams Mobile iOS / Android | does not replace parameter |
| M365 Office Mobile iOS / (maybe Android) | does not replace parameter |
| Outlook Mobile iOS / Android | does support parameter |
| Teams 2.0 MacOS Desktop | does support parameter |
| Outlook Windows 11 Desktop (1.2024.319.300 (Production)) | does not support parameter |

This is blocking the teams validation of our apps, please advise.

vikramtha commented 6 months ago

@onmomo Hey, I am reading over your comments, thank you for the table. I'm guessing that in the first comment you had mistakenly mentioned Teams iOS/Office iOS in the wrong places. You mentioned initially that Teams iOS does replace hostRedirectUrl and then later said it doesn't.

I'm guessing this table is the updated truth as it matches up with what I am understanding as well.

I'll go ahead and talk with some people to update the documentation and investigate more into the mobile not replacing hostRedirectUrl.

onmomo commented 6 months ago

@vikramtha yes correct, thanks for pointing that out. The misleading comment is now updated, the table represents what we observed so far in our logs. Looking forward to your findings, thank you! 🙏

vikramtha commented 6 months ago

@onmomo Okay I reached out to the M365 iOS team and they will start fixing the bug. No current eta as of now. I'll follow up with Teams shortly

onmomo commented 6 months ago

> @onmomo Okay I reached out to the M365 iOS team and they will start fixing the bug. No current eta as of now. I'll follow up with Teams shortly

@vikramtha do you have any update on this? I'm closely watching the app updates but none of them resolved the issue yet. Maybe it would be possible to provide us with the app deep link url for MS365 mobile apps (e.g for outlook ms-outlook://mos/auth-callback?authId=4A5A1721-D448-4605-8843-F92C9BFC0000&result={result}) in the meantime then we could already implement a workaround until this is fixed in the app

onmomo commented 5 months ago

@vikramtha Just figured out that the Outlook (new) version 1.2024.319.300 (Production) also fails to support the required hostRedirectUrl parameter, it just provides an empty value. I've updated the table.

vikramtha commented 5 months ago

@onmomo Thanks for the heads-up just communicated this with Outlook dev. The Teams Mobile folk btw probably will take a while to update this btw

vikramtha commented 5 months ago

@onmomo Sorry but I followed up with the new Outlook client and unfortunately they do not have an ETA to fix any of this. They are currently working on improving the NAA stack. Since the Outlook Win32 experience works you may want to default to this in the meantime.

gercobrandwijk commented 5 months ago

> > @onmomo Okay I reached out to the M365 iOS team and they will start fixing the bug. No current eta as of now. I'll follow up with Teams shortly
>
> @vikramtha do you have any update on this? I'm closely watching the app updates but none of them resolved the issue yet. Maybe it would be possible to provide us with the app deep link url for MS365 mobile apps (e.g for outlook ms-outlook://mos/auth-callback?authId=4A5A1721-D448-4605-8843-F92C9BFC0000&result={result}) in the meantime then we could already implement a workaround until this is fixed in the app

Did you already manage to implement a workaround for the platforms where it currently does not work? For the new outlook it is ms-outlook://mos/auth-callback?authId=4A5A1721-D448-4605-8843-F92C9BFC0000&result={result}? What about the mobile apps, these should be deeplinks paths?

onmomo commented 3 months ago

> @ChetanSharma-msft do you have any updates on this? As I understand, the MS Teams mobile app (iOS/Android) and the M365 office mobile app do not implement the external OAuth flow as required since teams-js 2.11.0. The apps in question do not replace the parameter hostRedirectUrl with a url to redirect to the corresponding client and just provide the {placeholder}.
>
> Please find this table that documents my findings. We are using teams-js:2.19.0, manifest version 1.13.
>
> | MS App (latest version) | supports hostRedirectUrl parameter |
> | --- | --- |
> | Teams Mobile iOS / Android | does not replace parameter |
> | M365 Office Mobile iOS / (maybe Android) | does not replace parameter |
> | Outlook Mobile iOS / Android | does support parameter |
> | Teams 2.0 MacOS Desktop | does support parameter |
> | Outlook Windows 11 Desktop (1.2024.319.300 (Production)) | does not support parameter |
>
> This is blocking the teams validation of our apps, please advise.

@vikramtha do you have any updates on this? I just checked again and the situation changed a little (M365) but it is still not possible to implement isExternal flow with all required Microsoft mobile apps

| MS App (latest version) | supports hostRedirectUrl parameter |
| --- | --- |
| Teams Mobile iOS / Android | does not replace parameter |
| M365 Office Mobile iOS (v2.86.1) / (maybe Android) | does provide deepLink now but Safari iOS reports "Safari cannot open the page because the address is invalid" -> msoffice://office.com/l/auth-callback?authId=27E8DAF0-1554-40FB-97E7-D8D123B00X00&result=$code |
| Outlook Mobile iOS / Android | does support parameter |
| Teams 2.0 MacOS Desktop | does support parameter |
| Outlook Windows 11 Desktop (1.2024.319.300 (Production)) | does not support parameter |

We will run a new publish round soonish. Considering this is now open for several months, we would appreciate if MSFT could speed up things a little, thank you!

vikramtha commented 3 months ago

@onmomo and @gercobrandwijk

I have followed up with the Office Mobile team again as they attempted to fix this but it seems to be still an issue. Waiting on their ETA. I have also followed up with Teams mobile however we have the hardcoded URL in this situation. In terms of the new Outlook experience this is still not on par with the Outlook Win32 experience and so we are still waiting to see when it is possible to fix this issue

gercobrandwijk commented 3 months ago

What is the timeline of the full deployment of the new Outlook experience to all the customers? More and more of our customers are reporting issues that our app does not work within the new Outlook. Will the new Outlook experience not be released till all the Outlook Win32 features are ported?

onmomo commented 2 months ago

@vikramtha do you have any update on this, can confirm that it is still not fixed with the latest M365 iOS app

vikramtha commented 2 months ago

@onmomo Small Update: We are still looking into it as we pushed the fix and redirectURL is being replaced properly but the redirect isn't happening. We will keep fixing this

vikramtha commented 1 month ago

@onmomo The change was merged two weeks ago in M365 iOS so it should be rolling out to everyone very soon. The Android change was merged today and that should be out for the world wide release later this month / early next month

gercobrandwijk commented 1 month ago

That's good news!

Any idea when it will be fixed in the New Outlook on Desktop?

vikramtha commented 1 week ago

@gercobrandwijk The change should be done end of the month so will be reflected early October. Sorry for the delay