OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview

Excel Addin SSO Token Acquisition Failure for multiple users #3689

Open coeguru opened 1 year ago

coeguru commented 1 year ago

If 2 users are logged in to the same browser, OfficeRuntime.auth.getAccessToken fails with error code 13007 for the second user.

Provide required information needed to triage your issue

Your Environment

Expected behavior

We should be able to get the access token for the second user as well.

Current behavior

I am acquiring the SSO token for my Excel add-in (https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/auth/Office-Add-in-NodeJS-SSO) using OfficeRuntime.auth.getAccessToken.

If I have 2 users logged in to the same browser, getAccessToken fails for the second user who logs in. E.g.: I logged in with user1@coeff1.onmicrosoft.com, and fetching the SSO token inside the add-in succeeds. When I logged in with user2@coeff1.onmicrosoft.com in the same browser, fetching the token fails with the following error.

      code: 13007
      message: "An unexpected error occurred on the server."
      name: "Error occurred in the authentication provider."

If I clear the localStorage of oauth.online.office.com, fetching the token succeeds again.

Steps to reproduce

  1. Complete this project - https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/auth/Office-Add-in-NodeJS-SSO
  2. Create 2 users and try to open the add-in for both users, one after the other, in the same browser.

Context

If there are 2 users that are trying to open the same add-in, fetching the OAuth token fails for the second user.

Useful logs

Thank you for taking the time to report an issue. Our triage team will respond to you in less than 72 hours. Normally, response time is <10 hours Monday through Friday. We do not triage on weekends.

microsoft-github-policy-service[bot] commented 1 year ago

Thank you for letting us know about this issue. We will take a look shortly. Thanks.

thoffmann-fms commented 1 year ago

I'm getting the same error in an Outlook add-in running in Windows Outlook. It was working a while back; I have not used this feature for a few months. Microsoft® Outlook® for Microsoft 365 MSO (Version 2308 Build 16.0.16731.20182) 64-bit

      const authAccessToken = await Office.auth.getAccessToken({
        allowSignInPrompt: false,
        allowConsentPrompt: false,
        forMSGraphAccess: false,
      });

Running the same Add-In under OWA I get a slightly different error.

This is only failing in one of the two test domains I have access to, so it appears not to be a global issue.

ZYUN-MSFT commented 1 year ago

Hi all, we're still investigating this; we will update here when we get the information.

Thanks.

coeguru commented 1 year ago

Thanks, we are yet to find a solution for the same.

ZYUN-MSFT commented 1 year ago

Got feedback from the area engineering team:

This is BY-DESIGN behavior; currently SSO doesn't support account switching.

SSO with Office doesn’t support sign-off. If the user signs out of a session with Office, and then signs in with a different account, your add-in won’t pick up the change and will continue receiving the original user token with additional requests to getAccessToken(). The user will need to close Office, and open a new application instance to reload your add-in and pick up the new user token.

If you still have any concerns, please go to https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform and submit a new feature request.

Thanks for your support of Office Add-ins.

thoffmann-fms commented 1 year ago

There is no sign-out going on with my code, only sign-in. And, it only happens with some domains, not all.

coeguru commented 1 year ago

@ZYUN-MSFT, thanks for getting back.

I tried this in the web version of Microsoft 365 Excel. I logged in with user a@test.onmicrosoft.com and we are able to get the token and the add-in loads fine.

Now I log in with b@test.onmicrosoft.com, and we are not able to get the token, which makes sense with what you said.

Now I log out of both a@test.onmicrosoft.com and b@test.onmicrosoft.com, close all the browser tabs, start a new browser and log in with b@test.onmicrosoft.com, and I am still not able to get the token. It only works if I clear the cache (oauth.online.office.com).

Is there something we can suggest our users do other than clearing the cache?

justin-dw commented 6 months ago

Did anyone find a way to log out?
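
An added example, not code from this thread or from the Office.js project: one way an add-in can react to the 13007 failure and to the stale-account behavior described above. It falls back to its own interactive sign-in on 13007 and ties any cached add-in state to the `tid`/`oid` claims of the token it actually received. It assumes the add-in has such a fallback; every name except `getAccessToken`, its options and the error code is hypothetical.

```javascript
// Added example. Only getAccessToken, its options and error code 13007 come
// from the thread; every other name here is hypothetical.

// Decode a JWT payload WITHOUT verifying it. Use this only to compare identities
// in the task pane; signature, issuer and audience checks belong on the server.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Bind add-in state to the tenant/object id in the token. Returns true when the
// identity differs from the one the state was built for and the state was dropped.
function bindSessionToToken(session, token) {
  const { tid, oid } = decodeJwtPayload(token);
  if (!tid || !oid) throw new Error("token has no tid/oid claims");
  const key = `${tid}/${oid}`;
  const changed = session.identityKey !== key;
  if (changed) {
    session.identityKey = key;
    session.cache = {}; // never show one account's cached data to another
  }
  return changed;
}

// auth: object exposing getAccessToken (OfficeRuntime.auth in an add-in).
// fallbackSignIn: caller-supplied interactive sign-in that resolves to a token.
async function acquireToken(auth, session, fallbackSignIn) {
  let token;
  try {
    token = await auth.getAccessToken({ allowSignInPrompt: false, allowConsentPrompt: false });
  } catch (err) {
    if (!err || err.code !== 13007) throw err;
    token = await fallbackSignIn(); // 13007 is the failure reported in this thread
  }
  bindSessionToToken(session, token);
  return token;
}

// Constructed, unsigned sample token so the example runs offline.
function makeSampleToken(claims) {
  const body = btoa(JSON.stringify(claims)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `e30.${body}.sig`;
}
```

The client-side decode only decides which cached state to keep; the add-in's web service still has to validate the token before trusting any claim in it.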