search

OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview
Other
683 stars 95 forks source link

Outlook NAA GA questions: Enable SSO in an Office Add-in using nested app authentication (preview) #4712

Closed hello-chenchen closed 1 month ago

hello-chenchen commented 3 months ago

we notice New Nested App Authentication for Office Add-ins: Legacy Exchange tokens off by default in October 2024 and Enable SSO in an Office Add-in using nested app authentication (preview). and we have a few question here:

What confuses me is that acquireTokenSilent always needs to pop up an authorization window before returning the access token. After reading the following article, I found that this seems to be inevitable. https://learn.microsoft.com/en-us/entra/identity-platform/scenario-spa-acquire-token?tabs=javascript2 So, my question is whether such a change is must and always be accompanied by the customer needing to receive a pop-up authorization window from time to time before being able to proceed.

If so, this seems to be a very different behavior for the smooth transition of customers (compared to getCallbackTokenAsync). I am very worried that it will confuse and cause customers to complain. By the way, in my side: From a customer's perspective, I hope this pop-up window only appears when the IT admin authorizes it. It would be best if the user never needs to know about its existence.

And here is my test result in different platform.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

Platform | Result -- | -- Mac Outlook Old & New | Pop up for only first time Win32 Outlook | Pop up every time OWA on Chrome | Pop up for only first time in 24 hours OWA on Edge/Safari | Error, not available pop up

And here is the gif recording: Win32 Outlook: Win32Outlook1

Mac Outlook: MacOutlook

OWA for chrome: OWA Chrome

OWA Edge: OWA Edge

Here is the research code for getting original start time in an occurrence.

And the client id is what we used(28da465e-7729-4caa-a29b-0201166cc364) which is Enable single sign-on (SSO) in an Office Add-in what we used in addin manifest: image

Here is the APP owner’s configure: image image

Here is the APP admin user's configure: image

for the code segment:

async function getItemId() {
    return new Office.Promise(function (resolve) {
        if (Office.context.requirements.isSetSupported('Mailbox', '1.8')) {
            Office.context.mailbox.item.getItemIdAsync(function(result) {
                if(Office.AsyncResultStatus.Succeeded == result.status) {
                    resolve(result.value);
                } else {
                    resolve(null);
                }
            });
        }
        else {
            resolve(null);
        }
    });
};

async function getOriginalStartTime() {
    var resolve = null;
    try {
        const itemId = await getItemId();
        if (null === itemId) {
            resolve = null;
        } else {
            if (Office.context.requirements.isSetSupported('Mailbox', '1.5')) {
                setTimeout(() => {
                    console.log("waiting getCallbackTokenAsync timeout.");
                    resolve = null;
                }, 10000);
                // graph api
                const pca = await createNestablePublicClientApplication({
                    auth: {
                        clientId: "28da465e-7729-4caa-a29b-0201166cc364",
                        authority: "https://login.microsoftonline.com/common"
                    },
                });
                console.log('pca: ', pca, pca.getAllAccounts().length, JSON.stringify(pca.getAllAccounts()));
                // Specify minimum scopes needed for the access token.
                const tokenRequest = {
                    scopes: ["[User.Read](http://user.read/)", "openid", "profile", "[Calendars.Read](http://calendars.read/)"],
                };

                if (pca.getAllAccounts().length > 0) {
                    tokenRequest.account = pca.getAllAccounts()[0];
                }
                let accessToken = null;
                // TODO 1: Call acquireTokenSilent.
                try {
                    console.log("Trying to acquire token silently...");
                    const userAccount = await pca.acquireTokenSilent(tokenRequest);
                    console.log("Acquired token silently.");
                    accessToken = userAccount.accessToken;
                } catch (error) {
                    console.log(`Unable to acquire token silently: ${error}`);
                }

                // TODO 2: Call acquireTokenPopup.
                if (accessToken === null) {
                    // Acquire token silent failure. Send an interactive request via popup.
                    try {
                        console.log("Trying to acquire token interactively...");
                        const userAccount = await pca.acquireTokenPopup(tokenRequest);
                        console.log("Acquired token interactively.", userAccount);
                        accessToken = userAccount.accessToken;
                    } catch (popupError) {
                        // Acquire token interactive failure.
                        console.log(`Unable to acquire token interactively: ${popupError}`);
                    }
                }

                // TODO 3: Log error if token still null.
                if (accessToken === null) {
                    console.error(`Unable to acquire access token.`);
                    return;
                }

                console.log(`Access token: ${accessToken}`);
                var restId = self.convertToRestId(itemId);

                // for public graph replace PropertyId to id
                var filterString = "?$select=originalStart";
                var baseUrl = 'https://graph.microsoft.com/';
                if (0 === baseUrl.length || 0 === restId.length) {
                    console.log("exception :getRestUrl or restId failed");
                    resolve = null;
                }

                var getMessageUrl = baseUrl + '/v1.0/me/events/' + restId + filterString;
                var authHeader = { 'Authorization': 'Bearer ' + accessToken };
                resolve = await get(getMessageUrl)({}, authHeader);
            } else {
                resolve = null;
            }
        }

    } catch (error) {
        console.error('get original start time: ', error);
        resolve = null;
    }

    return new Office.Promise(function (res, rej) {
        if (resolve) {
            res(resolve);
        } else {
            rej({});
        }
    });
}
codexeon commented 3 months ago

based on your recording, it doesn't appear to be using broker based flow for Nested App Auth. There should not be a popup unless user or admin has not previously consented to the scopes you are requesting. Could you validate if you are testing in the Beta Channel with Windows/Mac, and provide the build number?

hello-chenchen commented 3 months ago

hi @codexeon , so much thanks for your reply. and as you can see, i pasted my code segment in above. and i was follow https://learn.microsoft.com/en-us/entra/identity-platform/scenario-spa-acquire-token?tabs=javascript2 and https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in in the document. Do you mind paste your test code here, and give some suggestion. really thanks for it!

And my test environment is also stable build. Mac version:

image

Win32 version:

image

OWA is always lastest i think.

codexeon commented 3 months ago

The Win32 build you are using likely does not have Nested App Auth support. It requires being in the preview channel as documented here: https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in. I would expect a build 16.0.17925.20000 or later if you were to update to the latest preview today. For Mac/OWA your NAA should have support in new Outlook, however. When you mention a popup only the first time, is it for sign-in or to consent to permissions? I would expect a popup required to consent to permissions, if you haven't previously in another session, but not for a sign-in. If you are seeing that popup window to login without consent on every endpoint, it is likely an issue in the add-in JavaScript. https://github.com/OfficeDev/Office-Add-in-samples/blob/main/Samples/auth/Outlook-Add-in-SSO-NAA/src/taskpane/authConfig.ts is our sample that shows how to get additional logging from msal-browser for further diagnostic (set enableDebugLogging to true). If you enable the logging, you should be looking for a message "Nested App Auth Bridge available: true" in console. If you see "Nested App Auth Bridge available: false", the host does not support Nested App Auth. If you don't see the message at all, msal-browser is not trying to use Nested App Auth.

hello-chenchen commented 3 months ago

hi @codexeon , thanks your reply. sorry to see it later. i use this example: https://github.com/OfficeDev/Office-Add-in-samples/blob/main/Samples/auth/Outlook-Add-in-SSO-NAA. And it works. but as you said, I would expect a popup required to consent to permissions, if you haven't previously in another session, but not for a sign-in. So, it will also popup a permission dialog, if haven't previously in another session right? if so, do you know if there is some way for not popup that dialog? cause, as you know for Legacy Exchange tokens, there is no need popup dialog. it very silent for users. But, when we switch the NAA, if user must popup a dialog, i think that's too confuse for user. By the way, there is an admin consent on AAD app, But it still need the admin to consent also, not silent, do we have more silent way? https://learn.microsoft.com/en-us/entra/identity-platform/v2-admin-consent

davidchesnut commented 2 months ago

Hi @hello-chenchen,

The NAA will pop up a dialog if SSO won't work. For example, it needs user consent, or 2FA, or the Office client does not support NAA SSO. It does seem confusing that it can pop up a dialog even though you called acquireTokenSilent, but this is the by design behavior. Especially coming from Exchange token SSO behavior. You could follow up with the Microsoft identity team with suggestions for your scenario at https://learn.microsoft.com/entra/identity-platform/developer-support-help-options#share-your-product-ideas

There is an admin consent URI you can provide to tenant admins so they can consent to your add-in and avoid users having to see that dialog. https://learn.microsoft.com/entra/identity-platform/v2-admin-consent

You can also streamline admin consent by specifying the WebApplicationInfo.id property in the unified app manifest. Then admins can consent as part of the deployment UI. Unfortunately this won't work in the XML version of the schema. So don't use WebApplicationInfo with the scopes in the XML version as it may or may not work. It's not a supported manifest mechanism for NAA SSO. It's only for the OBO SSO flow.

Hope this helps, David

davidchesnut commented 1 month ago

Hi @hello-chenchen,

A correction to my previous post. NAA will not pop up a dialog when calling acquireTokenSilent. There was a bug at one point where this would happen. Can you please let us know if you still see this behavior because it shouldn't be there now.

Thanks! David

microsoft-github-policy-service[bot] commented 1 month ago

This issue has been automatically marked as stale because it is marked as needing author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. Thank you for your interest in Office Add-ins!

microsoft-github-policy-service[bot] commented 1 month ago

This issue has been closed due to inactivity. Please comment if you still need assistance and we'll re-open the issue.