Addin fails to load in trident (Outlook) systems when NAA-SSO authentication is used.

glr0221 commented 3 months ago

I have successfully incorporated NAA-SSO authentication in my addin. I was using this sample as basis for my implementation. Everything was working fine OWA, mobile and outlook clients. However, when I tried to load the addin in TRIDENT windows-outlook clients, my addin could not be loaded.

Expected Behavior

I fully expect that NAA-SSO will not run in trident systems. However, it should not cause for the addin to not be loaded. I tried adding try-catch around 'createPublicClientApplication()' but it does not go into the 'catch' flow.

Current Behavior

Currently, if an addin adds support for NAA-SSO, and follows the sample provided, then the addin won't be loaded in trident systems.

Steps to Reproduce, or Live Example

Link to live example: __ I don't know if this will help in the debugging process, but somehow this can be reproduced using the sample . Just make sure that the target Outlook client is a windows-trident outlook client.

Additional details: Just follow the sample for SSO-NAA. And then make sure to test and load it in a trident outlook instance.

Context

Imagine that you have an addin that runs on a lot of end points. And those endpoints are a mix of the new versions and trident systems. Currently, without NAA-SSO, your addin works great, behaves and functions as designed. Then you update your addin to support NAA-SSO, and it fails to load the trident systems.

Your Environment

Platform [PC desktop, Mac, iOS, Office Online]: Windows 10 PC
Host [Excel, Word, PowerPoint, etc.]: Outlook Trident
Office version number: 16.0.10730.20348
Operating System: Windows 10
Browser (if using Office Online): NA

Useful logs

[ ] Console errors
[ ] Screenshots
[ ] Test file (if only happens on a particular file)

bntv-config commented 2 months ago

Any update in thus issue ?

davidchesnut commented 2 months ago

Hi @glr0221, Unfortunately MSAL v3 (for NAA) won't run on Trident (IE webview). We're working on providing a sample that will show how to fall back to MSAL v2 so that your add-in can still authenticate and run. That is on the backlog.

Thanks! David

glr0221 commented 2 months ago

Hello @davidchesnut . Thanks for your response and for the sample in advance. Very much appreciated.

The other concern I have is the upcoming October 2024 deadline :

Exchange user identity tokens and callback tokens are deprecated and will begin to be turned off in October 2024. We recommend moving Outlook add-ins that use legacy Exchange tokens to nested app authentication.

Are there plans to extend the October 2024 deprecation while NAA still has some issues? Thank you.

davidchesnut commented 2 months ago

The timeline is in our FAQ

So just to help clarify... Only tenants with Current Channel clients will have Exchange tokens turned off in October. And then it will only be tenants we know are not using Exchange tokens. So you shouldn't see add-ins affected yet. In January 2025 is when you'll see all Current Channel tenants having Exchange tokens turned off. So January is definitely when you're going to want your add-in ready.

Cheers, David

glr0221 commented 2 months ago

@davidchesnut Thank you for the timeline and the link explaining it. Looking forward to get the NAA-SSO in place way before the June 2025 deadline.

glr0221 commented 1 month ago

@davidchesnut

Just checking on this item. Do we have a timeline for the msalv2 fallback? Also I have tested a newer version (3.24) with trident outlook. It still crashes on load of the addin. We have 3 months until January, and we really would like to get the NAA-SSO implemented in our code.

Or should I just not support Outlook with trident because it is obsolete?

Thank you for your patience and understanding.

davidchesnut commented 3 weeks ago

Hi @glr0221, We published a sample showing how to support trident fallback here: https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/auth/Outlook-Add-in-SSO-NAA-IE

Also we won't be turning off Exchange Online legacy tokens in any tenant until February. For more information see Nested app authentication and Outlook legacy tokens deprecation FAQ

Hope this helps! David

glr0221 commented 3 weeks ago

Hello @davidchesnut,

Thank you once again for sharing this sample. Sorry for the late response as it is only now that I had the time to test. I tried the sample on a trident environment and ended up with a runtime error :

Uncaught runtime errors:
×ERROR
Syntax error

ERROR
Loading chunk vendors-node_modules_azure_msal-browser_dist_app_PublicClientApplication_mjs failed.
(missing: https://localhost:3000/vendors-node_modules_azure_msal-browser_dist_app_PublicClientApplication_mjs.js)
ChunkLoadError: Loading chunk vendors-node_modules_azure_msal-browser_dist_app_PublicClientApplication_mjs failed.
(missing: https://localhost:3000/vendors-node_modules_azure_msal-browser_dist_app_PublicClientApplication_mjs.js)
   at stop (https://localhost:3000/taskpane.js:208:6809)
   at _callee$ (https://localhost:3000/taskpane.js:271:11)
   at tryCatch (https://localhost:3000/taskpane.js:208:1030)
   at Anonymous function (https://localhost:3000/taskpane.js:208:3000)
   at Anonymous function (https://localhost:3000/taskpane.js:208:1687)
   at asyncGeneratorStep (https://localhost:3000/taskpane.js:209:84)
   at _throw (https://localhost:3000/taskpane.js:210:291)
   at callReaction (https://localhost:3000/polyfill.js:17278:9)
   at Anonymous function (https://localhost:3000/polyfill.js:17303:7)
   at flush (https://localhost:3000/polyfill.js:9252:7)

The Outlook version I was using was the following :

Outlook Semi-annual channel
Version="16.0.10730.20348"

I got this build from one of Microsoft's reference articles.

I hope the logs I sent help in determining the cause and in developing a fix as well.

Thank you.

davidchesnut commented 1 week ago

Hi @glr0221,

Running this sample I see it is not working properly, so I'm investigating how to fix and will follow up soon. Thanks!

OfficeDev / office-js