OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview

Unable to use SSO when browser blocks third-party cookies in outlook add-in #4939

Open HugoLd opened 2 weeks ago

HugoLd commented 2 weeks ago

Provide required information needed to triage your issue

I created an add-in (using the new integrated spam reporting feature) on which I need SSO to work.

I configured the WebApplicationInfo properly and everything works fine on most people's browsers, but after some client complaints, I investigated and found out that some browsers block third-party cookies by default (Brave, but Chrome plans to do it by default as well). I'm able to reproduce the problem in Chrome when I manually disable third-party cookies.

As Chrome is the main browser and plans to disable them by default, I'm worried about the future of this add-in.

Any workaround?

Your Environment

Any browser with third-party cookies disabled

Expected behavior

Have a way to manage SSO on browsers refusing third-party cookies

Current behavior

Authentication doesn't work

Steps to reproduce

1. Disable third-party cookies in the browser.
2. Set up an Outlook add-in with WebApplicationInfo and call Office.auth.getAccessToken.

Context

Some of my users are unable to use the add-in (I can't make them enable third-party cookies manually), but likely in the next years no users will be able to use it anymore. Could be linked to this ticket: https://github.com/OfficeDev/office-js/issues/2993

Useful logs


shighosh-msft commented 2 weeks ago

Hi @HugoLd, to address the issue with SSO with 3P cookie blocking in the browser, please refer to the following article: https://devblogs.microsoft.com/identity/managed-devices-for-blocked-third-party-cookies/

Also, as a long-term solution, you can explore nested app authentication (NAA) - the details are here: https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in
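The token path suggested above, as an added example that is not part of the original thread or the project's code: use NAA through MSAL when the host advertises the NestedAppAuth requirement set, and keep `Office.auth.getAccessToken` only as the legacy path. The `getAddinToken` and `fakeDeps` names, the all-zero client ID, the `User.Read` scope and the stub token strings are assumptions; `fakeDeps` is a constructed stand-in for the Office host and `@azure/msal-browser` so the flow runs under Node.

```javascript
// office: the global Office object; msal: the @azure/msal-browser module.
// Both are injected so the decision logic can be exercised without a host.
async function getAddinToken({ office, msal, clientId, scopes }) {
  // Hosts that support NAA advertise the NestedAppAuth requirement set.
  if (office.context.requirements.isSetSupported("NestedAppAuth", "1.1")) {
    const pca = await msal.createNestablePublicClientApplication({
      auth: { clientId, authority: "https://login.microsoftonline.com/common" },
    });
    try {
      // The host brokers the request; no third-party cookie is involved.
      const res = await pca.acquireTokenSilent({ scopes });
      return { path: "naa-silent", token: res.accessToken };
    } catch (silentError) {
      // No cached account or consent needed: fall back to an interactive prompt.
      const res = await pca.acquireTokenPopup({ scopes });
      return { path: "naa-popup", token: res.accessToken };
    }
  }
  // Legacy SSO: the call that fails in this issue when third-party cookies are blocked.
  // It returns a token for the add-in's own backend, not a resource access token,
  // so callers must not treat the two paths' tokens as interchangeable.
  try {
    const token = await office.auth.getAccessToken({ allowSignInPrompt: true });
    return { path: "legacy-sso", token };
  } catch (ssoError) {
    // Surface the failure so the UI can offer another sign-in route; never log tokens.
    return { path: "none", token: null, error: ssoError };
  }
}

// Constructed stand-ins (assumptions, not real Office/MSAL objects).
function fakeDeps({ naa, silentOk, ssoOk }) {
  const office = {
    context: { requirements: { isSetSupported: (name) => naa && name === "NestedAppAuth" } },
    auth: { getAccessToken: async () => {
      if (!ssoOk) throw new Error("SSO failed (constructed error)");
      return "stub-bootstrap-token";
    } },
  };
  const msal = { createNestablePublicClientApplication: async () => ({
    acquireTokenSilent: async () => {
      if (!silentOk) throw new Error("interaction required (constructed error)");
      return { accessToken: "stub-naa-silent-token" };
    },
    acquireTokenPopup: async () => ({ accessToken: "stub-naa-popup-token" }),
  }) };
  return { office, msal, clientId: "00000000-0000-0000-0000-000000000000", scopes: ["User.Read"] };
}
```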

HugoLd commented 1 week ago

@shighosh-msft the NAA looks good, but it is not yet available on the new Outlook (one of our main targets) and it's suggested not to use it in production for now. As I am reading, I see that Chrome started their next phase (disabling third-party cookies for all users) in Q3, so it looks like we are running out of time to migrate. Do you have any information about the planned timeline to support the new Outlook? Just to know if it's a matter of weeks and we should wait, or if we have to find something else. The other link didn't seem very suitable for our needs.

neprasad-microsoft commented 6 days ago

Hi @HugoLd, we have rolled out support for NAA on New Outlook from 7th October.

microsoft-github-policy-service[bot] commented 2 days ago

This issue has been automatically marked as stale because it is marked as needing author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. Thank you for your interest in Office Add-ins!