Now these issues are resolved,

Looking at
https://github.com/OfficeDev/Office-Add-in-NodeJS-SSO/blob/master/Completed/src/auth.ts

• (mikenicholson/passport-jwt#108)
• (mikenicholson/passport-jwt#94)

Can we please see this sample using the Passport implementation? Now that dynamic keys are useable?

Cheers

Nigel D

Hi,
I follow all the steps given in the example and then when I try to run the add-in in power-point on-line Build:16.0.8812.5630. I got the next error:

Code:5001
Message: An internal error has occurred
name: Internal Error

Any ideas what this is happening? Can I use the SSO in this build version?

Thanks for your help.

Hi, I'm successfully running the completed project locally in Excel on Windows. By following the guide carefully I understood that the SSO should work also on Excel Online. However when I try to run in it there I get the following error:

I can't figure it out what is exactly the problem and where these reply urls can be configured.
I'm developing an add-in locally and I would like to be able to run it on Excel Online since it would be easier for debugging.

Hey there I used this repository to better understand how to set up SSO for a Excel application and I am running across a strange issue.

I got this project working locally on my Mac and then pushed the code for the server and the client side add in to a cloud platform. Then I modified the manifest file to point to the application I have running in the cloud.

With the modified manifest file on my mac everything works fine. I am connecting to this application I have running the cloud and I am able to successfully login via SSO in Excel.

But this is the strange part, when I copied the manifest file that is pointing to my cloud app to a Windows 10 computer and side loaded the manifest file it give me an error when I call getAccessTokenAsync. This is what the result object looks like when I am running the add in on my Windows 10 machine.

{
  "status":"failed",
  "error":{
    "name":"API Call Failed",
    "message":"Invalid input arguments.",
    "code":5013
  }
} 

Since this app is running the cloud I am passing the same input arguments on both the Mac and Windows version (({forceConsent: false}, callback)). I am not sure why it would work on my Mac but not on my Windows 10 machine. I also can't seem to find what exactly this error code is supposed to mean.

Do you know if I need to add something special to the manifest file for the Windows 10 configuration?

I've done this nodejs SSO setup in multiple tenants and never had this problem before. With the same setup, this particular office 365 tenant across all users with different access level can't seem to get the bootstrap token from OfficeRuntime.

Expected Behavior

OfficeRuntime.auth.getAccessToken() should provide add-in with bootstrap token that can be exchanged using on-behalf-of flow to get graph token.

Current Behavior

OfficeRuntime.auth.getAccessToken() returns 13007 error instead

Steps to Reproduce, or Live Example

Follow setup guide to create app registration and set it up with the "Complete" version of the demo app.
Make sure all permissions are already consented by user before running the add-in
Then put a breakpoint after OfficeRuntime.auth.getAccessToken()

Context

I can't get graph token to let the add-in getting information from graph API. This add-in becomes non-functional.

Your Environment

• Platform [PC desktop, Mac, iOS, Office Online]: Office Online
• Host [Excel, Word, PowerPoint, etc.]: Word
• Office version number: not sure how to find out
• Operating System: Windows 10 Pro
• Browser (if using Office Online): Chrome/Edge Chromium

Useful logs

I notice in this particular tenant. Every time OfficeRuntime.auth.getAccessToken() is executed, the log on the word online window display this error log:

authorize:82 
Unsafe JavaScript attempt to initiate navigation for frame with origin 'https://<tenant>-my.sharepoint.com' from frame with URL 
'https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?response_type=token&client_id=<app-id>&resource=api%3A%2F%2F<add-in-domain>%2F<id>&redirect_uri=https%3A%2F%2F<tenant>-my.sharepoint.com%2F_forms%2Fsinglesignon.aspx&state=<id>%7Capi%3A%2F%2F<add-in-domain>%2F<id>&client-request-id=<id>&x-client-SKU=Js&x-client-Ver=1.0.16&prompt=none&login_hint=<user>%40<tenant>.<domain>&domain_hint=<tenant>.<domain>'. 
The frame attempting navigation of the top-level window is sandboxed, but the flag of 'allow-top-navigation' or 
'allow-top-navigation-by-user-activation' is not set.

I've read this from microsoft documentation (https://docs.microsoft.com/en-us/office/dev/add-ins/develop/troubleshoot-sso-in-office-add-ins):
I can confirm that openid and profile permissions have already been added and granted, so that can't be the issue.

another question that might help me identify the issue is "How do i check if the logged in user has a Microsoft Account (MSA) identity?"

And if they do, does that mean these set of users cannot use the SSO until SSO is not a preview feature anymore?

I use this for a Word Add-in and getting Data from graph works fine. But i also try to get a file from SharePoint but get an Unauthorized because the Token is valid for Graph and not for my SharePoint site.

do you have a tipp or idea, how i get the right Token for Sharepoint? i tried to get the token with auth.acquireTokenOnBehalfOf(jwt, ['Files.Read.All'], 'myTenant.sharepoint.com'); but it doesnt work.

Thank you
Dominik

@Rick-Kirkham @ardabeyazoglu

I followed all the steps specified here to test SSO for outlook in local. I uploaded manifest file(attached below) as custom add-in, but when I close the store popup, it not showing up beside store icon.

Current outlook version is: Outlook 2016 version 1803 (16.0.9126.2295)

And here is manifest file:
manifest.txt

I am not sure what I am doing wrong, please help me with this.

Is this supposed to work on desktop clients? I read that getAccessToken is in preview mode for desktop clients. Am I missing some updates to the api? I am building for Outlook

Hi
I lunched complete sample but when my code ran to exchangeForToken in auth.ts and res.json() the values return only { refresh_token: 'xxx', id_token: 'xxx' } no access_token, then i got undefined and can't complete sample.

What is i missed ?

Thank you for your help.

Hello,

I have an error when using getTokenAsync in my Addin for outlook (angular 1.5 + nodejs):
{name : "Internal Error",
message : "An internal error has occurred.",
code : 5001}

I tried a lot of things to get rid of this error but nothing is working.

It was working before, never had this error, I didn't touch the code for 2 months and when I get back I have this.

Thank you in advance for your answer.

Aurélien

Hi I followed the instructions online uploaded the xml on office online however when i click the get one drive files button nothing comes out and i get this error from the console. Please help thank you

I am creating a POC for Outlook add-in SSO. I have followed the complete article and testing the solution but getting basic errors. Not sure if I am doing anything wrong.

Office.context.auth.getAccessTokenAsync({forceConsent: false}, function (result) { if (result.status === "succeeded") { accessToken = result.value; getData("/api/values", accessToken); } else { console.log("Code: " + result.error.code); console.log("Message: " + result.error.message); console.log("name: " + result.error.name); document.getElementById("getGraphAccessTokenButton").disabled = true; } });

I was debugging above block of code and getting Office.context.auth is undefined.

Thanks in advance for your help.

Once I got this to load in PowerPoint, the Add-in doesn't do anything. the "Get my files from OneDrive" just grays out and nothing happens.

Hi,

i wrote an Office-Add-in for Word and use SSO. Sometimes my api calls work fine but most time the Office.context.auth is undefined so i can´t call getAccessTokenAsync.

tried to call it later with a btn click or with Office.onReady().then(() => {...}) but it doesn´t help.

I use Office 365 ProPlus.
Word Version is 1812

Hi,

When I tried to run nodejs-sso example, everything works fine until const {jwt} = auth.verifyJWT(req, {scp: 'access_as_user'}); throws the error jwt issuer invalid. expected: https://login.microsoftonline.com/*****/v2.0. When I checked the expected url and the issuer i placed in the code, they are exactly the same. However, when i decode jwt token i see that iss claim is different than this.

Why do i get a jwt token with a different iss claim ?

NOTE: The iss claim in the decoded token is "https://login.microsoftonline.com/a2b0309e-37c1-486d-bdbd-4d91b7d25cd5/v2.0".

Hi,
I have been working on a solution using the code provided here as a starting point.

I went to turn the solution into a production build by following the steps provided here:
https://docs.microsoft.com/en-us/office/dev/add-ins/publish/publish-add-in-vs-code

but hit issues when trying to run "npm start build", receiving the message:

Have I missed something that has lead to no build being available or do you have a fix?

Hi,
Thank you for this sample :)
I launched the completed version but I have an error in the console when trying to get the OneDrive files :
Error 13006 : An unexpected error occurred in the client. Error occurred in the authentication request from Office.
I tried on Windows Excel and online Excel.
I changed nothing except the application id in the manifest.

Thank you for your help

Hi,

I am newly developing word addin using yo generator and I created a sample task pane javascript addin and it is running absolutely fine when I am starting the node.js server. My query is how can I consume the word addin in word online without starting the server. Can I put the package somewhere in SharePoint site and making a CDN for that. I have no idea how to package resouces. I know we can put the manifest in app catalog for SharePoint online but not sure about how the js files and other files can be packaged and placed.

Can you please guide me on this if you have idea on this.

Thanks,
Himanjan

I completed all the steps. But the "tsc-w": "tsc -p tsconfig.json --watch" command fails with -p flag is included.
Once I get past that step removing -p flag, npm run start results in endless loop.

Hi,

I followed the tutorial with the code in this repo to create a simple office365 word addin, and only changed the ids, secrets etc. however it doesn't work when it attempts to get an access token to retrive drive files.

Here is the url (decoded) of the token request when i check in network:
https://login.live.com/oauth20_authorize.srf?client_id=00000000481710A4&response_type=token&redirect_uri=https://p.sfx.ms/sa.html&state={"client_id":"00000000481710A4","network":"windows","display":"none","callback":"_hellojs_bd2pxupx","state":"","redirect_uri":"https://p.sfx.ms/sa.html","scope":"api://localhost:3000/dad7312f-6ccd-4026-8a80-86441223c790/access_as_user"}&scope=api://localhost:3000/dad7312f-6ccd-4026-8a80-86441223c790/access_as_user

The response says The+provided+value+for+the+input+parameter+'scope'+is+not+valid.+The+scope+'api://localhost:3000/dad7312f-6ccd-4026-8a80-86441223c790/access_as_user'+does+not+exist.`

The app id and resource url are already taken from application config page in developer portal, so they are correct. However, I dont know where the client_id in the url above is coming from.

I'm creating an outlook add-in, and trying to create SSO access. I am getting the app-token, via office.context.auth.getaccesstokenasync and pushing it to a expressjs middleware component, just like in this example here in the repository. Decoding in the auth.ts fails. After having a look at the token itself, it seems invalid as it is one ,-section short.

It works flawlessly in our own tenant (using Addin in Outlook on Win 10):

The token is incomplete in our customers tenant with the same configuration:

Any hint where to look here?

As of now the solution seems pretty difficult whats the start point and all the stuffs for a beginner for Office.js , some steps to run the solution , would be helpful

For this sample I had registered my App in apps.dev.microsoft.com, the getAccessTokenAsync() method returns v2.0 token. Using this token I was able to get graph v2.0 token everything works fine.

When I registered the app under the Azure Portal -> App Registration (Preview), the getAccessTokenAsync() method returns the v1.0 token. So, JWT token validation fails and I am unable to get the graph token.

I would like to know is this going to be v1.0 token in future or is this bug in preview?