Comments (10)
I think, I misunderstood something. In the example, tenant id is placed into issuer so that JWT can be verified by checking issuer (as well as audience). If i place there my office365 user's tenant id, it works okay. However, i am developing a globally available word addin, so different tenants will use the application. In this case, nobody else can verify the jwt. So, I removed issuer verification and it works for anyone now. Is this the correct thing to do ?
from office-add-in-nodejs-sso.
@ardabeyazoglu I not sure if we support SSO for multitenant add-ins. I'll look into this.
from office-add-in-nodejs-sso.
@Rick-Kirkham thanks, i realized that now. A friend with hotmail account couldnt use the addin now. If there is no support for multitenancy with sso, what is the preferred way of accessing onedrive files from addin for different tenants ? Or is it even possible ?
from office-add-in-nodejs-sso.
I'm not sure that we don't support multitenant. The SSO preview program is in an uncertain state right now, so I can't give you any information yet.
This Azure sample says that you can use multitenant, but you need to replace default issuer validation with custom validation to validate against a list of safe tenants. I think this would work to get a token to Microsoft Graph (with which you can access OneDrive files). See this sample for getting access to OneDrive without using SSO: PowerPoint-Add-in-Microsoft-Graph-ASPNET-InsertChart
UPDATE: Subject to the caveat that everything connected with SSO is kind of uncertain right now, I can confirm that we do, in principle, support multitenant with SSO and the Azure sample I pointed you to is the recommended way to handle it. In particular, note in this file how default issuer validation is turned off and custom validation is added: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-multitenant-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs
Also, regarding your friend with the Hotmail account, there is a bug right now in which Microsoft Account credentials may not work with SSO because the consent to the add-in is not being propagated to all the AAD servers.
from office-add-in-nodejs-sso.
Thanks, I ll check out azure sample.
from office-add-in-nodejs-sso.
After digging into documentation and various tests, i found out the problem. The problem is, the example code is supposed to use Azure v2, but it actually uses v1 endpoints to download signing keys. When you sign in with a different tenant, it doesnt download the proper key and can not verify jwt. After changing discoveryUrlSegment
to v2.0/.well-known/openid-configuration
it works fine. In any case, issuer
verification must be disabled of course.
Also, i tried with a personal consumer account (*@outlook.com) and it also worked. I ll try with hotmail as well.
I also found another problem in the example code that might be dangerous. Caching graph token to server storage is implemented as it is for a single tenant. If the app is multi tenant this means, different tenants may access to other tenants' files with the graph api, because there will always be one single graph token cached.
I modified a few lines of code for this, and sent a merge request.
from office-add-in-nodejs-sso.
Have your changes been merged yet? Does not seem like it
from office-add-in-nodejs-sso.
@elrapha Yes, they were merged, or better to say added. You can find it inside multitenant
example.
from office-add-in-nodejs-sso.
@ardabeyazoglu oh yes...i see that now.
How did you dynamically get the tenant id in the multi-tenant architecture? Its not clear. I suppose that would be necessary to verify the issuer?
from office-add-in-nodejs-sso.
@elrapha can you tell me more specifically what you didnt understand? You don't need tenant id in this case, user first login to his account and consent your application so that you get an access token on behalf of him. After that, you download the signing keys for the user's account by using this access token and verify the jwt using those keys. In multitenant/src folder, check server.ts and auth.ts. All i talked about are there.
from office-add-in-nodejs-sso.
Related Issues (20)
- UnauthorizedError: Unable to verify JWT.jwt expired HOT 1
- The scope is not valid HOT 17
- Office.context.auth undefined HOT 4
- Get file from Sharepoint HOT 2
- Does SSO work on Desktop clients? HOT 1
- Add-in is not sideloading in outlook when uploaded as custom add-in HOT 1
- Token version mis match with new App Registration (Preview) HOT 8
- getAccessTokenAsync - Token lacks signature part and can't be decoded HOT 2
- Office.context.auth sometimes undefined HOT 5
- package and deploy word addin in sharepoint catalog HOT 2
- {name : "Internal Error", message : "An internal error has occurred.", code : 5001} When using getAccessTokenAsync HOT 1
- getAccessTokenAsync give me 5013 error in Windows 10 HOT 11
- Can we have a proper readme.md file to follow steps to execute the solution HOT 1
- OfficeRuntime.auth.getAccessToken() always return 13007 error code in a particular tenant HOT 7
- Can Passport now be included in this sample now issues with dynamic keys? HOT 2
- Deploying solution started from this example HOT 13
- Office Online SSO HOT 10
- Error 13006 : An unexpected error occurred in the client. HOT 3
- No access_token response HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from office-add-in-nodejs-sso.