jwt issuer invalid. expected: https://login.microsoftonline.com/******/v2.0 about office-add-in-nodejs-sso HOT 10 CLOSED

I think, I misunderstood something. In the example, tenant id is placed into issuer so that JWT can be verified by checking issuer (as well as audience). If i place there my office365 user's tenant id, it works okay. However, i am developing a globally available word addin, so different tenants will use the application. In this case, nobody else can verify the jwt. So, I removed issuer verification and it works for anyone now. Is this the correct thing to do ?

from office-add-in-nodejs-sso.

@ardabeyazoglu I not sure if we support SSO for multitenant add-ins. I'll look into this.

from office-add-in-nodejs-sso.

@Rick-Kirkham thanks, i realized that now. A friend with hotmail account couldnt use the addin now. If there is no support for multitenancy with sso, what is the preferred way of accessing onedrive files from addin for different tenants ? Or is it even possible ?

from office-add-in-nodejs-sso.

I'm not sure that we don't support multitenant. The SSO preview program is in an uncertain state right now, so I can't give you any information yet.

This Azure sample says that you can use multitenant, but you need to replace default issuer validation with custom validation to validate against a list of safe tenants. I think this would work to get a token to Microsoft Graph (with which you can access OneDrive files). See this sample for getting access to OneDrive without using SSO: PowerPoint-Add-in-Microsoft-Graph-ASPNET-InsertChart

UPDATE: Subject to the caveat that everything connected with SSO is kind of uncertain right now, I can confirm that we do, in principle, support multitenant with SSO and the Azure sample I pointed you to is the recommended way to handle it. In particular, note in this file how default issuer validation is turned off and custom validation is added: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-multitenant-openidconnect/blob/master/TodoListWebApp/App_Start/Startup.Auth.cs

Also, regarding your friend with the Hotmail account, there is a bug right now in which Microsoft Account credentials may not work with SSO because the consent to the add-in is not being propagated to all the AAD servers.

from office-add-in-nodejs-sso.

Thanks, I ll check out azure sample.

from office-add-in-nodejs-sso.

After digging into documentation and various tests, i found out the problem. The problem is, the example code is supposed to use Azure v2, but it actually uses v1 endpoints to download signing keys. When you sign in with a different tenant, it doesnt download the proper key and can not verify jwt. After changing discoveryUrlSegment to v2.0/.well-known/openid-configuration it works fine. In any case, issuer verification must be disabled of course.

Also, i tried with a personal consumer account (*@outlook.com) and it also worked. I ll try with hotmail as well.

I also found another problem in the example code that might be dangerous. Caching graph token to server storage is implemented as it is for a single tenant. If the app is multi tenant this means, different tenants may access to other tenants' files with the graph api, because there will always be one single graph token cached.

I modified a few lines of code for this, and sent a merge request.

from office-add-in-nodejs-sso.

@ardabeyazoglu

Have your changes been merged yet? Does not seem like it

from office-add-in-nodejs-sso.

@elrapha Yes, they were merged, or better to say added. You can find it inside multitenant example.

from office-add-in-nodejs-sso.

@ardabeyazoglu oh yes...i see that now.
How did you dynamically get the tenant id in the multi-tenant architecture? Its not clear. I suppose that would be necessary to verify the issuer?

from office-add-in-nodejs-sso.

@elrapha can you tell me more specifically what you didnt understand? You don't need tenant id in this case, user first login to his account and consent your application so that you get an access token on behalf of him. After that, you download the signing keys for the user's account by using this access token and verify the jwt using those keys. In multitenant/src folder, check server.ts and auth.ts. All i talked about are there.

from office-add-in-nodejs-sso.