0
votes

I was going through the documentation for Implement single sign-on to your service in an Outlook add-in, which talks about SSO sign-on for getting authorization. But as SSO token auth is only in preview and the Exchange user identity token cannot be used for O365, I want to know if "Get access on behalf of a user" can be used in an Outlook add-in for accessing the MS Graph API?

I couldn't find any such documentation for Office add-ins using "Get access on behalf of a user".

Edit 1: I have been using getCallbackTokenAsync to call the Outlook Endpoint API from my add-in. But due to some unexpected behavior of the /attachment API, I'm planning to use the MS Graph API. My concern in the question is whether the "Get access on behalf of a user" authentication flow will work for an add-in on Outlook Win32, Outlook Mac, Outlook Mobile and Outlook Web.

1
Can you please provide which platform you are developing this on? Outlook Win32, Outlook Mac or Outlook Web? – Outlook Add-ins Team - MSFT

I'm developing this on Outlook Web, planning to support Outlook Win32, Outlook Mac, Outlook Mobile and Outlook Web with the add-in. – Sagar Pilkhwal

Does the answer provided below by Mavi Domates work for you? – Outlook Add-ins Team - MSFT

Will the answer provided by Mavi Domates work on Outlook Win32, Outlook Mac, Outlook Mobile and Outlook Web with the add-in? I'm in the process of setting up the backend server to expose the API. – Sagar Pilkhwal

They can, which would make things even easier. The users would still need to go through the popup experience though (although no consent will be required and the coded logic would immediately acquire the access token). – Mavi Domates

1 Answer

2
votes

See the accepted answer to this post: 401 Unauthorized when trying to send emails from EWS Managed API

In essence, if you absolutely need to use Microsoft Graph, there are ways of doing that without using the SSO mechanism. You can use WebSockets and transmit the access token / refresh token.

Node.JS configuration for this is like:

(In the web-app)

  1. Ask the user to click on a button, for authorizing your app to their account.
  2. Pop out the user to the OAuth login url. (and show a spinner)

(on the webpage)

  1. Set up your redirect / reply URL in a way that once it receives the access token (or the refresh token, if you're using code authentication) it transmits it through the sockets to the user who initiated the sign-in. One way to ensure the mapping is to have a unique GUID put onto the web-app response (in the cookie or as an inline script).

The EWS APIs (there's a method which allows you to make calls to EWS / makeEwsRequestAsync) are quite rich though.