Aron

Reputation: 183

Office.js web add-in: authenticate to third-party web app

I'm playing around with the starter Outlook web add-in template in Visual Studio 2019.
I need some security advice.

Inside MessageRead.js I can use Office.context.mailbox.userProfile to get some info about the add-in user profile.
For example: userDisplayName, userEmailAddress, id, and so much more.

I'm wondering if it's a bad idea to use "id" as a form of SSO authentication method with my third-party web application.
I would initially ask the user to authenticate with email+password+ID from Office.context.mailbox.userProfile, then store the ID with the userRecord inside my database.

Next time the user opens the Outlook add-in, it will automatically log in with "only" the id from Office.context.mailbox.userProfile.

The question is: is this totally unsafe, and should it not be used?
I'm trying to avoid the OAuth method and find a simpler approach.

If this is a bad idea, can you show me an example of a simple, secure method?
Thank you.

Upvotes: 0

Views: 354

Answers (1)

user7823505

The recommended way to get a user ID and map it to a user in the add-in backend is to get the user token and use the ID from it. Please refer to the documentation at https://learn.microsoft.com/en-us/outlook/add-ins/authenticate-a-user-with-an-identity-token

Upvotes: 1
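A sketch of the backend half of what the answer recommends, as an added example that is not code from the question, the answer or Microsoft: the add-in obtains the token with Office.context.mailbox.getUserIdentityTokenAsync and posts it to the server, which checks the signed claims before treating msexchuid as the user's identity (a bare ID sent by client script carries no signature the server could check). The add-in URL, the trusted amurl value, the getSigningKey lookup and the signSampleToken helper are assumptions made for illustration.

```javascript
// Added example (Node.js backend). Claim names follow the Exchange identity token format.
const { verify, sign } = require("node:crypto");

const ADDIN_URL = "https://addin.example.com/MessageRead.html"; // placeholder: your add-in page URL
const TRUSTED_AMURLS = new Set([                                 // placeholder: metadata URLs you trust
  "https://mail.example.com:443/autodiscover/metadata/json/1",
]);
const b64urlJson = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// getSigningKey(amurl, x5t) is a hypothetical caller-supplied lookup that returns the
// public key published in the authentication metadata document at amurl.
function validateExchangeIdToken(token, getSigningKey, now = Date.now() / 1000) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;
  const header = b64urlJson(h);
  const claims = b64urlJson(p);
  // Assumption: appctx may arrive as a JSON string or as an object; accept both.
  const appctx = typeof claims.appctx === "string" ? JSON.parse(claims.appctx) : claims.appctx;

  if (header.alg !== "RS256") throw new Error("unexpected alg"); // never let the token pick the algorithm
  if (claims.aud !== ADDIN_URL) throw new Error("audience mismatch");
  if (!(Number(claims.nbf) <= now && now < Number(claims.exp))) throw new Error("outside validity window");
  if (!appctx || appctx.version !== "ExIdTok.V1") throw new Error("unexpected token version");
  // The token names the location of its own signing key, so pin that location first.
  if (!TRUSTED_AMURLS.has(appctx.amurl)) throw new Error("untrusted amurl");

  const key = getSigningKey(appctx.amurl, header.x5t);
  if (!verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(sig, "base64url")))
    throw new Error("bad signature");

  // Account key to store with the user record: mailbox id scoped to the server that vouched for it.
  return `${appctx.msexchuid}|${appctx.amurl}`;
}

// Constructed token for local testing only; real tokens are signed by Exchange.
function signSampleToken(claims, privateKey) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = `${enc({ typ: "JWT", alg: "RS256", x5t: "sample" })}.${enc(claims)}`;
  return `${body}.${sign("sha256", Buffer.from(body), privateKey).toString("base64url")}`;
}
```

The first sign-in still uses email and password; after that, the returned key is what gets stored and matched, and every later request must present a fresh token that passes the same checks.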
