
I'm writing an Add-in for Office365/Outlook. The Add-in runs on a web-server that presents information from a third-party system. I need to make sure it only presents information related to the username (or email address) logged in. I've successfully sent and validated the Exchange identity token on my server, using the PHP example code provided by Microsoft: https://dev.office.com/docs/add-ins/outlook/use-php-to-validate-an-identity-token

My problem is that the identity token does not contain any username or email address; the closest I get is "msexchuid", but I can't make any sense of that numeric user identifier in the third-party system.

On the client side the Add-in JavaScript can get a username and email via "Office.context.mailbox.userProfile", however I don't just want to forward that to my web server as it could be faked.

Is there a way to make the Identity token contain the username/email (that would be great!), or is it possible for my web server's server-side PHP script to look up further user details based on the identity token?

Torger
  • Great question. We are also struggling to find a clear solution. If the Exchange Identity token is supposed to sign in the user, who are we supposed to sign them in as if we don't know who they are? – Peter P. Jul 08 '17 at 01:35
  • I am greatly interested in getting a solution for this question. In our case, we are striving to have an SSO flow for Outlook Web Add-ins. The problem is that, if we are using office.context.auth.getAccessTokenAsync, we cannot deploy it globally in the organization through Exchange Admin Center, Exchange PowerShell, or Centralized Deployment (because we are also implementing the on-send event). So, as Microsoft suggests, the Exchange Identity Token can be an alternative. – alfi Jul 21 '18 at 10:14

1 Answer


The ID token is intended to integrate with third-party applications for SSO. As you mentioned, it only includes a unique ID of Exchange.

As a workaround, we can get the callback token via the getCallbackTokenAsync method, which includes the SMTP address directly. And to validate the callback token, we can verify whether we can get the item info with EWS.

For example, there is a 'parentItemId' in the callback token. Retrieving the claims from the callback token is the same as for the ID token, since it is also a JWT token. You can refer to here for more detail.

Then we can use the code below to get the item information from EWS:

    using System;
    using System.Web.Http;
    using Microsoft.Exchange.WebServices.Data;

    public bool Post([FromBody]EWSRequest request)
    {
        // EWS Managed API client, authenticated with the callback token
        // posted by the add-in and pointed at the EWS URL it reported
        ExchangeService service = new ExchangeService();
        service.Credentials = new OAuthCredentials(request.token);
        service.Url = new Uri(request.ewsURL);

        // get item id from callback token (its 'parentItemId' claim); left blank here
        var itemId = "";
        Item item = Item.Bind(service, itemId);

        // if Exchange accepted the token we get the item back; Subject may be null
        var subject = item.Subject;
        return !string.IsNullOrEmpty(subject);
    }

    // body of the POST sent by the add-in's JavaScript
    public class EWSRequest
    {
        public string token;
        public string ewsURL;
    }

JavaScript:

    // ask Outlook for a callback token, then hand it to our own server
    Office.context.mailbox.getCallbackTokenAsync(getCallbackTokenCallback);

    function getCallbackTokenCallback(asyncResult) {
        var _token = asyncResult.value;
        var _ewsURL = Office.context.mailbox.ewsUrl;

        var serviceEndpoint = "https://localhost:44300/API/token/";

        var postData = { token: _token, ewsURL: _ewsURL };
        $.ajax({
            url: serviceEndpoint,
            type: "post",
            contentType: "application/json",
            data: JSON.stringify(postData),
            success: function (result) {
                // result is the bool returned by Post(): true if EWS accepted the token
                var ret = result;
            }
        });
    }
Fei Xue
  • I'm a bit confused on how this relates to the Exchange Identity Token process Microsoft describes. It seems you can just use this approach to authenticate and (SSO) user with this token. No? – Peter P. Jul 08 '17 at 02:11
  • Thanks for replying Fei Xue, how does this work in a real world setting? Since Outlook 2016 doesn't share sessions between popup browser windows and the fact that Outlook add-ins are in iframes, the only way to authenticate a user with oAuth Microsoft or Azure SAML is through the Outlook API providing information. But the above example assumes the user has an attached file! What if this add-on is opened from the Home tab in Outlook or doesn't have attachments? – Alex Grande Jul 08 '17 at 17:45
  • I am using this getCallbackTokenAsync in a different way, which is using the Outlook REST API, not EWS. First, the client sends the callback token and restUrl information to the backend. Then the backend will call /v2.0/me to get the email address. Then I will use the email address to log in to my backend to have the SSO flow. I think this will also validate the callback token itself. – alfi Jul 23 '18 at 02:21
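The server side of the workaround above receives two values it cannot trust as-is: the callback token and the ewsURL, both chosen by whoever sent the POST. The following is an added Node.js example, not code from the answer or from Microsoft, showing how a server can read the token's claims without trusting them (it has no key to check the signature; the claims only count once Exchange accepts the token on the EWS call) and refuse to forward the token to any URL that is not HTTPS on a known Exchange host. The claim names come from the answer ('parentItemId') and the question ('msexchuid'); the allowed-host list, the sample payload and the requirement that 'exp' be present are assumptions of this example.

```javascript
// Decode one base64url segment of a JWT (padding restored, URL-safe alphabet mapped back).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Parse the JWT payload only. No signature check: the add-in server has no key for the
// callback token, so these claims remain untrusted until Exchange accepts the token.
// Returns null for anything that is not a three-part JWT with a JSON payload.
function readUntrustedClaims(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try { return JSON.parse(b64urlDecode(parts[1])); } catch { return null; }
}

// The add-in sends ewsURL from Office.context.mailbox.ewsUrl, but the server cannot tell
// that apart from a hand-crafted POST, so only HTTPS URLs on allowed hosts pass.
// (allowedHosts is an assumption of this example; use your tenant's EWS hostnames.)
function isAllowedEwsUrl(ewsUrl, allowedHosts) {
  let u;
  try { u = new URL(ewsUrl); } catch { return false; }
  return u.protocol === 'https:' && allowedHosts.includes(u.hostname.toLowerCase());
}

// Screen one POST body { token, ewsURL }. Returns { itemId, ewsUrl, claims } ready for the
// Item.Bind step from the answer, or { error } when the request should be rejected.
// 'exp' is treated as required here (assumption) and compared against nowSeconds.
function screenCallbackRequest(body, allowedHosts, nowSeconds) {
  if (!body || typeof body.token !== 'string' || typeof body.ewsURL !== 'string') {
    return { error: 'missing token or ewsURL' };
  }
  if (!isAllowedEwsUrl(body.ewsURL, allowedHosts)) return { error: 'ewsURL not allowed' };
  const claims = readUntrustedClaims(body.token);
  if (!claims) return { error: 'token is not a JWT' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { error: 'token expired' };
  if (typeof claims.parentItemId !== 'string' || claims.parentItemId === '') {
    return { error: 'no parentItemId claim' };
  }
  return { itemId: claims.parentItemId, ewsUrl: body.ewsURL, claims };
}

// Constructed sample token for local testing: invented payload, junk signature segment.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2lnbmF0dXJl`;
}
```

Whatever passes this screen still has to be proven against Exchange, exactly as the answer does with Item.Bind; the screen only keeps malformed input and foreign URLs from reaching that step.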