Auth and your Office App
Tarun Chopra
Agenda
OAuth Fundamentals
MSAL: Mail Calendar .NET App accessing Graph
Demo
Office-js-Helpers: Outlook JS WebApp accessing Graph
Demo
Overview of Single Sign-on API (Preview)
v2.0 Protocols – OAuth 2.0
OAuth (Open Authorization) is an open standard for token-based, delegated authorization: it lets a resource owner grant a client application scoped access to a protected resource without handing the client the owner's credentials. OAuth 2.0 is an authorization framework, not an authentication protocol; sign-in on the v2.0 endpoint comes from OpenID Connect, which layers an id_token on top of the same authorization flow. Microsoft Graph accepts OAuth 2.0 bearer tokens issued by Azure AD, and through Graph a client reaches workloads such as Exchange, OneDrive and SharePoint.
Roles in the v2.0 flow: OAuth Client (Native or Web App), Resource Server (REST API), Authorization Server (v2.0 endpoint), Resource Owner (End-User). The Bearer Token is what the client obtains from the authorization server and presents to the resource server.
The Authorization Server (Azure AD) is the identity provider. It authenticates the user, records the consent that grants or revokes a client's access to resources, and issues tokens.
The Resource Owner is typically the end-user: the party that owns the data and has the power to allow a third party to access that data, or resource.
The OAuth Client is your app, identified by its Application Id. It is the app the end-user interacts with, and it requests tokens from the authorization server. It cannot reach the resource until the resource owner (or, for app-only permissions, an administrator) has granted it permission.
The Resource Server is where the resource or data resides; for this deck that is Microsoft Graph. It trusts the Authorization Server to authenticate the user and authorize the OAuth Client, and it admits a request only after validating the bearer access_token the request carries: the signature against the issuer's published signing keys, plus issuer, audience, validity window and the scopes (or roles) claim. Because the token is a bearer credential, anyone who holds it can use it, so it must travel only over TLS and must never be logged.
Sequence Flow diagram: Application, Authorization Endpoint, Token Endpoint, Microsoft Graph API.
MSAL / Office-js-helpers
Demo: Outlook WebApp accessing Graph (Office-js-helpers)
Demo: Mail Calendar App accessing Graph (MSAL, Microsoft Authentication Library)
SSO Authentication Overview
Components in the Flow
Diagram, built up over three slides (Step 1, Step 2, Step 3): Office Application, Add-in, Add-in Service, Office Store, Azure Converged Endpoint, Microsoft Graph. Hosts in the diagram are labelled NW, NW.com and NW.ag.
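The add-in service side of the SSO flow, as an added example that is not code from the deck or from the referenced SSO documentation: the add-in obtains a bootstrap token from Office through `Office.context.auth.getAccessTokenAsync` and posts it to its own service as a bearer token; the service checks the claims it can verify offline and then exchanges the token on-behalf-of the user for a Microsoft Graph token at the v2.0 token endpoint. The application id, client secret, tenant id and user values are placeholder assumptions, the audience is assumed to be the add-in's own Application Id, and the signature check is a marked stub that a real service must implement against the issuer's published keys.

```javascript
// Added example (not from the original deck or the SSO docs). All ids, secrets
// and the sample user are placeholders; signature verification is a stub.
const ADDIN_APP_ID = '11111111-1111-1111-1111-111111111111';   // placeholder: the add-in's Application Id
const ADDIN_CLIENT_SECRET = 'placeholder-client-secret';      // placeholder
const SAMPLE_TENANT = '22222222-2222-2222-2222-222222222222'; // placeholder tenant id
const V2_ISSUER_PREFIX = 'https://login.microsoftonline.com/'; // v2.0 issuer: .../{tid}/v2.0

function base64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Split a compact JWS into its parts without trusting any of them yet.
function decodeJwtUnverified(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return {
    header: JSON.parse(base64urlDecode(parts[0])),
    payload: JSON.parse(base64urlDecode(parts[1])),
    signature: parts[2],
  };
}

// Step 2 on the service: reject anything that is not a bootstrap token issued
// to THIS add-in. A Graph token or a token minted for another app has a
// different audience and must not be accepted, even if it is a valid AAD token.
function validateBootstrapToken(jwt, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwtUnverified(jwt);
  if (header.alg !== 'RS256') throw new Error(`unexpected alg ${header.alg}`);
  if (payload.aud !== ADDIN_APP_ID) throw new Error('audience is not this add-in');
  if (typeof payload.iss !== 'string' ||
      !payload.iss.startsWith(V2_ISSUER_PREFIX) || !payload.iss.endsWith('/v2.0')) {
    throw new Error('unexpected issuer');
  }
  if (typeof payload.exp !== 'number' || now >= payload.exp) throw new Error('token expired');
  if (typeof payload.nbf === 'number' && now < payload.nbf) throw new Error('token not yet valid');
  const scopes = typeof payload.scp === 'string' ? payload.scp.split(' ') : [];
  if (!scopes.includes('access_as_user')) throw new Error('missing access_as_user scope');
  // ASSUMPTION / stub: before trusting any claim above, a real service verifies
  // `signature` with the key whose kid matches header.kid from the issuer's JWKS
  // (https://login.microsoftonline.com/common/discovery/v2.0/keys).
  return payload;
}

// Step 3: on-behalf-of exchange. The validated bootstrap token becomes the
// `assertion`; the v2.0 token endpoint answers with a Graph access token for
// the same user, which the service (not the add-in) then presents to Graph.
function buildOboRequest(bootstrapToken, tenantId, graphScopes) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: ADDIN_APP_ID,
    client_secret: ADDIN_CLIENT_SECRET,
    assertion: bootstrapToken,
    scope: graphScopes.join(' '),
    requested_token_use: 'on_behalf_of',
  });
  return {
    url: `${V2_ISSUER_PREFIX}${tenantId}/oauth2/v2.0/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed sample bootstrap token for offline use: header and payload have
// the real shape, the signature is a dummy (the stub above does not check it).
function makeSampleToken(overrides = {}, now = Math.floor(Date.now() / 1000)) {
  const header = { typ: 'JWT', alg: 'RS256', kid: 'sample-kid' };
  const payload = Object.assign({
    aud: ADDIN_APP_ID,
    iss: `${V2_ISSUER_PREFIX}${SAMPLE_TENANT}/v2.0`,
    iat: now - 60, nbf: now - 60, exp: now + 3600,
    tid: SAMPLE_TENANT,
    scp: 'access_as_user',
    preferred_username: 'user@contoso.example', // placeholder user
    ver: '2.0',
  }, overrides);
  return [base64urlEncode(JSON.stringify(header)),
          base64urlEncode(JSON.stringify(payload)),
          base64urlEncode('not-a-real-signature')].join('.');
}
```

The Graph token returned by the OBO exchange stays on the service: the add-in only ever holds the bootstrap token, which is scoped to the add-in itself, so a compromised page cannot call Graph directly with it.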
References
MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Office-js-helpers: https://github.com/OfficeDev/office-js-helpers
Mail calendar app: https://github.com/OfficeDev/Interop-REST-Mail-Contacts-Calendar-Sample
SSO: https://github.com/OfficeDev/office-js-docs/blob/Addin_SSO_OpenSpec/reference/shared/office.context.auth.getAccessTokenAsync.md
https://dev.office.com/docs/add-ins/develop/sso-in-office-add-ins
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#daemon-or-server-application-to-web-api
Thank You! Questions?