[Outlook](NAA) Sample showing how to pass user identity to network resource #924
Conversation
AlexJerabek
left a comment
Went until I got stuck. Please let me know what I'm missing for the Entra admin center.
| - Set **Supported account types** to **Accounts in this organizational directory only**. | ||
| - Select **Register**. | ||
|
|
||
| 1. In the app's registration screen, select the **Expose an API** blade to the left to open the page where you can publish the permission as an API for which client applications can obtain access tokens for. The first thing that we need to do is to declare the unique resource URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps: |
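Review bot: the step-1 sentence at the end of this hunk has grammar problems that will ship in the README: "an API for which client applications can obtain access tokens for" doubles "for", "an resource URI" should be "a resource URI", and "follow the following steps" repeats itself. Suggest: "to open the page where you publish the permissions that client applications request access tokens for. First, declare the unique Application ID URI that clients use to request access tokens for this API:".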
| Open the sample project in Visual Studio Code to configure the code. In the steps below, "ClientID" is the same as "Application ID" or "AppId". | ||
|
|
||
| 1. Open the API/server-helpers/authConfig.js file. | ||
| 1. Find the key `Enter_API_Application_Id_Here` and replace the existing value with the application ID (clientId) of Contoso-Web-API-Server app copied from the Microsoft Entra admin center. |
When did I go to the Microsoft Entra admin center and register something?
|
|
||
| All APIs must publish a minimum of one scope, also called Delegated Permission, for the client apps to obtain an access token for a user successfully. To publish a scope, follow these steps: | ||
|
|
||
| 1. Select **Add a scope** button open the **Add a scope** screen and Enter the values as indicated below: |
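Review bot: "Select **Add a scope** button open the **Add a scope** screen and Enter the values" is missing "the" and "to" and capitalises "Enter" mid-sentence; suggest "Select the **Add a scope** button to open the **Add a scope** screen, and enter the following values:".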
This list and the next one have different numbering styles. Let's pick one to be consistent.
Also, consider making the "Repeat" step Step 2. It'll make it more obvious that's an action, instead of information text.
Co-authored-by: Linda Cannon <lindalu@microsoft.com> Co-authored-by: Alex Jerabek <38896772+AlexJerabek@users.noreply.github.com>
| 1. In the **Redirect URI** section, enter the following redirect URIs: | ||
| 1. `http://localhost:3000` | ||
| 1. `http://localhost:3000/redirect` | ||
| 1. `brk-multihub://localhost:3000` |
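Review bot: all three redirect URIs in this hunk are localhost development values, but the step does not say so; suggest stating that they are for local testing and that a deployed add-in must register its https origin instead, since Microsoft Entra only accepts `http://` redirect URIs for localhost.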
lindalu-MSFT
left a comment
Looks good!
|
|
||
| Your scopes should appear as shown in the following screenshot. | ||
|
|
||
|  |
This screenshot should be under step 4, since the reader has already moved on from this pane in the app registrations.
| 1. In the task pane, enter a new task in the text box, and select **Add**. You can enter multiple tasks. | ||
| 1. Select **Get todo list** to get the task list. |
Co-authored-by: Alex Jerabek <38896772+AlexJerabek@users.noreply.github.com>
| const token = authHeader.split(" ")[1]; | ||
| req.token = token; | ||
| const validationOptions = { | ||
| audience: authConfig.credentials.clientID, // v2.0 token |
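Review bot: `const token = authHeader.split(" ")[1];` takes the second space-separated field without checking that the header is present or that the scheme is `Bearer`, so a missing header throws inside the middleware and a header such as `Basic xxx` is passed on to validation as if it were a bearer token; suggest guarding with `if (!authHeader || !authHeader.startsWith("Bearer ")) return res.status(401).send(...)` before the split.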
this doesn't seem to be validating issuer. Follow guidelines at https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validating-tokens, if this really is a single tenant application you can hardcode the issuer, else you need to include tenant id from the token.
fixed.
| /* global console */ | ||
|
|
||
| export const clientId = "Enter_Application_Client_Id_Here"; | ||
| export const msalConfig = { |
recommend to specify type as msalConfig: Configuration = {} for better intellisense.
done.
| } | ||
|
|
||
| // Put claims in the request object for downstream use. | ||
| req.authInfo = payload; |
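Review bot: `req.authInfo = payload;` hands the whole claim set to the controllers, so each controller has to decide for itself which claim identifies the user; suggest the middleware also sets a single `req.userId` taken from the `oid` claim (the stable per-user identifier within the tenant) rather than from `email` or `preferred_username`, which can change for the same account.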
you could also have this middleware add the userid to the request, so you have a single location that gets the user id
Nice! I added this change.
What's in this Pull Request?
Shows how to properly handle the identity token and claims in an Outlook task pane add-in (SPA). Replaces the old Exchange token pattern of sending the ID token to the server API. Instead, you use the access token, which contains the identity claims, for the server to manage a to-do database.
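As an added example (not code from the sample or from this PR), here is the shape of the server-side claim checks the review asked for: the `audience` check the sample already has, plus issuer validation that is either pinned for a single tenant or derived from the token's `tid` claim, and a middleware that sets a single `req.userId` from `oid`. Signature verification is assumed to be done by the JWT library before these checks; the tenant and client ids, the `makeUnsignedToken` helper and the placeholder `Bearer` handling are constructed for the demonstration.

```javascript
const ENTRA_V2_ISSUER_PREFIX = "https://login.microsoftonline.com/";

// Decode the payload of a compact JWS. No signature check here: that is the JWT
// library's job and is assumed to have passed before these claim checks run.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Single tenant: pin the issuer to the app's own tenant id. Multi tenant: derive
// it from the token's `tid` claim, as the review comment on validation-helper says.
function expectedIssuer(payload, tenantId) {
  const tid = tenantId ?? payload.tid;
  if (!/^[0-9a-f-]{36}$/i.test(tid ?? "")) throw new Error("missing or malformed tid");
  return `${ENTRA_V2_ISSUER_PREFIX}${tid}/v2.0`;
}

// Claim checks that complement the `audience` option already in the sample.
function validateClaims(payload, { clientId, tenantId, now = Math.floor(Date.now() / 1000) }) {
  if (payload.aud !== clientId) return { ok: false, reason: "audience mismatch" };
  if (payload.iss !== expectedIssuer(payload, tenantId)) return { ok: false, reason: "issuer mismatch" };
  if (typeof payload.exp !== "number" || payload.exp <= now) return { ok: false, reason: "expired" };
  // `oid` is the stable per-user identifier; email-like claims can change.
  if (typeof payload.oid !== "string") return { ok: false, reason: "missing oid" };
  return { ok: true, userId: payload.oid };
}

// Express-style middleware: one place that rejects bad tokens and sets req.userId,
// so controllers never parse the token themselves. `opts` is the object above.
function makeAuthMiddleware(opts) {
  return (req, res, next) => {
    const authHeader = req.headers?.authorization ?? "";
    if (!authHeader.startsWith("Bearer ")) return res.status(401).send("missing bearer token");
    const payload = decodePayload(authHeader.slice("Bearer ".length));
    const result = validateClaims(payload, opts);
    if (!result.ok) return res.status(401).send(result.reason);
    req.authInfo = payload; // full claims, as in the sample
    req.userId = result.userId;
    next();
  };
}

// Constructed, unsigned token for offline demonstration only (a real Entra token is RS256-signed).
function makeUnsignedToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(payload)}.`;
}
```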