auth and your office app - interopevents.blob.core.windows.net… · office-js-helpers demo mail...

Auth and your Office App Tarun Chopra


Post on 16-Jun-2020


Page 1: Auth and your Office App - interopevents.blob.core.windows.net… · Office-Js-Helpers Demo Mail Calendar App accessing Graph MSAL(Microsoft Authentication Library) SSO Authentication

Auth and your Office App

Tarun Chopra

Page 2

Agenda

OAuth Fundamentals

MSAL: Mail Calendar .NET App accessing Graph

Demo

Office-js-Helpers: Outlook JS WebApp accessing Graph

Demo

Overview of Single Sign-on API (Preview)

Page 3

v2.0 Protocols – OAuth 2.0

OAuth (Open Authorization) is an open standard for token-based authentication and authorization. It is a standard that applications can use to provide client applications with ‘secure delegated access’. It is the protocol used by the Microsoft Graph API to get access to various workloads such as Exchange, OneDrive, and SharePoint.

[Diagram: OAuth Client (Native\Web App), Resource Server (REST API), Authorization Server (v2.0 endpoint), Resource Owner (End-User), Bearer Token]

The Authorization Server (AAD) is the identity provider. It is responsible for ensuring the user's identity, granting and revoking access to resources, and issuing tokens.

The Resource Owner is typically the end-user. It is the party that owns the data, and has the power to allow third parties to access that data, or resource.

The OAuth Client is your app, identified by its Application Id. It is the app that the end-user interacts with, and it requests tokens from the authorization server. The client must be granted permission to access the resource by the resource owner.

The Resource Server is where the resource or data resides. It trusts the Authorization Server to securely authenticate and authorize the OAuth Client, and uses Bearer access_tokens to ensure that access to a resource can be granted.

Page 4

Sequence Flow

[Sequence diagram: Application, Authorization Endpoint, Token Endpoint, Microsoft Graph API; MSAL/Office-Js-helpers]
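
The sequence flow on this slide (Application, Authorization Endpoint, Token Endpoint, Microsoft Graph API), seen from the OAuth Client, as an added example that is not from the original slides: it builds each request of the authorization code flow against the v2.0 endpoint and rejects a redirect whose state does not match. The Application Id, redirect URI and scopes are placeholders, and the PKCE parameters go beyond what the slides cover.

```javascript
// Added example, not from the slides. CLIENT_ID and REDIRECT_URI are placeholders.
const crypto = require('node:crypto');
const V2 = 'https://login.microsoftonline.com/common/oauth2/v2.0'; // v2.0 endpoint
const CLIENT_ID = '00000000-0000-0000-0000-000000000000';          // placeholder Application Id
const REDIRECT_URI = 'https://localhost:3000/callback';            // placeholder
const SCOPES = ['Mail.Read', 'Calendars.Read'];                    // assumed Graph scopes
const b64url = (buf) => buf.toString('base64url');

// 1. Application -> Authorization Endpoint: send the resource owner to sign in.
function startLogin() {
  const state = b64url(crypto.randomBytes(16));    // binds the redirect to this session
  const verifier = b64url(crypto.randomBytes(32)); // PKCE secret, sent only to the token endpoint
  const challenge = b64url(crypto.createHash('sha256').update(verifier).digest());
  const query = new URLSearchParams({
    client_id: CLIENT_ID, response_type: 'code', redirect_uri: REDIRECT_URI,
    scope: SCOPES.join(' '), state,
    code_challenge: challenge, code_challenge_method: 'S256',
  });
  return { url: `${V2}/authorize?${query}`, state, verifier };
}

// 2. Authorization Endpoint -> Application: accept the code only if state matches.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: redirect does not belong to this login');
  }
  const code = params.get('code');
  if (!code) throw new Error('redirect carried no authorization code');
  return code;
}

// 3. Application -> Token Endpoint: redeem the code (form-encoded POST body).
function tokenRequest(code, verifier) {
  const body = new URLSearchParams({
    client_id: CLIENT_ID, grant_type: 'authorization_code', code,
    redirect_uri: REDIRECT_URI, code_verifier: verifier,
  });
  return { url: `${V2}/token`, body: body.toString() };
}

// 4. Application -> Microsoft Graph API: present the bearer access token.
function graphRequest(accessToken) {
  return { url: 'https://graph.microsoft.com/v1.0/me/messages',
           headers: { Authorization: `Bearer ${accessToken}` } };
}
```

The state and PKCE verifier returned by `startLogin()` have to be kept with the user's session until the redirect arrives, since `readCallback()` and `tokenRequest()` need them.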

Page 5

Outlook WebApp accessing Graph: Office-Js-Helpers

Demo

Mail Calendar App accessing Graph: MSAL (Microsoft Authentication Library)

Page 6

SSO Authentication Overview

Page 7

Components in the Flow

[Diagram labels: "I have a dream.", Microsoft Graph, Azure Converged Endpoint, NW.com, NW.ag, NW, Office Store, Office Application, Add-in, Add-in Service]

Page 8

Components in the Flow

[Diagram: the same components, with Step 1 marked]

Page 9

Components in the Flow

[Diagram: the same components, with Step 1 and Step 2 marked]

Page 10

Components in the Flow

[Diagram: the same components, with Step 1, Step 2 and Step 3 marked]

Page 11

References

MSAL: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet

Office-js-helpers: https://github.com/OfficeDev/office-js-helpers

Mail calendar app: https://github.com/OfficeDev/Interop-REST-Mail-Contacts-Calendar-Sample

SSO: https://github.com/OfficeDev/office-js-docs/blob/Addin_SSO_OpenSpec/reference/shared/office.context.auth.getAccessTokenAsync.md

https://dev.office.com/docs/add-ins/develop/sso-in-office-add-ins

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#daemon-or-server-application-to-web-api

Page 12

Thank You! Questions?