Authenticating to Microsoft Graph with a different audience using an Access Token from an Outlook Add-In
community!
I am trying to use Office.js' getAccessToken / getAccessTokenAsync to request an Access Token for using Microsoft Graph on behalf of the Outlook user using the add-in. In a C# server-side method I use DelegateAuthenticationProvider and ConfidentialClientApplicationBuilder.AcquireTokenOnBehalfOf() to request an AccessToken with Outlook's "BootstrapToken". This actually worked a few weeks back!
One problem I have is that the initial page that is opened by the add-in is not the same as the SPA and the backend API. This is because of URL params that are added to the URL by Outlook, which are blocked by the host, and I cannot change that easily. Because of this, I have an initial redirection inside the add-in to call the other URL.
Therefore the <Resource> URI in the add-in manifest is also different from the eventual API URI, as it has to match the initial page.
Now my backend started throwing exceptions with the message The user or administrator has not consented to use the application with ID '...' named '...'. Send an interactive authorization request for this user and resource.
The app registration has the relevant Graph permissions configured and granted by the administrator. This worked previously and I didn't notice any change there. Also, I tried calling up a user grant URI, after which the error was gone, but the AcquireTokenOnBehalfOf request from the backend just didn't get any response at all.
I tried to make basic calls with Postman which previously also worked with the token I got from Outlook, but they stopped working too, giving the error Access token validation failure. Invalid audience.
I decoded the token and another older one I still had and noticed that the new one has the full URI from the manifest's resource tag, while the old one only held a GUID as audience. Other attributes are different too, namely the scope is now only access_as_user instead of all the Graph permissions I declared in the manifest and app registration.
Was there any recent change made to the Office tokens that completely broke my scenario or is this just not possible?
I am grateful for any and all advice!