Hi,
We are implementing a One Outlook plugin, but we have a security concern about the authentication. Referring to https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins, using Azure SSO we managed to get the JWT. From the JWT, we want to get the user's email address. The recommended key here is "preferred_username". In the response, it looks like that is the only key containing the user's email address.
We want to make sure that it is safe to use "preferred_username". We don't want any case where a One Outlook user somehow changes their email address and can then impersonate another user's email address. Referring to https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference, we found that "preferred_username" is mutable and is not recommended for authorization decisions.
We tried to find another way to get the user's email address securely, so we tried using the Microsoft Graph API. Referring to https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow, we exchanged the JWT for a Graph API token and called GET https://graph.microsoft.com/v1.0/me. We managed to get the user details, with "mail" containing the user's email address. But we cannot find any documentation confirming that this "mail" key is immutable. We found https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0, but that does not clearly explain whether the email address is immutable.
What is the best practice here? How to get the immutable user email address? Does Microsoft have any recommendation?
Thank you.