Challenges implementing PKCE flow in Outlook Add-In: handling Authorization Code and popup limitations

Suraj Sinha 5 Reputation points
2024-12-24T10:54:08.8433333+00:00

Hi Microsoft team,

I am currently working on implementing the OAuth 2.0 PKCE (Proof Key for Code Exchange) flow in a React.js-based Outlook Add-In, but I have an issue with opening a popup and getting the auth code back from the popup.

Scenario:

  1. In the PKCE flow, the /authorize endpoint is called with a code_challenge generated from a code_verifier. This step requires opening a new tab or popup to authenticate the user with their Microsoft credentials.
  2. Once the user successfully logs in, an authorization code is returned to the specified redirect_uri.
  3. This authorization code must then be exchanged for access and refresh tokens by calling the /token endpoint with the original code_verifier.

Problem:

In the context of an Outlook add-in:

  • The authorization step (/authorize) requires a new tab or popup.
  • The add-in does not seem to provide a straightforward way to retrieve or control the authorization code from the redirect_uri.
  • As the Outlook add-in does not have control over the popup that is raised/generated from the add-in, there is no exchange of data from the popup to the add-in.
  • As a result, I am unable to complete the flow by calling the /token endpoint, leaving the process incomplete.

What I Have Tried:

Manual PKCE Flow with Popup:

  • Opened a popup to call the /authorize endpoint.
  • Attempted to retrieve the authorization code from the redirect_uri, but due to the lack of control over the popup in the Outlook add-in, capturing the authorization code is not possible.

Questions:

  1. Is there a recommended approach to implement PKCE flow within an Outlook add-in, given the constraints mentioned above?
  2. How can the authorization code returned by the /authorize endpoint be captured securely and used to call the /token endpoint?

Additional Details:

  • PKCE parameters (code verifier and challenge) are being generated correctly, but the flow is incomplete due to the inability to handle the authorization code.

1 answer

  1. 2024-12-24T12:48:48.61+00:00

    Implementing OAuth 2.0 PKCE flow in an Outlook Add-In can be tricky, especially when handling authorization codes and popup limitations. It's important to ensure that you're securely capturing the authorization code from the redirect URI. You may want to consider reviewing how popups interact within the add-in environment, as it can sometimes cause issues in completing the flow. For more on securing your authentication processes and checking relevant records, you can also explore resources like Arrests-in.org for additional insights into background checks and criminal history.

