Challenges implementing PKCE flow in Outlook Add-In: handling Authorization Code and popup limitations
Suraj Sinha
Hi Microsoft team,
I am currently working on implementing the OAuth 2.0 PKCE (Proof Key for Code Exchange) flow in a React.js-based Outlook Add-In. However, I have an issue with opening a popup and getting the auth code back from it.
Scenario:
- In the PKCE flow, the `/authorize` endpoint is called with a `code_challenge` generated from a `code_verifier`. This step requires opening a new tab or popup to authenticate the user with their Microsoft credentials.
- Once the user successfully logs in, an authorization code is returned to the specified `redirect_uri`.
- This authorization code must then be exchanged for access and refresh tokens by calling the `/token` endpoint with the original `code_verifier`.
Problem:
In the context of an Outlook add-in:
- The authorization step (`/authorize`) requires a new tab or popup.
- The add-in does not seem to provide a straightforward way to retrieve or control the authorization code from the `redirect_uri`.
- Outlook add-ins do not have control over the popup that is raised from the add-in, and there is no exchange of data from the popup back to the add-in.
- As a result, I am unable to complete the flow by calling the `/token` endpoint, leaving the process incomplete.
What I Have Tried:
Manual PKCE Flow with Popup:
- Opened a popup to call the `/authorize` endpoint.
- Attempted to retrieve the authorization code from the `redirect_uri`, but due to the lack of control over the popup in the Outlook add-in, capturing the authorization code is not possible.
Questions:
- Is there a recommended approach to implement the PKCE flow within an Outlook add-in, given the constraints mentioned above?
- How can the authorization code returned by the `/authorize` endpoint be captured securely and used to call the `/token` endpoint?
Additional Details:
- PKCE parameters (code verifier and challenge) are being generated correctly, but the flow is incomplete due to the inability to handle the authorization code.