Comments (5)
Company C doesn't control the registration, and Company A defined the redirect URIs, so redirection of auth requests containing the response will go to where company A defined - company A webservices hosting the add-in. The Entra ID docs and information would be the best resource for learning more about that part of the platform. I've linked to an Entra ID article that may be of help about security with many best practices: https://learn.microsoft.com/en-us/entra/identity-platform/security-best-practices-for-app-registration
I'm going to close this issue, but feel free to re-open if needed.
from office-js.
@glr0221 Thanks for your questions. Tagging @mattgeim to take a look.
Thanks.
There should be no issues with this - there are a few paths, which both end up being the same (admin consent):
1. The developer can construct an admin-consent URL and share it - more docs here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent
2. If the add-in is being deployed by the admin, which in your example above is the case, there is a link that will be provided in that experience that goes to the admin consent experience.
In both 1 and 2, the consent would be done using the .default scope, which uses the scopes listed in the app registration on Entra. You can read more about that here: https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-default-scope
Feel free to close this issue if this answers your question, @glr0221 - or let us know how we can help clarify / additional details if we did not.
Thanks!
Thank you @mattgeim . Looks like option 1 is the route for me. I still need to test then get back to you as soon as possible. Thank you again.
@mattgeim in a totally different subject, is it possible, that the application ID be abused? For example, consider the following case :
- Company A creates an addin and then registers default permissions for the app in Azure.
- Company B installs the addin and then consents to the default permissions for everyone in his or her organization.
- Malicious Company C then creates a different addin, uses the msal-browser library and uses the entra ID registered by Company A.
- Company D then installs Company C's malicious addin, thinking it is Company A's addin. They consent to the permissions because the permission splash screen shows the name of Company A's addin.
Is the above flow possible? How does the entra/azure id registration link up with the actual addin it is supposed to work with?
Thank you very much.