Challenges implementing PKCE flow in Outlook Add-In: handling Authorization Code and popup limitations

Suraj Sinha 5 Reputation points
2024-12-24T10:54:08.8433333+00:00

Hi Microsoft team,

I am currently working on implementing OAuth 2.0 PKCE (Proof Key for Code Exchange) flow in a React.js-based Outlook Add-In. But I have an issue while opening a popup and getting the auth-code from the popup.

Scenario:

  1. In the PKCE flow, the /authorize endpoint is called with a code_challenge generated from a code_verifier. This step requires opening a new tab or popup to authenticate the user with their Microsoft credentials.
  2. Once the user successfully logs in, an authorization code is returned to the specified redirect_uri.
  3. This authorization code must then be exchanged for access and refresh tokens by calling the /token endpoint with the original code_verifier.

Problem:

In the context of an Outlook add-in:

  • The authorization step (/authorize) requires a new tab or popup.
  • The add-in does not seem to provide a straightforward way to retrieve or control the authorization code from the redirect_uri.
  • As outlook add-in do not have control over the popup which is raised/generated from add-in, and no exchange of data from popup to add-in.
  • As a result, I am unable to complete the flow by calling the /token endpoint, leaving the process incomplete.

What I Have Tried:

Manual PKCE Flow with Popup:

  • Opened a popup to call the /authorize endpoint.
  • Attempted to retrieve the authorization code from the redirect_uri, but due to the lack of control over the popup in the Outlook add-in, capturing the authorization code is not possible.

Questions:

  1. Is there a recommended approach to implement PKCE flow within an Outlook add-in, given the constraints mentioned above?
  2. How can the authorization code returned by the /authorize endpoint be captured securely and used to call the /token endpoint?

Additional Details:

  • PKCE parameters (code verifier and challenge) are being generated correctly, but the flow is incomplete due to the inability to handle the authorization code.
Outlook
Outlook
A family of Microsoft email and calendar products.
4,308 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,783 questions
Outlook Management
Outlook Management
Outlook: A family of Microsoft email and calendar products.Management: The act or process of organizing, handling, directing or controlling something.
5,398 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.