Nothing Special   »   [go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exchange identity token - missing clarification(s) #4477

Open
ktvtrifork opened this issue Mar 21, 2024 · 6 comments
Open

Exchange identity token - missing clarification(s) #4477

ktvtrifork opened this issue Mar 21, 2024 · 6 comments
Assignees
Labels
Area: Outlook Feedback on Outlook content Needs: attention 👋 Waiting on Microsoft to provide feedback Type: discussion

Comments

@ktvtrifork
Copy link

Article URL
https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/inside-the-identity-token
(more precisely https://learn.microsoft.com/en-us/office/dev/add-ins/outlook/inside-the-identity-token#identity-token-payload )

Describe the problem
In the section "Identity-token-payload" there are an example of an issuer iss & the appctxsender . However based on the metadata and experimental observation (eg from on prem / o365) AND the example, it would seem that the iss (or appctxsender) is composed of 2 things. The first being the "unique identifier" of the exchange server as the documentation alludes to. The second part (following @) is the Tennent ID on O365 or the domain name for a onPrem exchange server.

Since this is also presented as such in the documentation, it would seem like that is expected, however nowhere in the documentation is this clearly stated. It is also not clear whenever appctxsender / iss is stable across multiple servers on the same domain.

So first and foremost is the format actually "id@{Tennent Id, domain name}"? if so that should be clearly stated. if not, then is this a fluke or subject to change etc.?

Second since the documentation states "A unique identifier for the Exchange server...", is this true for all servers pointing to the same domain / database?

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP label Mar 21, 2024
@AlexJerabek
Copy link
Collaborator

Hi @ktvtrifork,

Thank you for the questions. Can you please clarify your scenario for us? Are you trying to validate the token issuer?

Also, there are some changes coming to this token API. If you can wait a few days, we'll have a formal blog post detailing everything. That should answer all your questions and more.

Let me assign this issue to @besiler to follow up.

@AlexJerabek AlexJerabek added Area: Outlook Feedback on Outlook content Needs: attention 👋 Waiting on Microsoft to provide feedback Type: discussion and removed Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP labels Mar 22, 2024
@ktvtrifork
Copy link
Author

Hi @AlexJerabek,

Thanks for the quick reply :)

What we are trying to achieve is actually to validate that a given user comes from a known domain. With the twist that it should work for older outlook desktop clients as well as OnPrem (hybrid) and O365. which means that the only token we can get is the Exchange identity token, as that is supported all around and way back. Since the Exchange identity token does not include the users email in the claims, we would have to rely on something else. This is where (if stable) the last part (following the @ ) of the iss/appcontextsender is in question. If that is stable and follows the observed convention (to either be a TennentId or a domain name), then that would indeed be a valid way to validate whenever a given user belongs to a given domain.

I willl look forward to this new blog post, where will it be posted exactly? :)

@AlexJerabek
Copy link
Collaborator

Hi @ktvtrifork,

Thank you for the additional information. I'll have @besiler follow up.

The blog will be on the M365 Developer Bloghttps://devblogs.microsoft.com/microsoft365dev/), but I'll be sure to link to it from this issue.

@AlexJerabek
Copy link
Collaborator

Hi @ktvtrifork,

Here is the blog explaining the current state and future of Exchange tokens: https://devblogs.microsoft.com/microsoft365dev/new-nested-app-authentication-for-office-add-ins-legacy-exchange-tokens-off-by-default-in-october-2024/

Given that we are moving to Nested App Auth, I'd advise reworking your authentication logic to no longer use EWS tokens. @besiler and I are happy to answer further questions on this matter on that we've publicly announced NAA.

@AlexJerabek AlexJerabek added Needs: author feedback Waiting for author (creator) of Issue to provide more info and removed Needs: attention 👋 Waiting on Microsoft to provide feedback labels Apr 9, 2024
@ktvtrifork
Copy link
Author

Hi @AlexJerabek
Thanks a lot :)
Interesting, so if I'm getting this right, OnPrem stays the "same", but for office 365 NAA would be the solution, correct?

Which means that to support both OnPrem and office 365, we would need to implement both solutions. (NAA & Exchange identity tokens)

Which brings up the previous questions about the format of the Exchange identity token:

  1. is appctxsender composed of a "unique identifier"@domain ?
  2. is the "unique identifier" unique per exchange server or per domain?

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: attention 👋 Waiting on Microsoft to provide feedback and removed Needs: author feedback Waiting for author (creator) of Issue to provide more info labels Apr 10, 2024
@AlexJerabek
Copy link
Collaborator
AlexJerabek commented Apr 17, 2024

Hi @ktvtrifork,

Sorry for the delayed response in tracking down the answers to your questions. First, yes, your summary of the NAA update is accurate - On Prem stays the same.

is appctxsender composed of a "unique identifier"@Domain ?

Generally speaking, "Appctxsender" denotes what app created the "appctx". For the Exchange Identity Token this should be always "ExchangeAppID@Tenant", meaning Exchange itself created it in a particular deployment.

is the "unique identifier" unique per exchange server or per domain?

The unique identifier is a GUID, so you should be able to rely on it being unique. I will continue to try and verify this internally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: Outlook Feedback on Outlook content Needs: attention 👋 Waiting on Microsoft to provide feedback Type: discussion
Projects
None yet
Development

No branches or pull requests

3 participants