
NAA fails with a "ServerError" in Mac #5209

Status: Open. barclayadam opened this issue Dec 18, 2024 · 5 comments
Labels

  • Area: authentication (Issue related to authentication)
  • Area: Outlook (Issue related to Outlook add-ins)
  • Needs: author feedback (Waiting for author (creator) of Issue to provide more info)
  • Status: no recent activity (Issue or PR is stale (no recent activity))

Comments

@barclayadam

Using NAA on a Mac results in an error being thrown that provides no useful information:

16:35:59 [messageCompose] [DBG] NestedAppAuth is supported, attempting to acquire token using 3.26
16:35:59 [messageCompose] [INF] [Wed, 18 Dec 2024 16:35:59 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true
16:35:59 [messageCompose] [DBG] [Wed, 18 Dec 2024 16:35:59 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
16:35:59 [messageCompose] [DBG] [Wed, 18 Dec 2024 16:35:59 GMT] : [] : @azure/[email protected] : Verbose - getAccount: No matching account found, returning null
16:35:59 [messageCompose] [DBG] [Wed, 18 Dec 2024 16:35:59 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: No account passed, active account not set
16:35:59 [messageCompose] [ERR] Unable to acquire token silently: {"errorCode":"","errorMessage":"","subError":"","name":"ServerError"}
16:36:08 [messageCompose] [ERR] Unable to acquire NAA token interactively: {"errorCode":"","errorMessage":"","subError":"","name":"ServerError"}

Those logs above are from our add-in, which works in OWA, New Outlook and the Classic Outlook task pane (#5208 is a different NAA-related issue).

Because the failure appears to be server-side, the user will constantly see a popup dialog that never works; we fall back to legacy tokens (for now), and the cycle starts again.

In addition to fixing this bug, any recommendations for handling a situation like this, when NAA simply does not work at all? How should we skip this bad user experience?

Your Environment

  • Platform: Mac
  • Host: Outlook
  • Office version number: 16.92.1027.0
  • Operating System: Mac Sonoma 14.4

Expected behavior

NAA works in Mac

Current behavior

As per description above we get a "ServerError" with no further diagnostic information when attempting to acquire a token.

Steps to reproduce

The below code is how we attempt to acquire a token. This code works on other platforms.

// Imports the snippet relies on (MSAL.js v3 public API). `logger` and
// process.env.PUBLIC_ENTRA_APP_ID are the add-in's own; `Office` is the
// Office.js global.
import { createNestablePublicClientApplication, LogLevel } from '@azure/msal-browser';
import type { IPublicClientApplication } from '@azure/msal-browser';

async function tryCreatePublicClientApplication(): Promise<IPublicClientApplication | undefined> {
    if (process.env.PUBLIC_ENTRA_APP_ID === undefined) {
        logger.warn('PUBLIC_ENTRA_APP_ID is not set');

        return undefined;
    }

    try {
        // NAA-capable PCA: MSAL talks to the host (Outlook) over the
        // Nested App Auth bridge instead of opening its own auth frame.
        return await createNestablePublicClientApplication({
            auth: {
                clientId: process.env.PUBLIC_ENTRA_APP_ID,
                authority: 'https://login.microsoftonline.com/organizations',
            },

            system: {
                loggerOptions: {
                    logLevel: LogLevel.Verbose,

                    // PII in MSAL logs is only acceptable in local development.
                    piiLoggingEnabled: process.env.NODE_ENV === 'development',

                    loggerCallback: (logLevel, message) => {
                        switch (logLevel) {
                            case LogLevel.Error:
                                logger.error(message);
                                break;

                            case LogLevel.Warning:
                                logger.warn(message);
                                break;

                            case LogLevel.Info:
                                logger.info(message);
                                break;

                            case LogLevel.Verbose:
                                logger.debug(message);
                                break;
                        }
                    },
                },
            },
        });
    } catch (err) {
        logger.error('Unable to create NAA application: %e', err);

        return undefined;
    }
}

async function getNaaToken(): Promise<string | undefined> {
    if (!Office.context.requirements.isSetSupported('NestedAppAuth', '1.1')) {
        logger.info('NestedAppAuth is not supported');

        return undefined;
    }

    logger.debug('NestedAppAuth is supported, attempting to acquire token using 3.26');

    const pca = await tryCreatePublicClientApplication();

    if (pca === undefined) {
        return undefined;
    }

    // Only OIDC scopes are requested here; this is the request that fails on Mac.
    const tokenRequest = {
        scopes: ['openid', 'profile'],
    };

    try {
        const userAccount = await pca.acquireTokenSilent(tokenRequest);

        logger.debug('Successfully acquired token silently');

        return userAccount.idToken;
    } catch (error) {
        logger.error(`Unable to acquire token silently: %o`, error);
    }

    // Acquire token silent failure. Send an interactive request via popup.
    try {
        const userAccount = await pca.acquireTokenPopup(tokenRequest);

        logger.debug('Successfully acquired token interactively');

        return userAccount.idToken;
    } catch (popupError) {
        logger.error(`Unable to acquire NAA token interactively: %o`, popupError);
    }

    // Log error if both silent and popup requests failed.
    logger.error('Unable to acquire NAA access token. Will fallback to using getUserIdentityTokenAsync');

    return undefined;
}

@davidchesnut
Member

Hi @barclayadam,

You need to request at least one Microsoft Graph scope or a scope to your own resource. You only listed openid and profile. These are for the ID token, but you also need to request scopes for an access token. You may see this request work on some platforms, but it won't work on all. MSAL requires you to request an access token. For more info, see the FAQ tokens section.

Cheers,
David

@barclayadam
Author

Thank you for your response @davidchesnut, I'm looking into this now. I have no need for any Graph scopes, this is purely for identifying the user so looks like I need to go the custom API scope route.

This does bring up a few bigger issues that I seem to keep running into with Outlook add-ins:

  • The vagueness of documentation. That FAQ says "the request can fail", when actually you mean "The request will fail", but only in some scenarios. Why are these scenarios not documented?
  • The lack of consistency across Outlook clients. This brings up memories of cross-browser development many years ago. Each platform is slightly different, so you can have no confidence that an add-in will work from platform to platform. If requesting no Graph token results in a hard failure in one place, make it hard fail everywhere.
  • Poor error messages. The number of times an error has resulted in useless codes like "ServerError" or "InternalError" with absolutely nothing extra, no indication of the problem.

These problems sap development and testing time, making working with Outlook add-ins at times frustrating and really unproductive.

@barclayadam
Author

Hi @davidchesnut,

Can I skip the consent popup in any way? Right now all of our installs across tens of thousands of users authenticate completely silently.

With the change to NAA we will suddenly be popping up a window, without warning (most of our user base would have, in essence, no idea we even exist as an add-in as we silently provide them a signature) asking for consent.

When using the "other" SSO method, we could pre-authorize the Outlook client application to avoid the need for consent, but it appears that, as the request is now actually made for our own application, this would not be possible.

@davidchesnut
Member

Hi @barclayadam,

Yes you can get admin consent up front and that way users won't get prompted. We just published an article on different ways to get admin consent here: Publish an add-in that requires admin consent for Microsoft Graph scopes.

For error handling in MSAL.js I recommend taking a look at Handle errors and exceptions in MSAL.js. There's good info about getting to the additional details of an error.

Thanks for the feedback! I encourage you to share this feedback in the https://github.com/AzureAD/microsoft-authentication-library-for-js repo for the msal-browser team to see.

Thanks!
David
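The two practical points in this thread are that an NAA request needs a resource scope (Graph or the add-in's own API) in addition to openid/profile, and that the add-in should stop re-prompting once NAA has failed in a way a popup cannot fix. The block below is an added example by the editor, not code from the issue author, Office.js or MSAL.js: it validates the scope list, triages MSAL-style errors (the structural types mirror only the public AuthError fields name/errorCode/errorMessage/subError and the two PCA calls the add-in uses, so it runs without the library), and wraps the silent/popup sequence in a session gate that falls back to the legacy token after the first non-interactive failure instead of looping the dialog. The scope name access_as_user and the session-gate policy are assumptions, not documented Microsoft guidance; adjust the scope to your app registration.

```typescript
// Added example, not code from the issue author, Office.js or MSAL.js.
// Structural types mirror the public fields of MSAL's AuthError
// (name, errorCode, errorMessage, subError) and the two PCA calls the
// add-in uses, so the logic runs without the library installed.
interface AuthResultLike { idToken: string; accessToken: string; scopes: string[] }
interface AuthErrorLike { name: string; errorCode: string; errorMessage: string; subError: string }
interface TokenRequest { scopes: string[] }
interface PcaLike {
  acquireTokenSilent(req: TokenRequest): Promise<AuthResultLike>;
  acquireTokenPopup(req: TokenRequest): Promise<AuthResultLike>;
}

// Pure OIDC scopes only produce an ID token; MSAL/NAA also needs a resource
// scope (Graph or the add-in's own API) so that an access token can be issued.
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

function hasResourceScope(scopes: string[]): boolean {
  return scopes.some((s) => !OIDC_SCOPES.has(s.toLowerCase()));
}

// Guarantee a resource scope. The default is the add-in's own exposed API
// scope; "access_as_user" is an assumed scope name (adjust to your registration).
function buildTokenRequest(clientId: string, scopes: string[] = ['openid', 'profile']): TokenRequest {
  const out = [...scopes];
  if (!hasResourceScope(out)) out.push(`api://${clientId}/access_as_user`);
  return { scopes: out };
}

// Only InteractionRequiredAuthError is fixable by prompting the user; a bare
// ServerError with an empty errorCode will not get better by opening a window.
function shouldPrompt(err: unknown): boolean {
  return (err as Partial<AuthErrorLike> | null)?.name === 'InteractionRequiredAuthError';
}

// Render the AuthError fields so an empty ServerError is logged as exactly that.
function describeError(err: unknown): string {
  const e: Partial<AuthErrorLike> = (err as Partial<AuthErrorLike> | null) ?? {};
  const sub = e.subError ? ` (${e.subError})` : '';
  return `${e.name ?? 'UnknownError'}: ${e.errorCode || '<empty errorCode>'} - ${e.errorMessage || '<empty errorMessage>'}${sub}`;
}

type NaaOutcome = { kind: 'token'; idToken: string } | { kind: 'fallback'; reason: string };

// Session-scoped gate (assumed policy): the first NAA failure that a prompt
// cannot fix disables NAA until the add-in reloads, so the caller falls back
// to the legacy token once instead of re-prompting on every message compose.
class NaaGate {
  private disabledReason?: string;

  constructor(private readonly pca: PcaLike, private readonly request: TokenRequest) {}

  get isDisabled(): boolean { return this.disabledReason !== undefined; }

  async acquire(): Promise<NaaOutcome> {
    if (this.disabledReason !== undefined) return { kind: 'fallback', reason: this.disabledReason };
    try {
      const r = await this.pca.acquireTokenSilent(this.request);
      return { kind: 'token', idToken: r.idToken };
    } catch (err) {
      if (!shouldPrompt(err)) return this.disable(`silent: ${describeError(err)}`);
    }
    try {
      const r = await this.pca.acquireTokenPopup(this.request);
      return { kind: 'token', idToken: r.idToken };
    } catch (err) {
      // Covers user_cancelled as well as server failures: never loop the popup.
      return this.disable(`popup: ${describeError(err)}`);
    }
  }

  private disable(reason: string): NaaOutcome {
    this.disabledReason = reason;
    return { kind: 'fallback', reason };
  }
}
```

In the add-in, build the request once with buildTokenRequest(clientId) and keep a single NaaGate for the session; when acquire() returns a fallback outcome, call getUserIdentityTokenAsync and log the reason string, which will read "ServerError: <empty errorCode> - <empty errorMessage>" for the failure shown in this issue rather than an empty JSON object.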
