Menu
I'm working on build Office add-in with Adal.js for AAD integration. And my add-in requires some permissions.
When I open add-in in OneNote and try to call login from adal.js, it request login.microsoftonline.com and gives X-Frame-Option Deny error.
I think it's because office add-in running in iFrame, how can I workaround this?
login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&cl…nt-SKU=Js&x-client-Ver=1.0.13&nonce=ced03385-f1ca-4206-bb23-6c3e8338a0d2:1 Refused to display 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_…ient-SKU=Js&x-client-Ver=1.0.13&nonce=ced03385-f1ca-4206-bb23-6c3e8338a0d2' in a frame because it set 'X-Frame-Options' to 'DENY'.
450
You can also use the What If tool to troubleshoot Conditional Access policies. If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information will allow Microsoft support to find the specific event you're concerned about.
Sign-ins are logged with "Conditional Access: Not Applied" if the sign-in fails, but is logged with "Failure" only if an entered password is correct.
Authenticating with OAUTH flow within an office web add-ins is a known issue.The better explanation of the problem can be found here.
Due to the popularity of clickjacking on the internet, it is common to prevent login pages from being display inside frames. The X-FRAME-Options meta tag in HTML makes it easy for providers to implement this safeguard on a widespread or domain/origin-specific basis. Pages that are not “frameable” will not load consistently in an Office add-in
Therefore you need to rely on a popup mechanism. In one word, the authentication flow will be made on a popup to avoid iFraming problems.
The link above is a little bit outdated because it states that popup is a necessary evil. Microsoft awares of this problem proposed recently the dialogAPI to overcome this problem.
Let us get back to our Adal.js problem. I believe that you should stop using adal.js because it was not meant to be used in our add-in web context. Even if they implemented a popup technique. They do not use the dialogAPI when available.
You should try to take benefit of this dialogAPI when available otherwise you will hit many problems (deactivated popup, security regions etc.).
Your best option is to implement your own flow mechanism or use Office-js-helpers as explained in this response
191
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
