I'm building an office.js excel addin.
I have code to try to get the auth info:
    Office.context.auth.getAccessTokenAsync(function (result) {
        if (result.status === "succeeded") {
            // Use this token to call Web API
            var ssoToken = result.value;
        } else {
            if (result.error.code === 13003) {
                // SSO is not supported for domain user accounts, only
                // work or school (Office 365) or Microsoft Account IDs.
            } else {
                // Handle error
            }
        }
    });
when doing this, I get back error 13004, with message "name = "Invalid application resource Url provided.""
my manifest contains:
    <WebApplicationInfo>
        <Id>a02210cd-88ac-4af6-b6cf-ee79006731c1</Id>
        <Resource>api://localhost:8001/a02210cd-88ac-4af6-b6cf-ee79006731c1</Resource>
    </WebApplicationInfo>
    </VersionOverrides>
I have created an addin app registration on: https://portal.azure.com that has that app id (I tried both 'native' type and 'web' type not being sure which applied to an office addin).
Several people pointed out correctly that the WebApplicationInfo.Resource must match the appId registered in your AD server.
But essentially ALL of my problems had to do with WHICH AD account to log in to (I have a personal account and a corporate account, and you use a different portal to access each), and how to set up the manifest on that AD account/application registration on https://portal.azure.com.
There are hundreds of knobs/variables to adjust, and virtually no feedback as to what they mean, or how to adjust them. So I will simply present a WORKING example someone else could use to get this working. I'm not really sure just which knobs/permissions matter.
Here is a working (subset of my application) manifest:
...
    <WebApplicationInfo>
        <Id>fc63fe86-d03c-4ae9-b520-373fcb386d40</Id>
        <Resource>api://localhost:8001/09c94a00-cad9-4af6-ac2c-cdb81a724f16</Resource>
        <Scopes>
            <Scope>Files.Read.All</Scope>
            <Scope>offline_access</Scope>
            <Scope>openid</Scope>
            <Scope>profile</Scope>
        </Scopes>
    </WebApplicationInfo>
Note - the 'id' above doesn't appear to matter, but the guid in the Resource MUST match the appid in the app you register. And the rest of the appID must match how you connect to the plugin (for now I just use localhost).
Use the portal https://portal.azure.com to create your app registration:
select "Azure Active Directory", select "App Registrations", create a new App registration ... most of the details probably don't matter because you will replace them all, but I selected type=web
Then you will want to download your manifest and DIFF it against this one, and keep making changes to your manifest until it matches this one (because of the use of GUIDs in the manifest you cannot simply replace).
    {
        "id": "1a225d9a-13f5-4ff6-a62d-bdbd819ef5e5",
        "acceptMappedClaims": null,
        "accessTokenAcceptedVersion": 2,
        "allowPublicClient": null,
        "appId": "09c94a00-cad9-4af6-ac2c-cdb81a724f16",
        "appRoles": [],
        "oauth2AllowUrlPathMatching": false,
        "createdDateTime": "2019-03-11T15:45:24Z",
        "groupMembershipClaims": null,
        "identifierUris": [
            "api://localhost:8001/09c94a00-cad9-4af6-ac2c-cdb81a724f16"
        ],
        "informationalUrls": {
            "termsOfService": null,
            "support": null,
            "privacy": null,
            "marketing": null
        },
        "keyCredentials": [],
        "knownClientApplications": [],
        "logoUrl": null,
        "logoutUrl": null,
        "name": "StackOverflowTest",
        "oauth2AllowIdTokenImplicitFlow": true,
        "oauth2AllowImplicitFlow": true,
        "oauth2Permissions": [
            {
                "adminConsentDescription": "consent to use plugin",
                "adminConsentDisplayName": "consent to use plugin",
                "id": "56b9c899-4e7f-47d3-a584-50ab695b164e",
                "isEnabled": true,
                "lang": null,
                "origin": "Application",
                "type": "User",
                "userConsentDescription": "consent to use plugin",
                "userConsentDisplayName": null,
                "value": "user_impersonation"
            }
        ],
        "oauth2RequirePostResponse": false,
        "optionalClaims": null,
        "orgRestrictions": [],
        "parentalControlSettings": {
            "countriesBlockedForMinors": [],
            "legalAgeGroupRule": "Allow"
        },
        "passwordCredentials": [],
        "preAuthorizedApplications": [
            {
                "appId": "57fb890c-0dab-4253-a5e0-7188c88b2bb4",
                "permissionIds": [
                    "56b9c899-4e7f-47d3-a584-50ab695b164e"
                ]
            },
            {
                "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
                "permissionIds": [
                    "56b9c899-4e7f-47d3-a584-50ab695b164e"
                ]
            },
            {
                "appId": "bc59ab01-8403-45c6-8796-ac3ef710b3e3",
                "permissionIds": [
                    "56b9c899-4e7f-47d3-a584-50ab695b164e"
                ]
            }
        ],
        "publisherDomain": "USENAMEFROMYOURDEFAULTGENERATEDAPPREGISRATION.onmicrosoft.com",
        "replyUrlsWithType": [
            {
                "url": "https://localhost:8001",
                "type": "Web"
            }
        ],
        "requiredResourceAccess": [
            {
                "resourceAppId": "00000003-0000-0000-c000-000000000000",
                "resourceAccess": [
                    {
                        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                        "type": "Scope"
                    }
                ]
            }
        ],
        "samlMetadataUrl": null,
        "signInUrl": null,
        "signInAudience": "AzureADMultipleOrgs",
        "tags": [],
        "tokenEncryptionKeyId": null
    }
Note - you cannot just COPY the critical requiredResourceAccess and preAuthorizedApplications sections. Instead, use the GUI in the AD app registration page, and go to the section "Expose an API". First add a scope with scope-name = 'user_impersonation'; and then add 3 Authorized client applications (assuming you want to support Excel desktop and Office Online) - 57fb890c-0dab-4253-a5e0-7188c88b2bb4, d3590ed6-52b3-4102-aeff-aad2292ab01c, bc59ab01-8403-45c6-8796-ac3ef710b3e3
That should produce sections in your manifest which are quite close to mine for preAuthorizedApplications.
And I'd like to give credit to the person who helped me figure all this out - Jim Barrett (https://stackoverflow.com/users/4114387/jim-barrett)
Best of luck!
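The answer above states the rules that must hold between the add-in manifest's `WebApplicationInfo` block and the Azure AD app registration: the GUID in `Resource` must equal the registration's `appId`, the rest of the `Resource` URI must match how the add-in is served, and the registration must expose a `user_impersonation` scope that the Office client applications are pre-authorized for. The following is an added example, not code from the question or the answer, that checks those rules offline against the two documents so a mismatch is caught before the add-in ever calls `getAccessTokenAsync`. The XML extraction is a deliberately minimal regex (enough for this element, not a general XML parser), the function names are my own, and the sample inputs are constructed from the values shown on the page, with a second registration whose `appId` has been altered to show a failing case.

```javascript
// Added example (not from the question or answer): an offline consistency check
// between an Office add-in manifest's <WebApplicationInfo> block and the Azure AD
// app-registration manifest JSON, enforcing the rules the answer states.

// Office client application IDs the answer lists as required pre-authorized clients.
const OFFICE_CLIENT_APP_IDS = [
  "57fb890c-0dab-4253-a5e0-7188c88b2bb4",
  "d3590ed6-52b3-4102-aeff-aad2292ab01c",
  "bc59ab01-8403-45c6-8796-ac3ef710b3e3",
];

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Minimal extraction of the WebApplicationInfo fields from the add-in manifest XML.
// A regex is sufficient here because the element carries no attributes and only
// nests <Scopes>/<Scope>; it is not a general XML parser.
function parseWebApplicationInfo(xml) {
  const block = xml.match(/<WebApplicationInfo>([\s\S]*?)<\/WebApplicationInfo>/);
  if (!block) throw new Error("manifest has no <WebApplicationInfo> element");
  const text = (tag) => {
    const m = block[1].match(new RegExp(`<${tag}>\\s*([^<]*?)\\s*</${tag}>`));
    return m ? m[1] : null;
  };
  const scopes = [...block[1].matchAll(/<Scope>\s*([^<]*?)\s*<\/Scope>/g)].map((m) => m[1]);
  return { id: text("Id"), resource: text("Resource"), scopes };
}

// Compare the add-in manifest with the app registration JSON and return a list of
// findings. An empty list means every rule the answer describes is satisfied.
function checkSsoConfig(addinManifestXml, appRegistration) {
  const findings = [];
  const info = parseWebApplicationInfo(addinManifestXml);

  // Rule 1: Resource must be api://<host>/<appId>, where appId is the registration's appId.
  const m = /^api:\/\/([^/]+)\/([^/]+)$/.exec(info.resource || "");
  if (!m) {
    findings.push(`Resource "${info.resource}" is not of the form api://<host>/<appId>`);
  } else {
    const [, host, guid] = m;
    if (!GUID_RE.test(guid)) findings.push(`Resource path "${guid}" is not a GUID`);
    else if (guid.toLowerCase() !== String(appRegistration.appId).toLowerCase())
      findings.push(`Resource GUID ${guid} does not match registration appId ${appRegistration.appId}`);
    // Rule 2: the registration must expose exactly that URI as an Application ID URI.
    const uris = (appRegistration.identifierUris || []).map((u) => u.toLowerCase());
    if (!uris.includes(info.resource.toLowerCase()))
      findings.push(`identifierUris does not contain ${info.resource}`);
    // Rule 3: the host part must match where the add-in is actually served (reply URL).
    const replyHosts = (appRegistration.replyUrlsWithType || []).map((r) => new URL(r.url).host);
    if (!replyHosts.includes(host))
      findings.push(`Resource host ${host} is not among reply URL hosts [${replyHosts.join(", ")}]`);
  }

  // Rule 4: an enabled delegated scope named user_impersonation must be exposed ...
  const scope = (appRegistration.oauth2Permissions || []).find(
    (p) => p.value === "user_impersonation" && p.isEnabled !== false
  );
  if (!scope) {
    findings.push("no enabled user_impersonation scope under oauth2Permissions");
  } else {
    // ... and each Office client application must be pre-authorized for that scope id.
    const pre = appRegistration.preAuthorizedApplications || [];
    for (const clientId of OFFICE_CLIENT_APP_IDS) {
      const entry = pre.find((p) => p.appId.toLowerCase() === clientId);
      if (!entry || !entry.permissionIds.includes(scope.id))
        findings.push(`Office client ${clientId} is not pre-authorized for scope ${scope.id}`);
    }
  }
  return findings;
}

// Constructed sample inputs echoing the values on the page (a subset of each document).
const GOOD_ADDIN_XML = `
<WebApplicationInfo>
  <Id>fc63fe86-d03c-4ae9-b520-373fcb386d40</Id>
  <Resource>api://localhost:8001/09c94a00-cad9-4af6-ac2c-cdb81a724f16</Resource>
  <Scopes><Scope>Files.Read.All</Scope><Scope>openid</Scope></Scopes>
</WebApplicationInfo>`;

const SCOPE_ID = "56b9c899-4e7f-47d3-a584-50ab695b164e";
const GOOD_REGISTRATION = {
  appId: "09c94a00-cad9-4af6-ac2c-cdb81a724f16",
  identifierUris: ["api://localhost:8001/09c94a00-cad9-4af6-ac2c-cdb81a724f16"],
  oauth2Permissions: [{ id: SCOPE_ID, isEnabled: true, type: "User", value: "user_impersonation" }],
  preAuthorizedApplications: OFFICE_CLIENT_APP_IDS.map((appId) => ({ appId, permissionIds: [SCOPE_ID] })),
  replyUrlsWithType: [{ url: "https://localhost:8001", type: "Web" }],
};

// Constructed failing case: a registration whose appId differs from the GUID in Resource,
// the mismatch the answer says was correctly pointed out to the asker.
const MISMATCHED_REGISTRATION = { ...GOOD_REGISTRATION, appId: "a02210cd-88ac-4af6-b6cf-ee79006731c1" };

console.log("good:", checkSsoConfig(GOOD_ADDIN_XML, GOOD_REGISTRATION));
console.log("mismatched:", checkSsoConfig(GOOD_ADDIN_XML, MISMATCHED_REGISTRATION));
```

Run it with Node against the add-in manifest and the JSON downloaded from the portal's "Manifest" blade; the `good` case prints an empty list and the `mismatched` case reports the `appId` mismatch. Because `identifierUris`, the reply URL host and the pre-authorized client list are all compared too, the check also flags the quieter misconfigurations the answer says had to be fixed through the "Expose an API" page rather than by copying JSON.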