
"Get access on behalf of a user" for Outlook add-in


I was going through the documentation for Implement single sign-on to your service in an Outlook add-in, which talks about SSO sign-on for getting authorization. But as SSO token auth is in a preview-only state and the Exchange user identity token cannot be used for O365, I want to know if "Get access on behalf of a user" can be used in an Outlook add-in for accessing the MS Graph API?

I couldn't find any such documentation for Office add-ins using "Get access on behalf of a user".

Edit 1: I have been using getCallbackTokenAsync to call the Outlook Endpoint API from my add-in. But due to some unexpected behavior of the /attachment API, I'm planning to use the MS Graph API. My concern in the question is whether the "Get access on behalf of a user" authentication flow will work in the case of an add-in on Outlook Win32, Outlook Mac, Outlook Mobile, Outlook Web.


Solution

  • See the accepted answer to this post: 401 Unauthorized when trying to send emails from EWS Managed API

    In essence, if you absolutely need to use the Microsoft Graph, there are ways of doing that without using the SSO mechanism. You can use web-sockets and transmit the access token / refresh token.

    A Node.js configuration for this looks like:

    (In the web-app)

    1. Ask the user to click on a button, for authorizing your app to their account.
    2. Pop out the user to the OAuth login URL (and show a spinner).

    (on the webpage)

    1. Set up your redirect / reply URL in a way that once it receives the access token (or refresh token if you're using code authentication) it transmits it through the sockets to the user who initiated the sign-in. One way to ensure the mapping is to have a unique GUID put onto the web-app response (in the cookie or as an inline script).

    The EWS APIs (there's a method which allows you to make calls to EWS / makeEwsRequestAsync) are quite rich though.
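
The GUID-to-socket mapping described in the steps above, as an added example that is not part of the original answer: it issues an unguessable, single-use, expiring GUID per sign-in and delivers the token only to the socket that requested it. The names `SignInBroker` and `fakeSocket`, the socket shape (`open`, `send`), and carrying the GUID in the OAuth `state` parameter are assumptions of this example.

```javascript
// Added example: binds each OAuth sign-in attempt to the socket that started it.
const { randomUUID } = require('node:crypto');

class SignInBroker {
  constructor(ttlMs = 5 * 60 * 1000, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;            // injectable clock so expiry can be exercised
    this.pending = new Map();  // state GUID -> { socket, expires }
  }

  // Web-app side: the user clicked "authorize". The returned GUID is sent
  // as the OAuth `state` parameter of the login URL (assumption of this example).
  begin(socket) {
    const state = randomUUID(); // CSPRNG-backed, so it cannot be guessed
    this.pending.set(state, { socket, expires: this.now() + this.ttlMs });
    return state;
  }

  // Redirect/reply URL side: called after the token has been obtained.
  complete(state, tokens) {
    const entry = this.pending.get(state);
    this.pending.delete(state); // single use: a replayed redirect gets nothing
    if (!entry) return 'unknown_state';
    if (this.now() > entry.expires) return 'expired';
    if (!entry.socket.open) return 'socket_closed';
    // Only the access token goes over the socket; that is this example's choice.
    entry.socket.send(JSON.stringify({ type: 'signed_in', accessToken: tokens.accessToken }));
    return 'delivered';
  }
}

// Constructed stand-in for a WebSocket connection (hypothetical shape).
function fakeSocket() {
  return { open: true, sent: [], send(msg) { this.sent.push(msg); } };
}

function demo() {
  const broker = new SignInBroker();
  const alice = fakeSocket();
  const bob = fakeSocket();
  const state = broker.begin(alice);
  broker.begin(bob);
  const first = broker.complete(state, { accessToken: 'constructed-token' });
  const replay = broker.complete(state, { accessToken: 'constructed-token' });
  return { first, replay, aliceGot: alice.sent.length, bobGot: bob.sent.length };
}

console.log(demo());
```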