oauth-2.0 office365 office-js excel-addins

Excel web addin authentication for AppSource


I am building an Excel Web Addin. I'll need to authenticate the user against Office 365 and publish the addin to AppSource / Office Store. What is the ideal authentication method to use?

I found tutorials for SSO authentication, but then I read on https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins : "The Single Sign-on API is currently supported in preview only. It is available to developers for experimentation; but it should not be used in a production add-in. In addition, add-ins that use SSO are not accepted in AppSource."

Does this mean SSO applications will still not be accepted to the Store? What authentication flow should I use then? I only need the user to sign in and access my Web API via this identity. If possible, the user shouldn't need to reenter their credentials. Is there a code sample I could follow to get this done?


Solution

  • AppSource is not accepting add-ins that use the preview SSO system at this time.

    To authenticate a user with a Microsoft Account or a Work or School (Office 365) account without SSO, the user will need to sign in again even if she or he is already logged into Office. Without the SSO system, the add-in has no way of knowing who is logged into Office, just as a web app open in a browser wouldn't know if Office is running on the machine or who is logged into it.

    (Your choice of flow might be affected by whether you have a single page app (SPA) or a server-generated UI. Since you mentioned you have a Web API, I'll assume this is not a SPA.)

    I don't know of any sample Office Add-ins that only authenticate the user; but there are a couple that log in the user and then use the Auth Code Flow to get an access token to Microsoft Graph.

    PowerPoint Add-in Microsoft Graph ASPNET InsertChart. The Office app is PowerPoint, but the auth-related code would be the same for Excel.

    Office Add-in Microsoft Graph ASPNET. This is nearly the same, but has Excel as the Office app. It's not polished. (See the Known Issues in the readme.)

    But please keep in mind that an Office add-in is just a web app and -- with one exception -- authorizing a user is the same in an add-in as it would be in any other web app. So, you should be able to use the samples in Azure AD Quickstarts.

    The one exception is that you have to open the AAD sign-in page in a special dialog window that is invoked with the Office.js displayDialogAsync API. The 2 samples I linked to above do this. You can get detailed guidance about using the Dialog for auth in the article Dialog API in Office Add-ins.

    BTW, Microsoft is in the process of improving its documentation and samples for non-SSO auth. We hope to get these improvements published over the next few weeks.
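
The dialog step the answer describes, as an added example (not from the answer or the linked Microsoft samples): the task pane opens the sign-in dialog with `displayDialogAsync`, binds the attempt to a random `state` value, and accepts the dialog's reply only if that value comes back unchanged. The `/login` start page, the JSON message shape and the injected `office` parameter are assumptions; the Office.js members used are those of the real Dialog API.

```javascript
// Added example. `startUrl`, the message shape and the injected `office`
// parameter are assumptions made for illustration.

// 128-bit random value that ties the dialog's reply to this sign-in attempt.
function newState(rng = globalThis.crypto) {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Validate the string the dialog page passed to Office.context.ui.messageParent().
// Assumed shape: {"status":"success"|"error","state":"...","error":"..."}.
// Tokens stay on the server; the dialog reports only the outcome.
function checkDialogMessage(raw, expectedState) {
  let msg;
  try { msg = JSON.parse(raw); } catch { throw new Error("malformed dialog message"); }
  if (!msg || msg.state !== expectedState) throw new Error("state mismatch");
  if (msg.status !== "success") throw new Error(`sign-in failed: ${msg.error ?? "unknown"}`);
  return msg;
}

// Call from the task pane as signIn(Office, "https://<your-addin-host>/login").
// The start page must be on the add-in's own domain; it redirects to AAD and
// round-trips `state` through the authorization request.
function signIn(office, startUrl, rng = globalThis.crypto) {
  const state = newState(rng);
  const url = `${startUrl}?state=${encodeURIComponent(state)}`;
  return new Promise((resolve, reject) => {
    office.context.ui.displayDialogAsync(url, { height: 60, width: 30 }, (result) => {
      if (result.status !== office.AsyncResultStatus.Succeeded) {
        return reject(new Error(`dialog failed to open: ${result.error.message}`));
      }
      const dialog = result.value;
      dialog.addEventHandler(office.EventType.DialogMessageReceived, (arg) => {
        dialog.close(); // one reply per attempt, valid or not
        try { resolve(checkDialogMessage(arg.message, state)); } catch (e) { reject(e); }
      });
      // Fires when the user closes the dialog or navigation fails; arg.error is a code.
      dialog.addEventHandler(office.EventType.DialogEventReceived, (arg) =>
        reject(new Error(`dialog closed or failed: ${arg.error}`)));
    });
  });
}
```

After `signIn` resolves, the task pane calls the Web API using the session the server established during the code exchange, so no token has to pass through the dialog message.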