ms-word office365 office-js office-addins word-web-addins

How to securely store data in MS Office Add-In


In my Office Add-In for Word I have an auth flow. I reuse my login page from an existing web-service using Office.context.ui.displayDialogAsync and pass back to the task pane a token using Office.context.ui.messageParent.

Now I wonder where I can securely store the token on the add-in side for further use. What is a safe way to store the token for both Office options, desktop and web? Can I simply use localStorage or a cookie so that the next time the Word app or page is opened the user won't need to log in again (if the token is not expired, of course)? Is the add-in environment isolated enough?


Solution

  • Use techniques provided by the underlying browser control: browser cookies, or HTML5 web storage (localStorage or sessionStorage).

    LocalStorage is "per-website storage" provided by the browser; more precisely, for a given browser and for the same domain, you can access the values in LocalStorage.

    An example of LocalStorage usage would be if you have a web application that is served from the same domain but is not the add-in. Then, for the same browser, LocalStorage can be used to share things like token authentication, etc.

    For example, you could also use SSO to obtain the user identity, and then save the user ID and their settings to an online database.
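An added example, not part of the original answer: an expiry-aware token cache over a Web Storage-like object, which in the task pane would be `window.localStorage`. Because any script running on the same domain can read the stored value, the cache enforces the expiry on every read and deletes expired or malformed entries. `TOKEN_KEY`, the function names and the 30-second skew are hypothetical choices for illustration, not Office.js APIs.

```javascript
// Added example: names below are hypothetical, not part of Office.js.
const TOKEN_KEY = "addin.auth.token";

function saveToken(storage, token, expiresAtMs) {
  try {
    storage.setItem(TOKEN_KEY, JSON.stringify({ token, expiresAtMs }));
    return true;
  } catch (e) {
    return false; // storage disabled or full: caller falls back to a fresh login
  }
}

function clearToken(storage) {
  try { storage.removeItem(TOKEN_KEY); } catch (e) { /* nothing to clear */ }
}

// Returns the token string, or null when absent, expired, malformed or unreadable.
function loadToken(storage, nowMs = Date.now(), skewMs = 30000) {
  let entry = null;
  try {
    const raw = storage.getItem(TOKEN_KEY);
    if (raw == null) return null;
    entry = JSON.parse(raw);
  } catch (e) {
    entry = null; // unreadable storage or malformed JSON
  }
  const valid =
    entry !== null && typeof entry === "object" &&
    typeof entry.token === "string" && entry.token.length > 0 &&
    Number.isFinite(entry.expiresAtMs) &&
    entry.expiresAtMs - skewMs > nowMs; // treat nearly expired as expired
  if (!valid) {
    clearToken(storage); // do not leave stale credentials behind
    return null;
  }
  return entry.token;
}

// Constructed in-memory stand-in for localStorage so the example runs offline.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

When `loadToken` returns null, the add-in reopens the login dialog and calls `saveToken` with the new token and its expiry time.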