Tags: office-js, office-addins, excel-addins

Office Js SSO - Identifying any valid office user using graph API


I am working on an Excel add-in using the Office JS APIs. I need to retrieve the information (email, name, etc.) of the user who is using Excel. For this I am following Microsoft's samples for SSO:

https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-nodejs

and

https://learn.microsoft.com/en-us/office/dev/add-ins/quickstarts/sso-quickstart

The application I'm using was generated with the Yeoman template "Office Add-in Task Pane project supporting single sign-on (localhost)". I have registered the app in Azure as instructed in the guidelines and put the necessary IDs into the configuration. The code works and I can retrieve the user info, but I have a point of confusion. I can only retrieve user info if I sign in to Excel with the same Office 365 user that I used to register the application in Azure. If the Excel user is a different account, it first shows the fallback auth UI, and then if I choose "Accept" it shows a second error UI with the following message:

"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope api://localhost:3000/{application GUID here}/access_as_user user.read openid profile offline_access is not valid. The scope format is invalid. Scope must be in a valid URI form https://example/scope or a valid Guid <guid/scope>."

This doesn't happen if I use the user that registered the app.

It is also worth mentioning that, according to Microsoft's guideline here, to test the SSO feature the Excel user should be from the same organization as the registering account:

"When Excel, Word, or PowerPoint opens when you run the previous command, make sure you're signed in with a user account that's a member of the same Microsoft 365 organization as the Microsoft 365 administrator account that you used to connect to Azure while configuring SSO in step 3 of the previous section. Doing so establishes the appropriate conditions for SSO to succeed."

My confusion is this: how would the code work for the different Office users who might use the add-in after deployment, if it is mandatory that the user be from the same organization as the user who registered the app? Am I missing something here? I expect to be able to identify any user via the Graph APIs, and the user could be any valid Office user.

Please note that this is still the development phase and I have not deployed the application to Azure yet. The problems I described occur when running the application from the dev server (localhost), so I'm not sure whether it would make any difference once actually deployed and used by people as an add-in.


Solution

  • Sorry, stupid silly error. I figured it out. I missed a configuration value (where I needed to put the client ID of the application) in the fallback auth JS file and was therefore messing up the scope URL altogether. After I fixed it I'm getting info for other users as well :) The world is back to normal again.
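The accepted answer traces AADSTS70011 to an unfilled client ID in the fallback-auth configuration. The following is an added example, not code from the original post or from Microsoft's Yeoman SSO template: it assembles the scope that the fallback dialog would request from the add-in's client ID, then pre-flights every scope against the format the error message describes (a URI such as https://resource/scope or api://resource/scope, or <guid>/<scope>) so the mistake is caught before the dialog ever opens. The `config` field names, the sample GUID and the assumption that the unreplaced placeholder literally read `{application GUID here}` are all constructed for the example.

```javascript
// Added example (not the original post's or the Yeoman template's code).
// Assumed config shape: { host, clientId, graphScopes, oidcScopes }.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// OpenID Connect scopes that Azure AD accepts as bare names.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Build the scope list the fallback dialog would request. The first entry is the
// access_as_user scope the add-in exposes in its Azure app registration; the rest
// are the Microsoft Graph and OIDC scopes from the configuration.
function buildFallbackScopes(config) {
  const clientId = (config.clientId || "").trim();
  const addinScope = `api://${config.host}/${clientId}/access_as_user`;
  return [addinScope, ...config.graphScopes, ...config.oidcScopes];
}

// Return null when `scope` has a shape Azure AD accepts, otherwise a reason string.
// This mirrors the formats named in AADSTS70011; it is a local sanity check, not
// Azure AD's own validator.
function scopeProblem(scope) {
  if (OIDC_SCOPES.has(scope.toLowerCase())) return null;
  // A bare permission name such as user.read is resolved against Microsoft Graph.
  if (/^[A-Za-z0-9_.]+$/.test(scope)) return null;
  // <guid>/<scope>
  const guidForm = scope.match(/^([^/]+)\/([A-Za-z0-9_.]+)$/);
  if (guidForm && GUID_RE.test(guidForm[1])) return null;
  // URI form: scheme://host[:port]/segment(/segment)*, every segment non-empty.
  // An empty client ID yields "api://host//access_as_user", which fails here.
  const uriForm = scope.match(/^(https|api):\/\/([^/\s]+)((?:\/[^/]+)+)$/);
  if (!uriForm) return `${JSON.stringify(scope)} is neither a URI scope nor <guid>/<scope>`;
  for (const seg of uriForm[3].slice(1).split("/")) {
    // Braces and spaces (as in an unreplaced placeholder) are not valid URI path characters.
    if (!/^[A-Za-z0-9._~-]+$/.test(seg)) {
      return `path segment ${JSON.stringify(seg)} contains characters a scope URI cannot hold`;
    }
  }
  return null;
}

// Pre-flight the fallback configuration. Returns every problem found; an empty
// array means the request is well-formed (it says nothing about user consent).
function checkFallbackConfig(config) {
  const problems = [];
  const clientId = (config.clientId || "").trim();
  if (!GUID_RE.test(clientId)) {
    problems.push(
      `clientId ${JSON.stringify(clientId)} is not an application (client) ID GUID; ` +
        "the template placeholder was probably not replaced"
    );
  }
  for (const scope of buildFallbackScopes(config)) {
    const problem = scopeProblem(scope);
    if (problem) problems.push(problem);
  }
  return problems;
}

// Constructed sample configurations; the GUID is made up for the example.
const SAMPLE_GUID = "11111111-2222-3333-4444-555555555555";
const baseConfig = {
  host: "localhost:3000",
  graphScopes: ["user.read"],
  oidcScopes: ["openid", "profile", "offline_access"],
};
const unfilledConfig = { ...baseConfig, clientId: "{application GUID here}" };
const filledConfig = { ...baseConfig, clientId: SAMPLE_GUID };

console.log("unfilled:", checkFallbackConfig(unfilledConfig));
console.log("filled:", checkFallbackConfig(filledConfig));
```

Running this on the unfilled configuration reports two problems (a non-GUID client ID and an access_as_user scope whose path segment holds braces and spaces), while the filled configuration reports none; the same check catches an empty client ID, which produces a double slash in the scope URI. A check like this belongs in the fallback dialog's startup path, before the MSAL request is built, so that a misconfiguration surfaces as a clear local error instead of an AADSTS message shown to the end user.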