So, according to this Microsoft Learn page:
"You develop an add-in that accesses Microsoft Graph just as you would any other application that uses SSO. ...The difference is that it is mandatory that the add-in have a server-side Web API."
I'd like to learn more about this limitation. Is it really not possible to handle Graph API requests purely from the client side? I've only found libraries that simplify the development of a server-side solution, and all MS articles explain the procedure as:
It would be nice to leave out the server side and get the Microsoft Graph access token on the client. Does anyone have experience with this, or can explain why it is mandatory to have the server-side add-in?
Office add-ins provide callbacks (event handlers) for the actions made in the host applications. They are not static applications; they are not running all the time executing your code (except task panes). And we must add CORS here, which is an HTTP-header-based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
And the last point is a security one. The token will be stored on the client machine, which is available to other users/thieves. Microsoft doesn't recommend saving access tokens anywhere on the client side, while SSO allows retrieving the cached token from the host without displaying an authentication dialog box each time you request it.
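As an added example (not code from the question, the answer, or Microsoft's samples), here is the server-side half that the quoted Learn page makes mandatory, written for Node.js. The task pane obtains the SSO token with Office.auth.getAccessToken() and POSTs it as a bearer token to the add-in's own Web API; that Web API is the only place that holds the client secret needed for the on-behalf-of (OBO) exchange, so the Microsoft Graph token never reaches the browser. The parameter names and grant type are the ones documented for the Microsoft identity platform OBO flow; the registration values in CONFIG, the port, and the sample token are assumptions constructed for this example, and signature verification against the tenant's JWKS is skipped here because the example runs offline with an injected HTTP function instead of real network calls.

```javascript
// Added example, not part of the original post. Demonstrates why the Web API
// is needed: it keeps the client secret and the Graph token server-side and
// only returns Graph data to the task pane.

// Hypothetical registration values (assumptions, not real identifiers).
const CONFIG = {
  tenantId: 'contoso.onmicrosoft.com',
  clientId: '00000000-0000-0000-0000-000000000000',
  clientSecret: 'server-side-only-secret',  // never shipped to the browser
  appIdUri: 'api://localhost:3000/00000000-0000-0000-0000-000000000000',
};

function base64UrlDecode(segment) {
  const pad = '='.repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload of a compact JWS (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Claim checks the Web API performs before exchanging the SSO token. A real
// deployment must also verify the signature against the tenant's published
// keys; that is omitted here only because the example runs offline.
function validateSsoToken(token, expectedAudience, nowSeconds) {
  let claims;
  try { claims = decodeJwtPayload(token); } catch (e) { return { ok: false, reason: 'malformed' }; }
  if (claims.aud !== expectedAudience) return { ok: false, reason: 'audience mismatch' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Build the OBO request for the v2.0 token endpoint. The client secret is the
// reason this cannot be done from the task pane.
function buildOnBehalfOfRequest(config, ssoToken, graphScopes) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: config.clientId,
    client_secret: config.clientSecret,
    assertion: ssoToken,
    scope: graphScopes.join(' '),
    requested_token_use: 'on_behalf_of',
  });
  return {
    url: `https://login.microsoftonline.com/${config.tenantId}/oauth2/v2.0/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Web API handler: authorize the add-in's SSO token, exchange it for a Graph
// token, call Graph, and return only the Graph response. `http` is injected so
// the example runs without network access.
async function handleGraphProxy(authorizationHeader, nowSeconds, http) {
  const match = /^Bearer (.+)$/.exec(authorizationHeader || '');
  if (!match) return { status: 401, body: 'missing bearer token' };
  const result = validateSsoToken(match[1], CONFIG.appIdUri, nowSeconds);
  if (!result.ok) return { status: 401, body: result.reason };
  const oboRequest = buildOnBehalfOfRequest(CONFIG, match[1], ['https://graph.microsoft.com/User.Read']);
  const { access_token: graphToken } = await http(oboRequest);
  const me = await http({
    url: 'https://graph.microsoft.com/v1.0/me',
    method: 'GET',
    headers: { Authorization: `Bearer ${graphToken}` },
  });
  return { status: 200, body: me };  // Graph token stays on the server
}

// Constructed sample SSO token with a fake signature, for this example only.
function makeSampleSsoToken(audience, exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ aud: audience, exp, preferred_username: 'alice@contoso.com' }));
  return `${header}.${payload}.${base64UrlEncode('fake-signature')}`;
}
```

The audience check matters: the token the task pane receives from Office.auth.getAccessToken() is issued for the add-in's own application ID URI, not for Graph, which is exactly why it has to be exchanged on the server and why a Graph token would have nowhere safe to live in the browser.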