When we use the Office.context.mailbox.item.addFileAttachmentAsync, Outlook will often prompt for a credential - there appears to be no request on the line at that moment (i.e. not spurred by a 401). If we cancel, no ill effect occurs. Our files are served from a web service that is "anonymous", and we pass a one-time-use key on the URL. I'm not sure why Outlook is prompting at all....
In our current configuration we are not seeing any more prompts for authentication. We respond with 200 OK, no body, on both HEAD and OPTIONS (in the HEAD response we provide the content length of expected response, in the OPTIONS response we provide the content length of 0). The authentication settings of our IIS web app is anonymous and Windows enabled. I am running Outlook 2013 and also seeing a lot of PROPFINDs, which IIS is responding with 405 Not Implemented. This solution won't help if you are using a file service that is outside of your control.
Related
I am trying to run Microsoft's sample code for implementing Azure AD B2C authentication.
The codebase can be found here:
https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp/blob/master/index.html
I modified the code so as shown in the following gist. The main change is that instead of using the Msal.UserAgentApplication object's loginPopup() method, I am using loginRedirect() (for the better user experience)
https://gist.github.com/ttchuah/6718e268a235a3206968b36d748fd369
Here is what happens when I run the code.
I see the index.html page as expected.
I click the login button, get redirected to the Microsoft login page, where I can see the option to do a social login via Google.
I log in through Google and get redirected back to my index.html page.
At this point, the "authCallback()" function fires.
In Chrome, I get the following console error. Any ideas why?
Refused to display 'https://accounts.google.com/o/oauth2/auth?client_id=903295266285-78au30g3bsmt8q1phvfqqu65c58kp35i.apps.googleusercontent.com&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fte%2fdv0dop000devaad000.onmicrosoft.com%2foauth2%2fauthresp&response_type=code&scope=email+profile&state=StateProperties%3deyJTSUQiOiJ4LW1zLWNwaW0tcmM6OGM1YTQwNDQtNGYyYi00ZTJmLTgyMmUtYjU2ZjRkMWU4ZWU2IiwiVElEIjoiMDBmZjUzOTctNjYxZC00NDY4LWFlODktNzlkOThlMmEwMzI0In0' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The same error does not happen in FireFox or Safari. For those browsers, I am able to get an auth token back without issue.
The X-Frame-Options header is a security measurement against clickjacking, the thing is, not all browsers have an implementation that takes that header into consideration when processing a returned response (see X-Frame-Options on MDN).
Long story short, Chrome will block any response processing that doesn't have a matching allow-from value in the X-Frame-Options header from rendering in a frame, iframe or object element.
Hope it helps!
It does not help with B2C, but Okta, Auth0, and OneLogin have iframe-options set out of box, as well as same-site for cookies ...
I am working on an Outlook mail app, which will be available to user on web only (not of outlook desktop).
A file need to be uploaded from app to azure via custom control in compose form of App, meanwhile the file is uploaded to Azure user should not be able to close the mail. If they try to do so, a warning should be given to them.
Adding to #Slava's answer, I would suggest using addAsync API for notification messages. You can add a notification of type progress indicator until your task is complete and replace it with a notification of type informational message.
Click here for reference
Unfortunately Office.js API does not have the feature you are inquiring. You will not be able to disallow user interaction, as such closing the compose window or closing your add-in. As the API doesn't have "OnSend" or "OnClose" events you will not be able to display any warning either. If this is the new feature you would like to add you may try to send request via Office Developers User Voice.
As the work around you should clearly indicate for the users that they need to wait and do not interup operation. You should display activity indicator, indeed. And finally you should be prepare user still interupt the operation in the middle and work properly with the error occur.
Hope this helps.
I have a link on my web-page which automatically logs in through a generic username/password for the purposes of a demo, eg :
https://username:password#www.example.com
A dialog box shows up which says "You are now logging in as username. Is this correct?"
How can I remove this dialog to allow me to log into this web-page as cleanly as possible?
I've considered using JS to resolve the issue but there must be a simpler way?
Thanks
You are using http basic authentication which is a protocol that is a part of http. The username and password is sent to the web server and verified before your web page is loaded.
It is not the web page that creates this dialog, but your browser. It will be different for different browsers. Firefox creates a confirmation message when you provide the username and password in the address bar. Chrome will not create this confirmation message.
A javascript or any other kind of functionality in your web page would not be able to remove this message. The reason for this is that the message is created by the browser before the web page is actually loaded.
I am getting this error:
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: Invalid redirect_uri: Given URL is not allowed by the Application configuration.
When browsing to this page.
https://www.facebook.com/dialog/oauth?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback&scope=email%2Cuser_about_me&client_id=clientid&type=web_server
I ofcourse googled around and found this topic:
Facebook API error 191
It says that add your page URL to facebook. I have been going through all tabs in facebook under my created App and there is no input box for page URL.
I also see that this answer is from early 2012 and possibly outdated, how should it be done in 2013?
If you go to "http://developers.facebook.com" you should be able to login, click on "Apps" at the top. From there you can click on "Edit Settings" for the app that you are testing (or creating). I took a screen shot of what that looks like:
My guess is there is an error in the field "App Domains", or in the "Site URL" field. You will want to make sure that your url and domain(s) are correct. Hopefully this helps or at least sets you on the right track.
One more suggestion - it looks like you are testing using "localhost". If you are developing on a windows system you can improve the quality of your tests by editing the hosts file and registering your actual host name. OSX or other operating systems have similar mechanisms for registering a host name. Once you have done this you can bind IIS or Apache to that host by creating a new site (or using the virtual hosts option). After that you should be able to type in a more real looking host name which makes the Facebook authentication work that much better. Best of luck!
I am running S60 SDK 5th with Eclipse pulsar on win 7.
I have oauth_token using with this Url https://www.linkedin.com/uas/oauth/authorize?oauth_token=. To get that grant access screen by LinkedIn.
I am loading above Url using htmlComponent, and adding HtmlComponent to form and show it.
Occasionally when I click on the "Ok I'll Allow It" button (i.e. after the button has been pressed) I get the following error message.
We’re sorry, there was a problem with your request. Please make sure you have cookies enabled and try again.
But I'm receiving the response with oauth_token, oauth_token_secret, oauth_callback_confirmed = true, xoauth_request_auth_url, oauth_expires_in.
Please help.
My guess is that the error is happening with the callback. Once you click the "OK, I'll allow it" button in the LinkedIn authentication page, the user should be redirected back to your application. Can you run the network for your phone through a laptop system where you can snoop the traffic to see what's happening? I'm not familiar with HTTP snooping capabilities in the Windows 7 system, but there may be some logging you can do to determine what's happening.