Best way to make one browser session mimic the other in JavaScript?

Some background: an MS Office add-in is embedded either in a client app like MS Word on the desktop or in a browser instance using office (dot) com.

Authentication is a bit tricky since it requires the use of a non-modal dialog that is a separate browser instance. Specifically, in Office for web, the taskpane is an iframe and the dialog is a separate browser instance.

Assuming I’ve been able to authenticate the user in session A (the dialog browsing context), how do I authenticate the user in session B, the taskpane context?

Is it possible to use the authenticated session object from the dialog as the modified session for the taskpane?

Should be fine if you use the same browser. The Django session cookie is, I believe, shared between tabs.

Hi @dennisvd, unfortunately it doesn’t share the same context. I should have included the dialog box’s characteristics in the question. Being a separate browser instance from the task pane, the dialog:

  1. Has its own runtime environment and window object and global variables.
  2. There is no shared execution environment with the task pane.
  3. It does not share the same session storage (the Window.sessionStorage property) as the task pane.

I’m able, however, to send information back to the taskpane using a specific JS method from the officejs library. I’ve tried sending an authentication token to the taskpane “parent” but I’m still unable to duplicate the session in the taskpane to make it mimic the authentication session from the dialog.

For a persistent authentication you have some other options like:

  • Use a Single Sign-On provider’s SDK on the client to get auth tokens.
  • Use Token Authentication - When a user logs in, generate a token that is returned to the client device. The client stores this token and sends it in the Authorization header on subsequent requests. The token can expire after a set time period.
    Check out:
    Django REST framework tokenauthentication
    or
    Django OAuth package.
    There are probably some other packages that have similar support for persistent authentication.

Thanks for the suggestions.

I didn’t want to use the REST API indefinitely. I just want to replicate the session and proceed to the regular Django template / session authentication based on the request object. I managed to get it working via the following route:

  1. Use DRF to generate an auth token per user
  2. If the user successfully authenticates in the dialog, pass the token to the taskpane
  3. Use the token in the taskpane via JavaScript fetch, to reach a special view which determines if the token exists and matches a user, then executes django.contrib.auth.login()
  4. The response, if it’s a valid user, adds the following response headers to the taskpane client: Set-Cookie (csrf), Set-Cookie (sessionid)
  5. The response headers however will only be added if the following settings are adopted:
    CSRF_COOKIE_SAMESITE = "None"
    CSRF_COOKIE_SECURE = True
    
    SESSION_COOKIE_SAMESITE = "None"
    SESSION_COOKIE_SECURE = True
    
  6. Insofar as the taskpane is concerned, the session is replicated.
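
A framework-free model of steps 3 to 5, added here as an example and not code from this thread: it uses only the Python standard library in place of the Django view and DRF token table. The token store, function names and sample values are constructed for illustration.

```python
# Added example: stdlib stand-in for the token-to-session view described above.
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample data: token key -> username (stands in for DRF's Token table).
TOKENS = {"constructed-token-0001": "alice"}
SESSIONS = {}  # session id -> username (stands in for Django's session store)


def user_for_token(auth_header):
    """Return the username for an 'Authorization: Token <key>' header, else None."""
    scheme, _, key = (auth_header or "").partition(" ")
    if scheme != "Token" or not key:
        return None
    found = None
    for known, user in TOKENS.items():
        # Constant-time comparison; every entry is scanned, with no early exit.
        if hmac.compare_digest(known.encode(), key.strip().encode()):
            found = user
    return found


def session_cookies(auth_header):
    """Model of the special view: token in, (status, Set-Cookie values) out.

    Only SameSite=None cookies are sent on requests made from a cross-site
    iframe such as the task pane, and browsers accept SameSite=None only
    together with Secure, which is why step 5 needs all four settings.
    """
    user = user_for_token(auth_header)
    if user is None:
        return 401, []
    sid = secrets.token_urlsafe(32)  # fresh id per login, never the token itself
    SESSIONS[sid] = user
    jar = SimpleCookie()
    jar["sessionid"] = sid
    jar["csrftoken"] = secrets.token_urlsafe(32)
    for name in ("sessionid", "csrftoken"):
        jar[name]["path"] = "/"
        jar[name]["secure"] = True       # *_COOKIE_SECURE = True
        jar[name]["samesite"] = "None"   # *_COOKIE_SAMESITE = "None"
    jar["sessionid"]["httponly"] = True  # script in the task pane cannot read it
    return 200, [jar[n].OutputString() for n in ("sessionid", "csrftoken")]
```

In the real setup the token reaches this view in the `Authorization` header of the taskpane's fetch call, and the browser stores the two cookies from the response.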

I see you are using the Django REST framework. Yes, it might be a bit overkill if you don’t have any APIs 😅.

Instead you might be able to use the other package that I suggested.
