
Instructions on how to register an add-in for SSO lead users through storing a password in the cloud #4895

Status: Open
netoront opened this issue Nov 13, 2024 · 2 comments
Labels: Area: authentication (Feedback on authentication content); Status: in backlog (Issue is being tracked in the backlog but timeline for resolution is unknown); Type: doc bug (Problem with the documentation, e.g., doc is out of date, unclear, confusing, or broken)

Comments

@netoront

Article URL

https://learn.microsoft.com/en-us/office/dev/add-ins/develop/register-sso-add-in-aad-v2

Issue

The documentation gives instructions for creating a client secret - basically a shared password - without any indication of whether it's necessary or safe. It's not safe (Microsoft's own internal security scans flag it as a violation), and as far as I can tell, it's not necessary.

The docs should at least dissuade readers from doing it.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP label Nov 13, 2024
@AlexJerabek (Collaborator)

Hi @netoront,
Thanks for flagging this issue. @davidchesnut, could you please investigate?

@AlexJerabek AlexJerabek added Area: authentication Feedback on authentication content Type: doc bug Problem with the documentation (e.g., doc is out of date, unclear, confusing, or broken) Needs: attention 👋 Waiting on Microsoft to provide feedback and removed Needs: triage 🔍 New issue, needs PM on rotation to triage ASAP labels Nov 13, 2024
@davidchesnut (Member)

Hi @netoront,

The client secret is the recommended way to prove your app identity (from server-side) when working with Office-based SSO. There are some best practices about handling client secrets in the article: Public client and confidential client applications. I can add a link to this from the docs to be sure developers are aware of proper handling of client secrets.

Thanks!
David
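As an added example (not code from the article or from anyone in this thread), here is the server-side half of the flow David describes, written with MSAL for Python: the add-in's web API exchanges the SSO bootstrap token for a downstream token, the client credential is read from the environment or a secret store instead of being committed with the code, and a certificate is accepted in place of a shared secret. The environment variable names and the MSAL usage are my assumptions.

```python
"""Server-side On-Behalf-Of exchange for an Office Add-in that uses SSO.

Assumes `pip install msal` and that the web API receives the bootstrap token
that Office.auth.getAccessToken() returned to the client (assumed setup).
"""
from typing import Dict, List, Mapping, Union

AUTHORITY_TEMPLATE = "https://login.microsoftonline.com/{tenant}"

# Assumed variable names; a secret store (Key Vault, CI secrets) would inject these.
ENV_SECRET = "ADDIN_CLIENT_SECRET"
ENV_CERT_KEY = "ADDIN_CERT_PRIVATE_KEY"      # PEM-encoded private key
ENV_CERT_THUMBPRINT = "ADDIN_CERT_THUMBPRINT"  # hex SHA-1 thumbprint registered in Entra


def client_credential_from_env(env: Mapping[str, str]) -> Union[str, Dict[str, str]]:
    """Build MSAL's client_credential without a hardcoded value.

    A certificate credential is preferred when present; otherwise the shared
    secret is used. A missing credential raises so misconfiguration fails loudly
    instead of silently falling back to an empty string.
    """
    key_pem = env.get(ENV_CERT_KEY)
    thumbprint = env.get(ENV_CERT_THUMBPRINT)
    if key_pem and thumbprint:
        return {"private_key": key_pem, "thumbprint": thumbprint}
    secret = env.get(ENV_SECRET)
    if secret:
        return secret
    raise RuntimeError(f"no client credential configured: set {ENV_SECRET} or {ENV_CERT_KEY}/{ENV_CERT_THUMBPRINT}")


def acquire_downstream_token(bootstrap_token: str, tenant_id: str, client_id: str,
                             credential: Union[str, Dict[str, str]], scopes: List[str]) -> dict:
    """Exchange the SSO bootstrap token for a token to a downstream API (e.g. Graph)."""
    import msal  # imported here so the credential helper is usable without MSAL installed

    app = msal.ConfidentialClientApplication(
        client_id,
        client_credential=credential,
        authority=AUTHORITY_TEMPLATE.format(tenant=tenant_id),
    )
    result = app.acquire_token_on_behalf_of(user_assertion=bootstrap_token, scopes=scopes)
    if "access_token" not in result:
        # Log the error code and description, never the assertion or the credential.
        raise RuntimeError(f"OBO exchange failed: {result.get('error')}: {result.get('error_description')}")
    return result
```

`acquire_downstream_token` needs network access to the Microsoft identity platform; `client_credential_from_env` can be exercised offline with a constructed mapping.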

@davidchesnut davidchesnut added Status: in backlog Issue is being tracked in the backlog but timeline for resolution is unknown and removed Needs: attention 👋 Waiting on Microsoft to provide feedback labels Nov 15, 2024