Outlook-Add-in-SSO-NAA double popups Firefox/Safari

[malnoxon]

URL of sample
https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/auth/Outlook-Add-in-SSO-NAA

Describe the bug
I routinely get double popups the first time I try to click the "Get user data" button in Firefox or Safari on a fresh login or private window due to a failure to silently get a token in those cases. They open and then automatically close with no user intervention. I do not get these popups in chrome under the same conditions where silent token retrieval is successful.

This is both a UX annoyance and can cause functional issues if the browser is configured to block popups. The particular scenario I'm concerned about is if an admin grants consent on behalf of the org in which case the end users should see 0 popups prompting them for consent and ideally never need to allow popups.

This may be a combination of 2 issues:

1. Why is the popup needed at all?
2. Why are there 2 of them? (more annoying UX and more likely to have the browser decide to block one)

To Reproduce
Sideload in the add-in

1. Make a new email in outlook in Firefox
2. Message > the apps square > click the add-in
3. Consent to all permissions for the add-in (click the "get user data" button in the add-in and let it prompt you to accept them).
4. Verify you can see the results from the button click in the add-in pane
5. Now open a new private Firefox window
6. Make a new email in outlook in that private window
7. Open the add-in again, click the "get user data" button.
8. Notice that it throws 2 popups that automatically open/close.

Expected behavior
After permissions have been granted I'd expect no popups to be necessesary like in chrome.

Screenshots

Firefox console logs

The resource at “https://res.public.onecdn.static.microsoft/owamail/hashed-v1/scripts/owa.2069.m.c813c80c.js” preloaded with link preload was not used within a few seconds. Make sure all attributes of the preload tag are set correctly. mail
The resource at “https://res.public.onecdn.static.microsoft/owamail/hashed-v1/scripts/owa.MsalAuth.m.600aad13.js” preloaded with link preload was not used within a few seconds. Make sure all attributes of the preload tag are set correctly. mail
downloadable font: kern: Too large subtable (font-family: "Aptos" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos.woff2
downloadable font: Table discarded (font-family: "Aptos" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos.woff2
downloadable font: kern: Too large subtable (font-family: "Aptos" style:normal weight:700 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos-Bold.woff2
downloadable font: Table discarded (font-family: "Aptos" style:normal weight:700 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos/Aptos-Bold.woff2
Partitioned cookie or storage access was provided to “https://localhost:3000/taskpane.html?et=” because it is loaded in the third-party context and dynamic state partitioning is enabled.
[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled. index.js:577
[HMR] Waiting for update signal from WDS... log.js:39
[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled. index.js:577
[HMR] Waiting for update signal from WDS... log.js:39
XML Parsing Error: no root element found
Location: https://localhost:3000/taskpane.html?et=
Line Number 1, Column 1: taskpane.html:1:1
Cookie warnings 10
[Wed, 13 Nov 2024 17:17:53 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true msalconfig.ts:30:20
[Wed, 13 Nov 2024 17:17:53 GMT] : [] : @azure/[email protected] : Verbose - BrowserCrypto: modern crypto interface available msalconfig.ts:33:20
XHRGET
https://graph.microsoft.com/v1.0/chats?$top=50&$expand=lastMessagePreview&$select=viewpoint,lastMessagePreview
[HTTP/2 429  10ms]

downloadable font: kern: Too large subtable (font-family: "Aptos Display" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-display/Aptos-Display.woff2
downloadable font: Table discarded (font-family: "Aptos Display" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-display/Aptos-Display.woff2
downloadable font: kern: Too large subtable (font-family: "Aptos Narrow" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-narrow/Aptos-Narrow.woff2
downloadable font: Table discarded (font-family: "Aptos Narrow" style:normal weight:400 stretch:100 src index:0) source: https://res.public.onecdn.static.microsoft/assets/mail/fonts/aptos/v1.93.230727224051/aptos-narrow/Aptos-Narrow.woff2
Trying to acquire token silently... authConfig.ts:87:14
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. mail
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. oauthRedirect.html
The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it. oauthRedirect.html
Unable to acquire token silently: InteractionRequiredAuthError: login_required: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com). Trace ID: e791e837-6094-4a73-8656-98863b667700 Correlation ID: 01932688-27f1-73df-a48e-e4e634890d2a Timestamp: 2024-11-13 17:17:57Z authConfig.ts:92:14
Trying to acquire token interactively... authConfig.ts:97:14
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. mail
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. oauthRedirect.html
The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it. oauthRedirect.html
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Verbose - hydrateCache called msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.addAccountKeyToMap account key added msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getTokenKeys - No token keys found msalconfig.ts:33:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - idToken added to map msalconfig.ts:30:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - accessToken added to map msalconfig.ts:30:20
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: Active account set msalconfig.ts:33:20
Acquired token interactively. authConfig.ts:100:14
[Wed, 13 Nov 2024 17:17:59 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: Active account set msalconfig.ts:33:20
Object { "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity", businessPhones: [], displayName: "Devs", givenName: "Devs", jobTitle: null, mail: "[email protected]", mobilePhone: null, officeLocation: null, preferredLanguage: "en-US", surname: null, … }
msgraph-helper.ts:27:12
A resource is blocked by OpaqueResponseBlocking, please check browser console for details. 2 OutlookWeb-Mail-PROD
The connection to wss://augloop.office.com/ was interrupted while the page was loading. owa.13232.m.1012d67c.js:1:7035
[webpack-dev-server] App updated. Recompiling... index.js:577
[webpack-dev-server] App updated. Recompiling... index.js:577
[webpack-dev-server] App hot update... index.js:577
[HMR] Checking for updates on the server... log.js:39
[webpack-dev-server] App hot update... index.js:577
[HMR] Checking for updates on the server... log.js:39
[HMR] Update failed: Loading hot update chunk polyfill failed.
(missing: https://localhost:3000/polyfill.e0c31b8a82ca081b835d.hot-update.js)
loadUpdateChunk/<@https://localhost:3000/polyfill.js:26926:26
loadUpdateChunk@https://localhost:3000/polyfill.js:26921:20
__webpack_require__.hmrC.jsonp/<@https://localhost:3000/polyfill.js:27378:29
__webpack_require__.hmrC.jsonp@https://localhost:3000/polyfill.js:27373:22
hotCheck/</</<@https://localhost:3000/polyfill.js:26751:47
hotCheck/</<@https://localhost:3000/polyfill.js:26747:55
promise callback*hotCheck/<@https://localhost:3000/polyfill.js:26742:43
promise callback*hotCheck@https://localhost:3000/polyfill.js:26733:15
check@https://localhost:3000/polyfill.js:4020:5
./node_modules/webpack/hot/dev-server.js/<@https://localhost:3000/polyfill.js:4074:4
emit@https://localhost:3000/polyfill.js:350:17
reloadApp@https://localhost:3000/polyfill.js:3915:67
ok@https://localhost:3000/polyfill.js:1841:68
./node_modules/webpack-dev-server/client/socket.js/initSocket/<@https://localhost:3000/polyfill.js:3591:29
./node_modules/webpack-dev-server/client/clients/WebSocketClient.js/onMessage/this.client.onmessage@https://localhost:3000/polyfill.js:1574:10
EventHandlerNonNull*onMessage@https://localhost:3000/polyfill.js:1573:7
initSocket@https://localhost:3000/polyfill.js:3584:10
./node_modules/webpack-dev-server/client/index.js?protocol=wss%3A&hostname=0.0.0.0&port=3000&pathname=%2Fws&logging=info&overlay=true&reconnect=10&hot=true&live-reload=true@https://localhost:3000/polyfill.js:1926:55
__webpack_require__@https://localhost:3000/polyfill.js:26353:32
@https://localhost:3000/polyfill.js:27417:30
@https://localhost:3000/polyfill.js:27422:12
log.js:41
[HMR] Nothing hot updated. log.js:39
[HMR] App is up to date. log.js:39

Chrome logs when performing the same action

11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.861 Chrome is moving towards a new experience that allows users to choose to browse without third-party cookies.
11:15:04.963 bootstrap:22 [webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.
11:15:04.964 bootstrap:22 [HMR] Waiting for update signal from WDS...
11:15:05.028 bootstrap:22 [webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.
11:15:05.029 bootstrap:22 [HMR] Waiting for update signal from WDS...
11:15:06.067 msalconfig.ts:30 [Wed, 13 Nov 2024 17:15:06 GMT] : [] : @azure/[email protected] : Info - Nested App Auth Bridge available: true
11:15:06.067 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:06 GMT] : [] : @azure/[email protected] : Verbose - BrowserCrypto: modern crypto interface available
11:15:08.164 owa.30114.m.7d654955.js:1 
        
        
       GET https://graph.microsoft.com/v1.0/chats?$top=50&$expand=lastMessagePreview&$select=viewpoint,lastMessagePreview 429 (Too Many Requests)
o @ owa.30114.m.7d654955.js:1
c @ owa.30114.m.7d654955.js:1
E @ owa.30114.m.7d654955.js:1
await in E
(anonymous) @ owa.mailindex.8754bfb2.js:1
Promise.then
importAndExecute @ owa.mailindex.8754bfb2.js:1
task @ owa.AppBoot.m.01b05440.js:1
t @ owa.Tti.m.1ee76fcc.js:1
(anonymous) @ owa.Tti.m.1ee76fcc.js:1
postTask
r @ owa.mailindex.8754bfb2.js:1
(anonymous) @ owa.Tti.m.1ee76fcc.js:1
(anonymous) @ owa.Tti.m.1ee76fcc.js:1
runTask @ owa.AppBoot.m.01b05440.js:17
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
Promise.then
tryRunTask @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
postTask
r @ owa.mailindex.8754bfb2.js:1
scheduleTask @ owa.AppBoot.m.01b05440.js:17
onTaskComplete @ owa.AppBoot.m.01b05440.js:17
(anonymous) @ owa.AppBoot.m.01b05440.js:17
11:15:09.223 authConfig.ts:87 Trying to acquire token silently...
11:15:09.242 owa.2069.m.c813c80c.js:7 An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
tF @ owa.2069.m.c813c80c.js:7
tK @ owa.2069.m.c813c80c.js:7
(anonymous) @ owa.2069.m.c813c80c.js:1
tD @ owa.2069.m.c813c80c.js:7
(anonymous) @ owa.2069.m.c813c80c.js:1
silentTokenHelper @ owa.2069.m.c813c80c.js:7
await in silentTokenHelper
(anonymous) @ owa.2069.m.c813c80c.js:1
acquireToken @ owa.2069.m.c813c80c.js:7
await in acquireToken
ssoSilent @ owa.2069.m.c813c80c.js:7
ssoSilent @ owa.2069.m.c813c80c.js:7
eg @ owa.MsalAuth.m.600aad13.js:1
eV @ owa.MsalAuth.m.600aad13.js:1
ej @ owa.MsalAuth.m.600aad13.js:1
await in ej
getNestedAppAuthToken @ owa.MsalAuth.m.600aad13.js:1
getTokenRequest @ owa.MsalAuth.m.600aad13.js:1
(anonymous) @ owa.MsalAuth.m.600aad13.js:1
l @ owa.MsalAuth.m.600aad13.js:1
f @ owa.MsalAuth.m.600aad13.js:1
eY @ owa.MsalAuth.m.600aad13.js:1
(anonymous) @ owa.mailindex.8754bfb2.js:1
then @ owa.mailindex.8754bfb2.js:1
importAndExecute @ owa.mailindex.8754bfb2.js:1
(anonymous) @ owa.mailindex.8754bfb2.js:1
then @ owa.mailindex.8754bfb2.js:1
importAndExecute @ owa.mailindex.8754bfb2.js:1
executeNaaRequest @ owa.AppBoot.m.01b05440.js:1
tT @ owa.82103.m.0f56f587.js:1
n8 @ owa.82103.m.0f56f587.js:1
(anonymous) @ owa.82103.m.0f56f587.js:1
e.invoke @ owa.24892.m.c797c99d.js:1
u @ owa.24892.m.c797c99d.js:1
v @ owa.24892.m.c797c99d.js:1
11:15:09.678 mail/oauthRedirect.html#code=1.ASgATSnmPjO2u0asaqgHWwlcEyC_mZE_oQdBhdwCEUeH70jZAG8oAA.AgABBAIAAADW6jl31mB3T7ugrWTT8pFeAwDs_wUA9P-8z9yphqfHBXVscm0xI7DbcRFFwIYOI7drYOMTuozXiX0ObAMM_xfioc3c38-miZ0r5aLcnflx24Uv0hLc0yW94NUih6tZw7xWv2lKSIh3uTFII3HiXB0a9PUuSV83oAf_rmjh__fFwgHj7DCw746hBJfDZEF2jj5nGBqvOMYuZr70fbbzmlS5coRSaq6VYSa0bL90R87XGReOUNMfucVuka3q0XTfQaKwGpC4przhqJ9q4z6RQ9bOc4u7TGhguXqax7jyj38jVEiFnA8UsxWtGkwrlbeuDRiOt4rLEdSKbLGxiXmgAXZCM6sGV3ADvXQIyzpPF7XdBXrz0gJd66VC3UV3Z70VkvfJCGYxCe20w3Hg7pDLcMtZBs7jOLyKuwgJMVdQ8SSydkQ7ruSP-xjoa1-i4qwz9WXlYXyWftqh7l2EJYMMY9Z9gwoYEKmrP4jZ7GK127wjGQt4egt5VtllXEX8qmwqe8cSKWVkis2vHL4H5JupaOseSSLCMz_PWiiRAGHTjrFqVb5xtYj-jqFb39bHfz_EwiIRJPowYDEK-uPKOel_cro8fWMNj1lH51BwTOr8ehXy-HtFf5UyxofXjihLmt5PZE6HwJoQk0r20a4V5TfNbqMzYT-CA1bC-BEErNz4ma3a6PUuTqEC_5uOH6kZe2kGhihQysJQPC9HyyNplAvNn0EBDx28wDhCitoVvuvtIvPAvDD_-oJ6kIG8FwUKzZyiOn6CqJ24FIRqVfjf1_Ed2CLyiwOOCix4Nnai9JeZJ6IESAHQ10BMxbKAGk1W3JEIlJJ8fMIhvPeuIbc-2a2TlCzqWALkFS9QCjHAa78OaII&client_info=eyJ1aWQiOiJhMGU5MmI0Ny03OTM1LTQyNTEtOTQwMy05N2U5MmRkZWUxZDMiLCJ1dGlkIjoiM2VlNjI5NGQtYjYzMy00NmJiLWFjNmEtYTgwNzViMDk1YzEzIn0&state=eyJpZCI6IjAxOTMyNjg1LTk2MmMtNzg3Mi04NjBhLTg1ZWI2NTI5NDdhZCIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19&session_state=f00afcdb-7bf3-401c-864d-e892ff10e2b9:1 An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
11:15:10.286 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Verbose - hydrateCache called
11:15:10.287 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getAccountKeys - No account keys found
11:15:10.287 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.addAccountKeyToMap account key added
11:15:10.288 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Verbose - BrowserCacheManager.getTokenKeys - No token keys found
11:15:10.288 msalconfig.ts:30 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - idToken added to map
11:15:10.288 msalconfig.ts:30 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - accessToken added to map
11:15:10.289 msalconfig.ts:33 [Wed, 13 Nov 2024 17:15:10 GMT] : [] : @azure/[email protected] : Verbose - setActiveAccount: Active account set
11:15:10.289 authConfig.ts:89 Acquired token silently.
11:15:10.403 msgraph-helper.ts:27 {@odata.context: 'https://graph.microsoft.com/v1.0/$metadata#users/$entity', businessPhones: Array(0), displayName: 'Devs', givenName: 'Devs', jobTitle: null, …}
11:22:16.000 index.js:577 [webpack-dev-server] App updated. Recompiling...
11:22:16.001 index.js:577 [webpack-dev-server] App updated. Recompiling...
11:22:16.658 index.js:577 [webpack-dev-server] App hot update...
11:22:16.658 log.js:39 [HMR] Checking for updates on the server...
11:22:16.659 index.js:577 [webpack-dev-server] App hot update...
11:22:16.659 log.js:39 [HMR] Checking for updates on the server...
11:22:16.710 log.js:41 [HMR] Update failed: Loading hot update chunk polyfill failed.
(missing: https://localhost:3000/polyfill.e0c31b8a82ca081b835d.hot-update.js)
ChunkLoadError
    at https://localhost:3000/polyfill.js:26926:26
    at new Promise (<anonymous>)
    at loadUpdateChunk (https://localhost:3000/polyfill.js:26921:20)
    at https://localhost:3000/polyfill.js:27378:29
    at Array.forEach (<anonymous>)
    at __webpack_require__.hmrC.jsonp (https://localhost:3000/polyfill.js:27373:22)
    at https://localhost:3000/polyfill.js:26751:47
    at Array.reduce (<anonymous>)
    at https://localhost:3000/polyfill.js:26747:55
__webpack_modules__../node_modules/webpack/hot/log.js.module.exports @ log.js:41
(anonymous) @ dev-server.js:60
Promise.catch
check @ dev-server.js:45
(anonymous) @ dev-server.js:69
emit @ events.js:153
reloadApp @ reloadApp.js:38
ok @ index.js:239
(anonymous) @ socket.js:62
client.onmessage @ WebSocketClient.js:45
Show 9 more frames
Show less
11:22:16.711 log.js:39 [HMR] Nothing hot updated.
11:22:16.711 log.js:39 [HMR] App is up to date.

Environment

• Platform [PC desktop, Mac, iOS, Office Online]: OSX 14.7.1
• Host [Excel, Word, PowerPoint, etc.]: Outlook for Web
• Browser (if using Office Online): Firefox 132.0.2/Safari 18.1

Additional context
n/a

[AlexJerabek]

Thanks for flagging this @malnoxon.

@codexeon or @davidchesnut, could you please take a look?

[davidchesnut]

I am able to reproduce this behavior so I'm looking into this.

[davidchesnut]

Tracking as bug: 325416.

[glr0221]

@malnoxon
Thanks for filing this one. We are experiencing the same issue.

@davidchesnut
We are experiencing the same issue. Silent token acquisition is not supported in both firefox and safari.
Thank you for your support as always.

[salaman]

I believe this is expected. Silent token acquisition cannot be performed in all cases. Your console logs show the following error:

Unable to acquire token silently: InteractionRequiredAuthError: login_required: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com). Trace ID: e791e837-6094-4a73-8656-98863b667700 Correlation ID: 01932688-27f1-73df-a48e-e4e634890d2a Timestamp: 2024-11-13 17:17:57Z authConfig.ts:92:14

which is an expected MSAL error (InteractionRequiredAuthError) signaling that silent acquisition was not possible. The sample automatically tries to fire off an interactive request which isn't ideal behaviour either; your app should show some kind of button to trigger the interactive auth because browsers may block the popup without explicit user interaction or if the time since last interaction was too long.

If popups are blocked, your app/addin should have UI to handle the resulting MSAL error (typically popup_window_error) and show a button or some help text.

For Firefox, there's a setting that's defaulted to off that enables integration with Windows SSO which should allow silent SSO to happen: https://support.mozilla.org/en-US/kb/windows-sso

For Safari, I believe there are some platform broker SSO extensions that Intune installs to help this flow, but I haven't personally tested if it allows MSAL SSO to succeed in this case.

[glr0221]

Thank you very much @salaman .

I understand and take your points well and appreciate them.

The way I see this is that, NAA-SSO is the future replacement of getCallbackTokenAsync. And in a way, addin users expect NAA-SSO would be as seamless as getCallbackTokenAsync. I guess what I am trying to drive at is that addin end users are so used to the 'silent' and seamless execution of getCallbackTokenAsync, that having popups for login will most likely result to unfavorable user experience. Most users would be surprised with two login popup windows that automatically close.

I was just hoping that whether it is via silent token acquisition (or via interactive acquisition), these NAA-SSO calls would be as good as the current getCallbackTokenAsync.

Thanks for this link : https://support.mozilla.org/en-US/kb/windows-sso. Unfortunately though, this won't work for MAC running firefox.

As for our addin, we intend to fallback to SSO-OBO if silent-token-acquisition for NAA-SSO fails. And if SSO-OBO fails, we will fall back to REST or EWS.

It would really be great if the NAA-SSO flow can equal the convenience/seamlessness of getCallbackTokenAsync.

I hope I make sense. Thanks.

[salaman]

I agree; however, without a fully managed device and browser capable of platform-based single sign on, there is always the possibility of prompting due to the nature of iframes and browser security restrictions.

I'll look into the two popup issue and try to improve the flow to simplify it to one popup.

Separately, Outlook Web is in process of rolling out major improvements to its auth stack, at which point NAA should be even more reliable and some of this prompting will be done in a more 'global' way during initial Outlook load. I don't have a firm date for these changes to fully roll out, but I expect them to be gradually rolling out through this current quarter. I can tell you that the behaviour is a lot better in Firefox with the changes :)

[malnoxon]

Noting that the double popup window can be avoided by:

• Firefox: disabling "Enhanced Tracking Protection" for the site
• Safari: unchecking Settings > Privacy > Prevent cross-site tracking

Not particularly viable to tell our end users to do this unfortunately

[salaman]

I've merged a change internally that should hopefully reduce this flow down to one popup instead of two, and improve the fetch performance overall. You should see it deployed by the end of next week. The popup itself is unavoidable for now; however as I mentioned earlier, Outlook is actively rolling out changes to the auth stack that should meaningfully reduce the occurrence of these popups down to only when strictly necessary (consent required, conditional access policies, MFA, etc), but those are still a work in progress and are planned for the end of Q1.