How do I persist credentials needed for a call to webservice in an Office App?

  • Question

  • Assuming that the page for my Office App can be loaded anonymously, I wonder whether it is possible to persist user credentials that are used to call certain webservices from the Office App?
    If so, what would be the recommended practice from the UI perspective for requesting the credentials the first time the webservice is called from an Office App?

    In particular, I am interested in the Mail App, in case using a token is not yet supported and basic authentication is required.
    Can I use roaming settings for this purpose?

    Thanks,
    Sanja

    Thursday, March 21, 2013 10:29 AM

All replies

  • RoamingSettings or cookies... however, in mail apps you can use the getUserIdentityToken JavaScript function, which is intended for this.

    I would use roaming settings though (if no token is possible) so it gets stored on Exchange and thus for all different access points (different devices, Outlook and OWA).


    Anze Javornik

    Thursday, March 21, 2013 2:50 PM
  • Thank you Anze.

    Right now it is not allowed to make the changes required for the token support (though it is planned in the near future) so I have to use something else for the proof of concept. Roaming settings is then a temporary solution for the Mail App.

    Do you have any idea if something similar can be done for Word and Excel TaskPane Apps on the application level?

    Regards,
    Sanja

    Thursday, March 21, 2013 3:11 PM
  • Only on document level. You can store settings only per document via customXmlParts with use of the addAsync function, and to retrieve it call one of the get functions, or settings per document (link on bottom). You can also use the license token to retrieve settings via a webservice as mentioned in this post (apparently the cookie solution does not work in desktop).

    Also read Persisting app state and settings for document level settings.


    Anze Javornik

    • Edited by Anze Javornik Thursday, March 21, 2013 3:59 PM
    • Marked as answer by SanjaDj Thursday, March 21, 2013 4:06 PM
    Thursday, March 21, 2013 3:56 PM
  • Thanks again.

    I don't really see the value of persisting credentials on the document level. Hope this will be changed later.

    Regards,
    Sanja

    Thursday, March 21, 2013 4:06 PM
  • You can use the license token to mimic roamingSettings, if you can create a webservice.

    Look at the license token and its schema here. Look at cid: this should be the user-specific information that you require to be able to store user data. Your app should get loaded with the et parameter in the URL, which you can base64 decode and then you should get the cid. (For security reasons you can also verify the token.)


    Anze Javornik

    Thursday, March 21, 2013 4:08 PM
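
The approach described in the post above, as an added example that is not part of the original thread: the web service decodes the `et` parameter, reads the cid, and refuses to key stored settings on it until the token has been verified, because a base64-decoded value sent by the client can be forged. Assumptions: the service runs on Node.js, the decoded token is XML carrying exactly one `cid="…"` attribute, and `verifyToken` is a hypothetical caller-supplied check; the sample token and URL are constructed.

```javascript
const MAX_TOKEN_CHARS = 4096; // assumed sanity limit, not taken from the token schema

// Pull the `et` query parameter from the URL the app page was loaded with and
// base64-decode it. URLSearchParams already undoes the URL encoding.
function decodeEt(pageUrl) {
  const et = new URL(pageUrl).searchParams.get('et');
  if (!et || et.length > MAX_TOKEN_CHARS) throw new Error('missing or oversized et');
  // Buffer.from() silently skips invalid characters, so check the alphabet first.
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(et) || et.length % 4 !== 0) {
    throw new Error('et is not valid base64');
  }
  return Buffer.from(et, 'base64').toString('utf8');
}

// Read the cid attribute from the decoded token XML. More than one cid is
// treated as malformed input rather than guessing which one to use.
function extractCid(tokenXml) {
  const matches = [...tokenXml.matchAll(/\scid="([^"]+)"/g)];
  if (matches.length !== 1) throw new Error('expected exactly one cid attribute');
  return matches[0][1];
}

// Return the key under which per-user settings may be stored.
// verifyToken (hypothetical hook) is an async function that has the token
// checked; the cid is not trusted until it resolves to true.
async function settingsKeyFor(pageUrl, verifyToken) {
  const tokenXml = decodeEt(pageUrl);
  const cid = extractCid(tokenXml);
  if (!(await verifyToken(tokenXml))) throw new Error('token failed verification');
  return 'settings:' + cid;
}

// Constructed sample: not a real token; the signature element is a placeholder.
const SAMPLE_XML =
  '<r><t aid="WA000000000" cid="CONSTRUCTED-CID-123" ts="0"/><d>PLACEHOLDER</d></r>';
const SAMPLE_URL = 'https://app.example/home.html?et=' +
  encodeURIComponent(Buffer.from(SAMPLE_XML, 'utf8').toString('base64'));
```

Only settings data should be stored under the returned key; as the later replies in this thread point out for roamingSettings, a settings store is not a place for passwords.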
  • And again... thank you for the prompt reply and info provided.

    Sanja

    Thursday, March 21, 2013 4:15 PM
  • To clarify, roamingSettings should not be used to store user credential information :)

    RoamingSettings is not a secure store - any Exchange application with mailbox access can read this data, as they are stored within the mailbox. If the user has set up archiving with a 3rd-party solution, it's quite possible that the archiving solution will end up sync'ing over roamingSettings as well.

    You should strictly rely on cookies or getUserIdentityToken for auth.

    • Marked as answer by SanjaDj Thursday, March 21, 2013 9:51 PM
    Thursday, March 21, 2013 6:21 PM
  • Thank you Andrew.

    I planned to use roaming settings just as a temporary solution for the proof-of-concept but now I think it will be cookies until token support is ready.

    Thursday, March 21, 2013 9:51 PM