I am working on enterprise software that works independently from Office 365/Azure AD. Now I want to create a JS Word add-in that accesses protected resources of this application via an API (files, Word templates, personal data of the user, ...).
Preferably I would like to do session-based authentication for the user via an Office dialog box. Now I ran into the problem that there seems to be no way to cache the session token using Office JS for 12 hours over multiple Word instances (closing and reopening Word). Or is there a useful solution (for Word Online, Mac, Windows) to cache the session token (cookie, HTML localStorage, ...)?
If this is not possible, we can force our customers to use a Microsoft 365 account for authentication in the Office add-in against our API. I found the following posts about this:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/overview-authn-authz (Access your Web APIs through SSO). However, the other articles only describe how to get an access token for the user in the Office add-in (https://learn.microsoft.com/en-us/office/dev/add-ins/develop/use-sso-to-get-office-signed-in-user-token?tabs=vs2019) and how to use this token to access Microsoft Graph via my API (https://learn.microsoft.com/en-us/office/dev/add-ins/develop/authorize-to-microsoft-graph). But I don't want access to Graph for the user. I want to authenticate the user against my API.
I don't understand whether this access token also authenticates the user against my API. In the normal OpenID Connect workflow, I use the nonce in the ID token generated by my server to ensure that the Microsoft identity platform authenticates the user for my API. How can I make sure that the Microsoft identity provider has just created this access token for my application/API?
Thanks for your help.