Outlook Add-in: Token Cache Not Reused in NAA Scenario, Leading to Performance Degradation

[MortenGuldbaek]

When using NAA, the Outlook Add-in is never able to reuse the token cache, due to the BridgeProxy.initializeNestedAppAuthBridge response not containing an accountContext.

Expected Behavior

A user should be able to open and use our Outlook Add-in in their browser or the new Outlook App. They should be able to browse views utilizing Microsoft Graph data by getting a token and using Single Sign-On with MSAL in an NAA scenario without repeated token requests.

Current Behavior

Although the functionality is correct, the actual experience is slow, as every Graph API request triggers a new token request instead of reusing the previously fetched tokens. The same goes for other resources, fx. SharePoint REST.

The bearer tokens previously fetched, and visible in the browser localStorage, should be reused, as to improve performance.

Steps to Reproduce, or Live Example

1. Set up an Outlook Add-in with Single Sign-On enabled using Nested App Authentication (NAA).
2. Create a page in the application that loads Graph data on load and includes a button to trigger new requests.
3. Ensure the page uses the acquireTokenSilent method to fetch a token right before making each request.
4. Monitor network traffic to see a token request before each Graph data request.

Context

The performance is slow due to token requests being executed before each data load.

My investigation found that the 'BridgeProxy.initializeNestedAppAuthBridge' response never actually returns an account that can be used for the caching:

@azure/msal-browser/src/naa/BridgeProxy.ts

The response should contain "accountContext" and "capabilities" but they do not exist.

This is the only place in the entire library that the account context that is used for looking up the token cache is set.

This in turn ensures that the currentAccount is never set:

@azure/msal-browser/src/controllers/NestedAppAuthController.ts

As a result, all requests work correctly but make redundant calls to the token endpoint.

Your Environment

• Platform [PC desktop, Mac, iOS, Office Online]: Office Online
• Host [Excel, Word, PowerPoint, etc.]: Outlook OWA
• Office version number: ______
• Operating System: Windows 11
• Browser (if using Office Online): Chrome
• Packages: "@azure/msal-browser": "3.28.0"

Useful logs

Here is an example, but with SharePoint REST (different resource and scopes) from the same app:

And the corresponding log:

09:49:29 - @azure/[email protected] : Verbose - No active account found, falling back to the host
09:49:29 - @azure/[email protected] : Error - Cached tokens are not found for the account, proceeding with silent token request.
09:49:29 - @azure/[email protected] : Verbose - hydrateCache called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.setAccount called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.addAccountKeyToMap called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called
09:49:29 - @azure/[email protected] : Verbose - BrowserCacheManager.addAccountKeyToMap account key already exists in map
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.setIdTokenCredential called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: config
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: hardcoded_values
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: config
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: hardcoded_values
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: config
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: hardcoded_values
09:49:29 - @azure/[email protected] : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager removeTokenKey called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
09:49:29 - @azure/[email protected] : Info - BrowserCacheManager: removeTokenKey - accessToken removed from map
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.setAccessTokenCredential called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called
09:49:29 - @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
09:49:29 - @azure/[email protected] : Info - BrowserCacheManager: addTokenKey - accessToken added to map
09:49:29 - @azure/[email protected] : Verbose - setActiveAccount: Active account set
09:49:33 - @azure/[email protected] : Verbose - No active account found, falling back to the host
09:49:33 - @azure/[email protected] : Error - Cached tokens are not found for the account, proceeding with silent token request.
09:49:33 - @azure/[email protected] : Verbose - hydrateCache called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.setAccount called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.addAccountKeyToMap called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getAccountKeys called
09:49:33 - @azure/[email protected] : Verbose - BrowserCacheManager.addAccountKeyToMap account key already exists in map
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.setIdTokenCredential called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager addTokenKey called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getTokenKeys called
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: config
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: hardcoded_values
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: config
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: hardcoded_values
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: config
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata called with source: hardcoded_values
09:49:33 - @azure/[email protected] : Trace - getAliasesFromMetadata: found cloud discovery metadata in hardcoded_values, returning aliases
09:49:33 - @azure/[email protected] : Trace - BrowserCacheManager.getAccessTokenCredential: cache hit

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Office on the web in the Edge, Firefox, or Safari browser, the dialog box and task pane don't share the same Local Storage #3647
• NAA: Unable to acquire access token for event-based activation (onMessageSend) #4764

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

There is a new NAA sample in PR that shows how to implement NAA in events. In particular, you have to be careful how to configure webpack to avoid pulling in hot reload code when importing MSAL JS. This might help with the issues you are seeing.

Reference:

• NAA: Unable to acquire access token for event-based activation (onMessageSend) #4764 (comment)

Solution 2:

Acquiring an access token via NAA in send event now works with beta channel version 16.0.18028.20004.

Reference:

• NAA: Unable to acquire access token for event-based activation (onMessageSend) #4764 (comment)

Solution 3:

The sample is now published at https://github.com/OfficeDev/Office-Add-in-samples/tree/main/Samples/auth/Outlook-Event-SSO-NAA. This might provide guidance on implementing NAA correctly.

Reference:

• NAA: Unable to acquire access token for event-based activation (onMessageSend) #4764 (comment)