Forum Discussion
Nested App Authentication (NAA) token to protect middle-tier server
I'm working on an Outlook add-in and want to use the NAA access token to validate the user on an API running on a PHP web server.
- The add-in runs as a task pane (created with yo office) with the app-only manifest.
- I have set up NAA to do Microsoft Graph calls on behalf of the user. I have used this guide to set up NAA (copy/paste) https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in
- I have set up a PHP server (not in Microsoft infrastructure) for a simple API, that handles MySQL calls and app-only calls to Microsoft Graph. The PHP API authenticates itself with a client secret from the Azure app registration.
Both are working as expected.
Can I use the access token from the NAA to authenticate the user on the PHP server?
If it can be done how do I validate the token?
1 Reply
Below are the steps to validate NAA Access Token in PHP:
1. Receive the Token from the Add-in
• Your Outlook add-in should send the NAA access token in the Authorization header: Authorization: Bearer <access_token>
2. Validate the Token Using Microsoft Identity Platform
Use a JWT validation library in PHP (e.g., firebase/php-jwt) and follow these steps:
a. Decode the Token Header
• Extract the kid (key ID) from the token header.
b. Fetch Microsoft’s Public Keys
• Get the signing keys from: https://login.microsoftonline.com/common/discovery/v2.0/keys
• Match the kid to the correct public key.
c. Verify Token Signature and Claims
• Validate:
o Signature using the public key
o Issuer: https://login.microsoftonline.com/{tenant}/v2.0
o Audience: Should match your API’s client_id or App ID URI
o Scopes: Ensure required scopes are present
o Expiration: Check exp claim
Suggestions:
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

// The header value is "Bearer <token>"; strip the scheme before decoding
$jwt = preg_replace('/^Bearer\s+/i', '', $_SERVER['HTTP_AUTHORIZATION'] ?? '');
$jwks = json_decode(file_get_contents('https://login.microsoftonline.com/common/discovery/v2.0/keys'), true);
// firebase/php-jwt v6: the algorithm is attached to the parsed keys, not passed to decode()
$decoded = JWT::decode($jwt, JWK::parseKeySet($jwks, 'RS256'));
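The steps in the reply above, carried through end to end as an added example (not code from the original post or from Microsoft's documentation). It uses firebase/php-jwt v6 and assumes the tenant id, Application ID URI, scope name and function names shown, all placeholders. To run offline it constructs its own RSA key pair and JWKS and signs a constructed token; in production the JWKS array comes from the tenant's discovery endpoint instead. It also shows the check the audience step implies: a token the add-in obtained for Microsoft Graph has a different aud and must not be accepted by your own API.

```php
<?php
// Added example: validate an NAA access token presented to a PHP API (firebase/php-jwt v6).
// Placeholders below are assumptions, not values from the original post.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

const EXPECTED_TENANT   = '00000000-0000-0000-0000-000000000000';        // placeholder tenant id
const EXPECTED_AUDIENCE = 'api://11111111-1111-1111-1111-111111111111';  // placeholder App ID URI of the API
const REQUIRED_SCOPES   = ['access_as_user'];                            // placeholder scope exposed by the API

function validateNaaToken(string $authorizationHeader, array $jwks): array
{
    // 1. Extract the bearer token from "Authorization: Bearer <token>".
    if (!preg_match('/^Bearer\s+(\S+)$/i', $authorizationHeader, $m)) {
        throw new RuntimeException('Missing or malformed Authorization header');
    }
    $jwt = $m[1];

    // 2a. Decode the header and read the key id used to sign the token.
    $header = (array) JWT::jsonDecode(JWT::urlsafeB64Decode(explode('.', $jwt)[0]));
    $kid = $header['kid'] ?? null;

    // 2b/2c. Match kid against the JWKS and verify the signature. JWT::decode selects the
    //        key by kid and enforces exp/nbf/iat, throwing an exception on any failure.
    $claims = (array) JWT::decode($jwt, JWK::parseKeySet($jwks, 'RS256'));

    // Issuer: reject tokens minted by another tenant.
    $expectedIssuer = 'https://login.microsoftonline.com/' . EXPECTED_TENANT . '/v2.0';
    if (($claims['iss'] ?? null) !== $expectedIssuer) {
        throw new RuntimeException('Unexpected issuer');
    }
    // Audience: a token issued for Microsoft Graph (or any other resource) is not ours.
    if (($claims['aud'] ?? null) !== EXPECTED_AUDIENCE) {
        throw new RuntimeException('Token was not issued for this API');
    }
    // Scopes: "scp" is a space-separated string in delegated Entra ID tokens.
    $granted = preg_split('/\s+/', (string) ($claims['scp'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    foreach (REQUIRED_SCOPES as $scope) {
        if (!in_array($scope, $granted, true)) {
            throw new RuntimeException("Missing required scope: $scope");
        }
    }
    return ['kid' => $kid, 'claims' => $claims];
}

// --- Offline demonstration with a constructed key pair and constructed tokens ---
// Production: $jwks = json_decode(file_get_contents(
//     'https://login.microsoftonline.com/' . EXPECTED_TENANT . '/discovery/v2.0/keys'), true);
function b64url(string $bin): string { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }

$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($key, $privatePem);
$details = openssl_pkey_get_details($key);
$jwks = ['keys' => [[
    'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => 'demo-kid',
    'n' => b64url($details['rsa']['n']), 'e' => b64url($details['rsa']['e']),
]]];

$now = time();
$payload = [                                   // constructed claims
    'iss' => 'https://login.microsoftonline.com/' . EXPECTED_TENANT . '/v2.0',
    'aud' => EXPECTED_AUDIENCE,
    'scp' => 'access_as_user',
    'iat' => $now, 'nbf' => $now, 'exp' => $now + 300,
    'oid' => '22222222-2222-2222-2222-222222222222',   // constructed user object id
];
$token  = JWT::encode($payload, $privatePem, 'RS256', 'demo-kid');
$result = validateNaaToken('Bearer ' . $token, $jwks);
echo "Accepted token signed by kid {$result['kid']} for user {$result['claims']['oid']}\n";

// Same signer, but audience is Microsoft Graph: must be rejected by this API.
$graphToken = JWT::encode(['aud' => 'https://graph.microsoft.com'] + $payload, $privatePem, 'RS256', 'demo-kid');
try {
    validateNaaToken('Bearer ' . $graphToken, $jwks);
} catch (RuntimeException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```

Cache the JWKS rather than fetching it on every request, and refresh it when a token arrives with a kid that is not in the cached set, since Microsoft rotates signing keys. The tenant-specific discovery URL is used instead of the /common one so the iss check and the key set come from the same tenant.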