I am actually doing plenty of stuff with Office Addins, following the guides and patterns Microsoft is giving especially for the use of the new Identity API in the Office clients for an SSO experience.
Everything is fine on the dev stages; after some wrapping my head around the concepts, I have my React app as a Word/Outlook Addin with Node.js/Express.js middleware and plenty of other stuff that does not matter here.
When bringing this from Dev to Prod, I struggle with a strange effect in the customer's Office 365 tenant that prevents a decoding of the token one gets from the Office client on the user's side (see https://docs.microsoft.com/de-de/office/dev/add-ins/develop/sso-in-office-add-ins#add-client-side-co... for reference; we are talking about getting the local token as the starting point for an AAD V2 endpoint authentication by calling Office.context.auth.getAccessTokenAsync()). After a lot of debugging I figured out that the token does not contain the data it should have and therefore cannot be decoded in the middleware. It looks something like this:
Token in our very own Office tenant -> Screenshot 1
Token in customer tenant -> Screenshot 2
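
One way to compare the two tokens without pasting their contents anywhere, as an added example that is not part of the original post: a Node.js helper that decodes the token's header and payload and reports which claim names are present or missing. The `EXPECTED_CLAIMS` list and all function names are assumptions for illustration; the helper performs no signature validation and is meant for diagnosis only.

```javascript
// Added diagnostic example; not code from the original post.
// Assumption: the claim names the middleware reads. Adjust to your own code.
const EXPECTED_CLAIMS = ['aud', 'iss', 'exp', 'tid', 'oid',
  'preferred_username', 'scp', 'ver'];

// JWT segments are unpadded base64url; Node's 'base64' decoder accepts it.
function decodeSegment(segment) {
  const value = JSON.parse(Buffer.from(segment, 'base64').toString('utf8'));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

// Reports claim NAMES only, so the result can be logged or shared between
// tenants without exposing user data. No signature validation is done here.
function inspectBootstrapToken(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    return { ok: false, reason: `expected 3 JWT segments, got ${parts.length}` };
  }
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, reason: `undecodable segment: ${err.message}` };
  }
  const missing = EXPECTED_CLAIMS.filter((name) => !(name in payload));
  return {
    ok: missing.length === 0,
    alg: header.alg,
    ver: payload.ver,
    present: Object.keys(payload).sort(),
    missing,
  };
}

// Builds an unsigned, constructed sample token for local comparison runs.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ typ: 'JWT', alg: 'RS256' })}.${enc(payload)}.constructed-sig`;
}
```

Running `inspectBootstrapToken` on the token from each tenant and diffing the `present` and `missing` arrays shows which claims differ, and the result is safe to attach to a support request because no claim values other than `ver` are included.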