I want to use refresh tokens inside my Microsoft Office Add-In. From what I can tell, I need to use a Native client in Auth0 in order for the client to retrieve refresh tokens when authenticating users. But from the alternatives when picking to use a Native client - Office addins is not one of them.
Can I use Native client type for my Auth0 client running inside an Office Addin? It’s a browser, but it is inside the Office apps - Microsoft Outlook in my case.
EDIT: As @jmangelo mentioned - Outlook addins can run inside Office for web as well. Judging from that - I guess I can’t run a native client? Can I run separate clients depending on where the addin is running?
I am using the displayDialogAsync method to initialize the OAuth2 flow.
My first reaction would be to say this is native, however, that would be based on my previous experience with Office Addins for Word and Excel which was quite some time ago and I also don’t remember browser engines being involved. With this in mind I went to check the MSDN docs on Office Addins, in particular, for Outlook and the situation seems to be a bit trickier.
From the documentation I mostly got that my first reaction would be correct for COM and VSTO-like addins. However, there seems to be a new breed that is based on JavaScript so the situation takes a turn (a bit for the worse).
For an Outlook add-in, Outlook reads the manifest and hooks up the specified controls in the UI, then loads the JavaScript and HTML. This all executes in the context of a browser in a sandbox.
The scripts are executed in a browser engine in a sandbox so this still seems to hint at native.
However, then the docs on authentication hint at the use of implicit flow, which is not really aimed at native applications.
… your add-in prompts the user to sign-in to the service either by using the displayDialogAsync method to initialize the OAuth2 flow, or by using the office-js-helpers library to the OAuth2 Implicit flow.
In addition, I’m a bit unsure, but it seems these addins would also be able to run in Outlook Web and not just Outlook desktop so if that’s so it would muddy the waters even further. In conclusion, if these would run only in a “browser” engine sandbox in the end-user machine then it should be native; something akin to Electron. However, the specifics for Outlook addins may mean this needs to be handled differently. Given you already worked with these addins you may want to consider updating the question with additional context information, for example, how the addins can be executed (desktop only, embedded in the Outlook web application, etc).
I’m now using Auth0-js v9 checkSession to do automatic SSO in our Outlook addin which seems to do the trick.
However, would it be possible to have two different flows where a Native client is used when the addin is running inside Outlook for desktop and a SPA client is used when the addin is running on the web?
Still struggling with this - having clients complain about having to log in all the time… I’m using silentAuth - so what could be the reason the session is terminated?