
NAA - brk-multihub domain security implications #5245

Closed
malnoxon opened this issue Jan 6, 2025 · 2 comments
Labels
Resolution: question answered Question is answered by engineering team. Type: programming question How-to question that should be posted to Microsoft Q&A

Comments

@malnoxon

malnoxon commented Jan 6, 2025

I'm having trouble wrapping my head around the security implications of the new brk-multihub://www.mydomain.com SPA redirect URI needed for NAA.

Say we host our add-in code on some shared service, so while https://company1.mydomain.com/auth.html is guaranteed to be owned by us, https://company2.mydomain.com/otherpath.html may not be. Would adding brk-multihub://www.mydomain.com as an SPA redirect URI open us up to security risks from other users of the shared domain? (My assumption is that the answer is yes, but I'm struggling to understand exactly what they would be and would like to understand better before we do the work to move our code to a domain we fully control.)

@guodd1

guodd1 commented Jan 7, 2025

Thank you for reaching out regarding the security implications of the brk-multihub://www.mydomain.com redirect URI.

Office Add-ins are standard web applications, and we are not security experts. As such, we are unable to provide guidance on the security design or risk assessment of your implementation. We recommend consulting your organization’s security team or a security specialist to evaluate your specific scenario and ensure it adheres to best practices.

If you encounter any issues directly related to the Office JS APIs or platform functionality, feel free to reach out, and we’ll be happy to assist.

Best regards,

@RuizhiSunMS RuizhiSunMS reopened this Jan 7, 2025
@guoms1 guoms1 added the Resolution: question answered Question is answered by engineering team. label Jan 9, 2025
@davidchesnut
Member

Hi @malnoxon,

The brk-multihub is an exact match and does not support wildcards. So if you use brk-multihub://www.mydomain.com then https://company1.mydomain.com would not be allowed to acquire tokens.

Cheers,
David
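David's exact-match point, made concrete as an added Python illustration (not code from the thread or from Microsoft's broker): it derives the brk-multihub form of the page hosting an add-in, checks it against the registered SPA redirect URIs with exact matching, and shows beside it the suffix-match rule the question worried about. The derivation rule, the localhost exception and the registered list are assumptions.

```python
from urllib.parse import urlsplit

# Constructed example: the SPA redirect URIs registered on the app registration.
# The questioner is considering registering exactly this one entry.
REGISTERED_REDIRECT_URIS = frozenset({"brk-multihub://www.mydomain.com"})


def brk_multihub_for_page(page_url: str) -> str:
    """Map the page that hosts the add-in to its brk-multihub form.

    Assumption (illustrative rule, not Microsoft's implementation): the broker
    keys on the page's host, keeping an explicit port when present, and ignores
    path, query and fragment. Add-ins are served over https; plain http is
    accepted here only for localhost development.
    """
    parts = urlsplit(page_url)
    is_local_dev = parts.scheme == "http" and parts.hostname == "localhost"
    if parts.scheme != "https" and not is_local_dev:
        raise ValueError(f"add-in page must be served over https: {page_url}")
    if not parts.hostname:
        raise ValueError(f"page URL has no host: {page_url}")
    host = parts.hostname  # urlsplit already lower-cases the host name
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"brk-multihub://{host}"


def redirect_allowed(page_url: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match rule, as in the answer above: the derived URI must equal a
    registered entry exactly. No wildcards and no suffix matching, so a sibling
    subdomain on a shared host never matches."""
    return brk_multihub_for_page(page_url) in registered


def redirect_allowed_suffix_match(page_url: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """The permissive rule the question worried about: a registered host is
    treated as covering every subdomain under its parent domain. Included only
    to make the risk visible; an unrelated tenant on the shared domain passes."""
    derived_host = brk_multihub_for_page(page_url).removeprefix("brk-multihub://")
    for entry in registered:
        registered_host = entry.removeprefix("brk-multihub://")
        parent = registered_host.removeprefix("www.")
        if derived_host == registered_host or derived_host.endswith("." + parent):
            return True
    return False
```

Under the exact-match rule, company1 and company2 are both refused, which is the outcome David describes; only the suffix-match variant admits the shared-domain neighbour.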
