I'm looking for the correct, secure way to store credentials for a third party API in an Outlook add-in. This overview of the different storage options only says not to store credentials in Settings, but not where to put them, so I assumed the RoamingSettings would be okay. Then I ran into this page with information about RoamingSettings, where it says that is not the right location either.
The question then becomes: What is the right place? Should I build my own storage solution and store/encrypt the credentials in a file or cookie? That does not feel very secure either, since we are talking about what is basically a web app running in an iframe.
Click Start, click Control Panel, and then click Credential Manager. If View by is set to Category, click User Accounts first, and then click Credential Manager. Locate the set of credentials that has Outlook in the name.
Open Outlook, and on the File tab, choose Account Settings > Account Settings. On the Data Files tab, choose the Outlook Data File (.pst) for which you want to create or change a password, and then choose Settings. Choose Change password.
You may find the Outlook Add-in logs in the following folder where <username> is the name of your system account: C:\Users\<username>\AppData\Local\Programs\Aspera\Add-In for Microsoft Outlook.
In Outlook, click Get Add-ins from the Home tab on the ribbon. You can also select File > Manage Add-ins, which will take you to Outlook on the web and open the Add-Ins for Outlook dialog there. From the Add-Ins dialog, type the name of the add-in you want to add to Outlook. For example, Webex, Giphy, or Salesforce.
I assume you cannot implement another authorization scheme (token based, cookies etc.) for your API and you are stuck with Basic Authentication and its issues. If you are using ASP.NET, with all the samples available it could be very easy to add another authentication scheme that is more adapted to web clients (such as Office web add-ins).
Having said that, for me your best option is to use HTML5 storage or cookie storage (if not implemented by browser) to store your credentials.
The fact that the app is iFramed is not really a big deal. Those storages (HTML5: sessionStorage/localStorage) rely on domain separation, which means that the storage slots where you will put the credentials will not be visible to other apps, even those living on the parent iFrame.
You may also consider the fact that you may serve the web add-ins and the apis from the same domain. They are both web applications!
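An added example, not part of the original answer: a small model of how browsers key Web Storage by origin (scheme, host and port), built on the standard `URL` API, showing which pages would share a storage area with an iframed add-in. The `PartitionedStorage` class, the key name and all hostnames are constructed for illustration.

```javascript
// Model of origin-keyed Web Storage. Real browsers do this internally;
// the class and every hostname below are constructed for illustration.

function storageOrigin(url) {
  // origin = scheme + host + port (default ports are normalized away)
  return new URL(url).origin;
}

class PartitionedStorage {
  constructor() { this.areas = new Map(); }   // origin -> Map of key/value
  areaFor(pageUrl) {
    const origin = storageOrigin(pageUrl);
    if (!this.areas.has(origin)) this.areas.set(origin, new Map());
    return this.areas.get(origin);
  }
  setItem(pageUrl, key, value) { this.areaFor(pageUrl).set(key, String(value)); }
  getItem(pageUrl, key) {
    const v = this.areaFor(pageUrl).get(key);
    return v === undefined ? null : v;        // same contract as Storage.getItem
  }
}

// Constructed URLs: the mail client page hosting the iframe, and the add-in.
const HOST_PAGE = "https://outlook.office.example/mail/";
const ADDIN = "https://addin.contoso.example/taskpane.html";
const ADDIN_OTHER_PAGE = "https://addin.contoso.example:443/settings.html";
const API_SUBDOMAIN = "https://api.contoso.example/v1/";
const ADDIN_HTTP = "http://addin.contoso.example/taskpane.html";

function demo() {
  const browser = new PartitionedStorage();
  browser.setItem(ADDIN, "apiToken", "constructed-sample-token");
  return {
    otherAddinPage: browser.getItem(ADDIN_OTHER_PAGE, "apiToken"), // same origin
    parentFrame: browser.getItem(HOST_PAGE, "apiToken"),           // different host
    apiSubdomain: browser.getItem(API_SUBDOMAIN, "apiToken"),      // different host
    plainHttp: browser.getItem(ADDIN_HTTP, "apiToken"),            // different scheme
  };
}

console.log(demo());
```

The separation is per origin rather than per domain, so a sibling subdomain or the plain-HTTP variant of the same host gets its own storage area. Any script running in the add-in's own origin reads the same area, so a stored value is only as protected as the add-in's pages are against script injection.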