The Xakia authentication system implements OpenID Connect (and OAuth 2) standards. The Outlook add-in and main application implement an Authorization Code flow with PKCE.
From a user’s perspective, the following occurs:
1. The user opens the App/Outlook add-in.
2. If the user is not authenticated, the auth flow begins, redirecting the user to the Xakia global auth service.
3. The user enters their email, and the global auth service performs realm discovery to determine the IdP for that user.
4. The user is redirected to the downstream IdP, where they authenticate.
5. Upon successful authentication, the IdP calls back to the Xakia global auth service, which issues a token.
6. A callback to the App/Outlook add-in then completes the auth flow with the bearer token.
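The steps above describe an Authorization Code flow with PKCE. The following is an added example, not Xakia's code, that models the two halves of that exchange: the public client (the SPA or add-in) generating a PKCE code verifier and S256 challenge, and a toy authorization server that binds the issued code to the challenge, rejects a token request whose verifier does not match, and refuses a replayed code. The client id, redirect URI and endpoint shapes are constructed for the example and are not Xakia's.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = base64url(SHA-256(ASCII(verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    used: bool = False


class AuthServer:
    """Toy model of the global auth service (constructed for this example)."""

    def __init__(self):
        self._codes: dict[str, PendingCode] = {}

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state):
        # Only the hashed method is accepted; "plain" would let a leaked challenge act as a verifier.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = PendingCode(client_id, redirect_uri, code_challenge)
        # The redirect back to the client carries the code and the client's state unchanged.
        return {"code": code, "state": state}

    def token(self, client_id, redirect_uri, code, code_verifier):
        pending = self._codes.get(code)
        if pending is None or pending.used:
            raise PermissionError("unknown or already-used code")
        pending.used = True  # a code is single-use regardless of the outcome below
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise PermissionError("client_id/redirect_uri mismatch")
        expected = pending.code_challenge
        actual = make_code_challenge(code_verifier)
        if not secrets.compare_digest(expected, actual):
            raise PermissionError("PKCE verification failed")
        return {"access_token": "tok-" + b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def run_flow(server, attacker_swaps_verifier=False):
    """Client side of the flow. Hypothetical client id and redirect URI."""
    client_id = "example-spa"
    redirect_uri = "https://app.example.test/callback"
    verifier = make_code_verifier()          # kept in the client, never sent in the front channel
    challenge = make_code_challenge(verifier)  # sent in the authorization request
    state = b64url(secrets.token_bytes(16))
    cb = server.authorize(client_id, redirect_uri, challenge, "S256", state)
    if not secrets.compare_digest(cb["state"], state):
        raise PermissionError("state mismatch on callback")
    # Simulate a party that captured the code but not the verifier.
    presented = make_code_verifier() if attacker_swaps_verifier else verifier
    return server.token(client_id, redirect_uri, cb["code"], presented)


if __name__ == "__main__":
    srv = AuthServer()
    print(run_flow(srv))
    try:
        run_flow(srv, attacker_swaps_verifier=True)
    except PermissionError as exc:
        print("rejected as expected:", exc)
```

The check that matters is in `token()`: because the server stores only the challenge and the client only ever transmits the verifier over the back channel at redemption time, a code intercepted on the front-channel redirect cannot be exchanged without the verifier, and the `used` flag closes the replay case.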
Xakia implements all the standard security mechanisms recommended for SPAs, such as CORS and a Content Security Policy.