OAuth 2.0 with Dynamics 365 CE Web API


OAuth can be defined as delegation or authorization protocol.

The resource owner who owns the resource is allowing an application to access that resource on their behalf without impersonating the resource owner.

The application first requests for the authorization from the resource owner and receives the token using which it can access the resource.

Here the token specifies the delegated rights that the client application will have.

Below are the main components that are involved in OAuth.

Resource Owner

In most of the cases it is the user who has access and can delegate access to the Web API. In Dynamics CRM context it can be the CRM User.

Protected Resource

Web API of Dynamics 365 CE

Authorization Server

Trusted by protected resource (Dynamics CRM) to issue Access Tokens to Clients, which the client can then use to access protected resource (Web API). Azure Active Directory (Azure AD) in this case. Resource Owner authenticates to the Authorization server, so the credentials are not exposed to the client.

Client

3rd party application that wants to use the Dynamics 365 Web API on behalf of the Resource Owner (CRM User).

There are several different kinds of grant type or flow that exist in OAuth for getting the access token.

  • OAuth 2.0 Authorization Grant Type

The below image wonderfully explains it in the context of Dynamic 365 Customer Engagement.

  • The resource owner (CRM User) opens the Client Application in the User Agent (Browser)
  • Client Application asks the resource owner to authorize at the authorization server.
  • Resource Owner authenticates and grants authorization to the Client. Authorization server gives authorization code to the Client.
  • Client uses this authorization code along with its own credentials to request access token from authorization server.
  • Client receives the access token that it uses to use the protected resource i.e. Web API.

As the user’s authenticates using his credentials with the authorization server, this information is not accessible to the client application, thus protecting user from sharing the credentials with the Client Application. Along with Access Token, we have Scope in OAuth 2.0 basically set of rights for the protected resource, which provides the mechanism for limiting the access granted to the client application. Also Refresh Token which is to be used when the access token has expired or stopped working. Client asks for the Refresh token from the Authorization Server and then uses this new token to access the protected resource.

Check out the below blog post for further details

https://nishantrana.me/2019/08/25/connect-to-dynamics-365-web-api-using-oauth-2-0-authorization-code-grant-type/

  • Implicit Grant Type

Implicit Grant Type is for the client applications that can’t keep any secrets from the browser, a JavaScript Application running completely inside the browser. So instead of authorization code, in implicit grant, the authorization server returns the access token.

Few limitations of this flow are first it can’t keep the secret as it will be available to the browser, also this flow cannot be used to get the refresh token as the session is limited to the browser context.

  • The client sends the request with request_type as token (instead of code in case of Authorization Grant) to the Authorization Endpoint of the Authorization Server.
  • The resource owner authenticates and authorizes the client.
  • The authorization server generates the token, attaching it to URI fragment of the response.

https://nishantrana.me/2019/08/27/connect-to-dynamics-365-web-api-using-oauth-2-0-implicit-grant-type-through-postman/

https://nishantrana.me/2019/08/28/connect-to-dynamics-365-web-api-using-oauth-2-0-implicit-grant-type-through-single-page-apps/

  • Client Credentials Grant Type

Client Credentials Grant Type is for scenario when we do not have any explicit resource owner (or user) like a back-end system or CRON job running on the server. As there is no user involved to delegate the authorization, client acts as the resource owner.

  1. The client application requests the access token directly from the token endpoint of the Authorization Server with grant_type as client_credentials.
  2. The authorization server issues the access token to the client.

https://nishantrana.me/2019/08/24/connect-to-dynamics-365-web-api-using-oauth-2-0-client-credentials/

  • Resource owner credentials grant type
  1. The client application prompts Resource Owner for username and password.
  2. Client application uses this information to request access token (with grant_type as password) from the Token Endpoint of the Authorization Server.

Here the disadvantages are that the credentials are exposed to the client application, and also the same is passed in plain text to the authorization server. This grant type is only recommended to be used for the legacy applications to bring them into the OAuth world, wherein they can work with access token, scopes etc. One good thing about this flow is that the password is exchanged only first time when requesting the access tokens, instead of every request.

https://nishantrana.me/2019/08/23/connect-to-dynamics-365-web-api-using-oauth-2-0-resource-owner-password-credential-ropc/

Decision Tree for the choosing the right grant type

Recommend read –

https://auth0.com/docs/api-auth/which-oauth-flow-to-use

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios#scenarios-and-supported-authentication-flows

https://debajmecrm.com/?s=oauth

Hope it helps..

Advertisements

Author: Nishant Rana

I love working in and sharing everything about Microsoft.NET technology !

8 thoughts on “OAuth 2.0 with Dynamics 365 CE Web API”

  1. Pingback: OAuth 2.0 with Dynamics 365 CE Web API - 365 Community
  2. Pingback: Connect to Dynamics 365 Web API using OAuth 2.0 – Authorization Code Grant Type – Nishant Rana's Weblog
  3. Pingback: An error occurred when processing the security tokens in the message:You are using Ws-Tust authentication which has been deprecated and no longer supported in your environment. Please use oAuth2.0 authentication in Dynamics 365 / CDS – Nishant Rana&
  4. Pingback: An error occurred when processing the security tokens in the message:You are using Ws-Tust authentication which has been deprecated and no longer supported in your environment. Please use oAuth2.0 authentication in Dynamics 365 / CDS ERP for Hong Kong SME
  5. Pingback: An error occurred when processing the security tokens in the message:You are using Ws-Tust authentication which has been deprecated and no longer supported in your environment. Please use oAuth2.0 authentication in Dynamics 365 / CDS – Nishant Rana&
  6. Pingback: Connect to Dynamics 365 Web API using OAuth 2.0 – Client Credentials – Nishant Rana's Weblog
  7. Pingback: An error occurred when processing the security tokens in the message:You are using Ws-Tust authentication which has been deprecated and no longer supported in your environment. Please use oAuth2.0 authentication in Dynamics 365 / CDS – Nishant Rana&
  8. Pingback: Fixed – An error occurred when processing the security tokens in the message:You are using Ws-Tust authentication which has been deprecated and no longer supported in your environment. Please use oAuth2.0 authentication in Dynamics 365 / CDS –

Please share your thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Power Spark

Power Spark By Shrangarika

Van Carl Nguyen

Exploration of Power Platform

My Trial

It is my experience timeline.

Power⚡Thomas

Sharing my knowledge and experience about the Microsoft Power Platform.

Arpit Power Guide

a guide to powering up community

Welcome to the Blog of Paul Andrew

Sponsored by Cloud Formations Ltd

Deriving Dynamics 365

Deriving Solutions and features on Power Platform/Dynamics 365

The CRM Ninja

Thoughts & musings from a Dynamics 365 Ninja!

buycrm.shop

D CRM Explorer

Learn about Microsoft Dynamics CRM Power Platform customization and implementation and other cool stuffs

Stroke // Jonas Rapp

I know pre-stroke. I will improve who I was.

Microsoft Dynamics CRM / 365

Balu Gajjala

Power Melange

Power Melange By Shalinee

Clavin's Blog

Power Automate - Power Apps - SharePoint Online - Azure - Nintex - K2 - Artificial Intelligence

Sat Sangha Salon

An Inquiry in Being

The Indoencers

The Influencers & Influences of Indian Music

Lets think Innovative

Kokulan's Blog

Monika Halan's blog

Hand's-free money management

D365 Demystified

A closer look at Microsoft Dynamics 365.

Microsoft Mate (msftmate) - Andrew Rogers

Experienced consultant primarily focused on Microsoft Dynamics 365 and the Power Platform

Knowhere365

Specific topics by Django Lohn on the whole Microsoft365 Stack

KKIT365

Manmit Rahevar's Blog

One Stop Destination for Microsoft Technology Solutions

MG

Naturally Curious

Microsoft Technologies and D365 Blogs by Prasanna Vadlamudi

Prasanna Vadlamudi

Brian Illand

Power Platform and Dynamics 365

Steve Mordue MVP

A Microsoft Business Applications MVP

Subwoofer 101

Bass defines your home theater

justanotherbuzzword.wordpress.com/

Neel Bhatt

SQLTwins by Nakul Vachhrajani

SQL Server tips and experiences dedicated to my twin daughters.

Codemender

Everything D365

Discovering Azure DevOps and D365 Business Applications

Tech Wizard

Lets do IT Spells

Jan Kodet

Minh Trung 's Weblog

stoovo

twobitetips.com/

Regina Properties For Sale | Russ Parry REALTOR® | RE/MAX Crown Real Estate

Russ Parry REALTOR®

mobiupdates.com

XRM Tricks (Power Platform & Dynamics CRM )

Power Platform & Dynamics CRM

CRM TIPS BY PRM

Mail to crmtipsbyprm@gmail.com for queries and suggestions

Microsoft Dynamics CRM Blog

nijos.dev

Giving back to the community what I have learned

Power Platform Learning

Learn and Share

xrm CRM Dynamics

Dynamics CRM Technical & Functional Info

SharePoint and other geeky stuff

Dynamics 365 Blogs - Explained in unique way

Sometimes you need to look at things from different perspective.

CRM Keeper

Dynamics 365 Customer Engagement, CRM, Microsoft CRM, Dynamics CRM