OAuth 2.0 with Dynamics 365 CE Web API


OAuth can be defined as delegation or authorization protocol.

The resource owner who owns the resource is allowing an application to access that resource on their behalf without impersonating the resource owner.

The application first requests for the authorization from the resource owner and receives the token using which it can access the resource.

Here the token specifies the delegated rights that the client application will have.

Below are the main components that are involved in OAuth.

Resource Owner

In most of the cases it is the user who has access and can delegate access to the Web API. In Dynamics CRM context it can be the CRM User.

Protected Resource

Web API of Dynamics 365 CE

Authorization Server

Trusted by protected resource (Dynamics CRM) to issue Access Tokens to Clients, which the client can then use to access protected resource (Web API). Azure Active Directory (Azure AD) in this case. Resource Owner authenticates to the Authorization server, so the credentials are not exposed to the client.

Client

3rd party application that wants to use the Dynamics 365 Web API on behalf of the Resource Owner (CRM User).

There are several different kinds of grant type or flow that exist in OAuth for getting the access token.

  • OAuth 2.0 Authorization Grant Type

The below image wonderfully explains it in the context of Dynamic 365 Customer Engagement.

  • The resource owner (CRM User) opens the Client Application in the User Agent (Browser)
  • Client Application asks the resource owner to authorize at the authorization server.
  • Resource Owner authenticates and grants authorization to the Client. Authorization server gives authorization code to the Client.
  • Client uses this authorization code along with its own credentials to request access token from authorization server.
  • Client receives the access token that it uses to use the protected resource i.e. Web API.

As the user’s authenticates using his credentials with the authorization server, this information is not accessible to the client application, thus protecting user from sharing the credentials with the Client Application. Along with Access Token, we have Scope in OAuth 2.0 basically set of rights for the protected resource, which provides the mechanism for limiting the access granted to the client application. Also Refresh Token which is to be used when the access token has expired or stopped working. Client asks for the Refresh token from the Authorization Server and then uses this new token to access the protected resource.

Check out the below blog post for further details

https://nishantrana.me/2019/08/25/connect-to-dynamics-365-web-api-using-oauth-2-0-authorization-code-grant-type/

  • Implicit Grant Type

Implicit Grant Type is for the client applications that can’t keep any secrets from the browser, a JavaScript Application running completely inside the browser. So instead of authorization code, in implicit grant, the authorization server returns the access token.

Few limitations of this flow are first it can’t keep the secret as it will be available to the browser, also this flow cannot be used to get the refresh token as the session is limited to the browser context.

  • The client sends the request with request_type as token (instead of code in case of Authorization Grant) to the Authorization Endpoint of the Authorization Server.
  • The resource owner authenticates and authorizes the client.
  • The authorization server generates the token, attaching it to URI fragment of the response.

https://nishantrana.me/2019/08/27/connect-to-dynamics-365-web-api-using-oauth-2-0-implicit-grant-type-through-postman/

https://nishantrana.me/2019/08/28/connect-to-dynamics-365-web-api-using-oauth-2-0-implicit-grant-type-through-single-page-apps/

  • Client Credentials Grant Type

Client Credentials Grant Type is for scenario when we do not have any explicit resource owner (or user) like a back-end system or CRON job running on the server. As there is no user involved to delegate the authorization, client acts as the resource owner.

  1. The client application requests the access token directly from the token endpoint of the Authorization Server with grant_type as client_credentials.
  2. The authorization server issues the access token to the client.

https://nishantrana.me/2019/08/24/connect-to-dynamics-365-web-api-using-oauth-2-0-client-credentials/

  • Resource owner credentials grant type
  1. The client application prompts Resource Owner for username and password.
  2. Client application uses this information to request access token (with grant_type as password) from the Token Endpoint of the Authorization Server.

Here the disadvantages are that the credentials are exposed to the client application, and also the same is passed in plain text to the authorization server. This grant type is only recommended to be used for the legacy applications to bring them into the OAuth world, wherein they can work with access token, scopes etc. One good thing about this flow is that the password is exchanged only first time when requesting the access tokens, instead of every request.

https://nishantrana.me/2019/08/23/connect-to-dynamics-365-web-api-using-oauth-2-0-resource-owner-password-credential-ropc/

Decision Tree for the choosing the right grant type

Recommend read –

https://auth0.com/docs/api-auth/which-oauth-flow-to-use

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios#scenarios-and-supported-authentication-flows

https://debajmecrm.com/?s=oauth

Hope it helps..

Advertisements

Author: Nishant Rana

I love working in and sharing everything about Microsoft.NET technology !

8 thoughts on “OAuth 2.0 with Dynamics 365 CE Web API”

Please share your thoughts

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CRM for You and Me

Customer Relationship Mgt App for the Professional

D CRM Explorer

Learn about Microsoft Dynamics CRM Power Platform customization and implementation and other cool stuffs

Stroke // Jonas Rapp

I know pre-stroke. I will improve who I was.

Power Melange

Power Melange By Shalinee

Clavin's Blog

Power Automate - Power Apps - SharePoint Online - Azure - Nintex - K2 - Artificial Intelligence

Sat Sangha Salon

An Inquiry in Being

The Indoencers

The Influencers & Influences of Indian Music

Monika Halan's blog

Hand's-free money management

D365 Demystified

A closer look at Microsoft Dynamics 365.

Microsoft Mate (msftmate) - Andrew Rogers

Experienced consultant primarily focused on Microsoft Dynamics 365 and the Power Platform

Knowhere365

Specific topics by Django Lohn on the whole Microsoft365 Stack

Manmit Rahevar's Blog

One Stop Destination for Microsoft Technology Solutions

MG

Naturally Curious

Brian Illand

Power Platform and Dynamics 365

Steve Mordue MVP

A Microsoft Business Applications MVP

Subwoofer 101

Bass defines your home theater

SQLTwins by Nakul Vachhrajani

SQL Server tips and experiences dedicated to my twin daughters.

Everything D365

Discovering Azure DevOps and D365 Business Applications

Tech Wizard

Lets do IT Spells

Two Bite Tips

Valuable Tips To Grow Your Business

XRM Tricks (Power Platform & Dynamics CRM )

Power Platform & Dynamics CRM

CRM TIPS BY PRM

Mail to crmtipsbyprm@gmail.com for queries and suggestions

nijos.dev

Giving back to the community what I have learned

xrm CRM Dynamics

Dynamics CRM Technical & Functional Info

Dynamics 365 Blogs - Explained in unique way

Sometimes you need to look at things from different perspective.

CRM Keeper

Dynamics 365 Customer Engagement, CRM, Microsoft CRM, Dynamics CRM

EVOLVED365

Step into the world of a Dynamics 365 Consultant

Dianamics PCF Lady

Diana & Dynamics 365 & Power Platform

Sara Lagerquist

No Code Customization Concepts

innovativeaj

developer, designer, writer, fun loving, patriotic, humble and a sweet person inside out :) love and respect people who have a great sense of humor.

Temmy Wahyu Raharjo

Dreaming to be a clean coder and TDD minded programmer.

Transform 365

We blog about problems we face and code we write to help others

%d bloggers like this: