OAuth 2.0 with Dynamics 365 CE Web API

OAuth can be defined as delegation or authorization protocol.

The resource owner who owns the resource is allowing an application to access that resource on their behalf without impersonating the resource owner.

The application first requests for the authorization from the resource owner and receives the token using which it can access the resource.

Here the token specifies the delegated rights that the client application will have.

Below are the main components that are involved in OAuth.

Resource Owner

In most of the cases it is the user who has access and can delegate access to the Web API. In Dynamics CRM context it can be the CRM User.

Protected Resource

Web API of Dynamics 365 CE

Authorization Server

Trusted by protected resource (Dynamics CRM) to issue Access Tokens to Clients, which the client can then use to access protected resource (Web API). Azure Active Directory (Azure AD) in this case. Resource Owner authenticates to the Authorization server, so the credentials are not exposed to the client.


3rd party application that wants to use the Dynamics 365 Web API on behalf of the Resource Owner (CRM User).

There are several different kinds of grant type or flow that exist in OAuth for getting the access token.

  • OAuth 2.0 Authorization Grant Type

The below image wonderfully explains it in the context of Dynamic 365 Customer Engagement.

  • The resource owner (CRM User) opens the Client Application in the User Agent (Browser)
  • Client Application asks the resource owner to authorize at the authorization server.
  • Resource Owner authenticates and grants authorization to the Client. Authorization server gives authorization code to the Client.
  • Client uses this authorization code along with its own credentials to request access token from authorization server.
  • Client receives the access token that it uses to use the protected resource i.e. Web API.

As the user’s authenticates using his credentials with the authorization server, this information is not accessible to the client application, thus protecting user from sharing the credentials with the Client Application. Along with Access Token, we have Scope in OAuth 2.0 basically set of rights for the protected resource, which provides the mechanism for limiting the access granted to the client application. Also Refresh Token which is to be used when the access token has expired or stopped working. Client asks for the Refresh token from the Authorization Server and then uses this new token to access the protected resource.

Check out the below blog post for further details


  • Implicit Grant Type

Implicit Grant Type is for the client applications that can’t keep any secrets from the browser, a JavaScript Application running completely inside the browser. So instead of authorization code, in implicit grant, the authorization server returns the access token.

Few limitations of this flow are first it can’t keep the secret as it will be available to the browser, also this flow cannot be used to get the refresh token as the session is limited to the browser context.

  • The client sends the request with request_type as token (instead of code in case of Authorization Grant) to the Authorization Endpoint of the Authorization Server.
  • The resource owner authenticates and authorizes the client.
  • The authorization server generates the token, attaching it to URI fragment of the response.



  • Client Credentials Grant Type

Client Credentials Grant Type is for scenario when we do not have any explicit resource owner (or user) like a back-end system or CRON job running on the server. As there is no user involved to delegate the authorization, client acts as the resource owner.

  1. The client application requests the access token directly from the token endpoint of the Authorization Server with grant_type as client_credentials.
  2. The authorization server issues the access token to the client.


  • Resource owner credentials grant type
  1. The client application prompts Resource Owner for username and password.
  2. Client application uses this information to request access token (with grant_type as password) from the Token Endpoint of the Authorization Server.

Here the disadvantages are that the credentials are exposed to the client application, and also the same is passed in plain text to the authorization server. This grant type is only recommended to be used for the legacy applications to bring them into the OAuth world, wherein they can work with access token, scopes etc. One good thing about this flow is that the password is exchanged only first time when requesting the access tokens, instead of every request.


Decision Tree for the choosing the right grant type

Recommend read –




Hope it helps..

Connect to Dynamics 365 Web API using OAuth 2.0 – Implicit Grant Type (through Postman)

In the previous post we covered below grant type

here we’d be looking at the Implicit Grant Type.

Implicit Grant Type is for the “Public Clients”, client application that cannot keep the Client Secret, HTML or Angular app that communicates from the browser (through JavaScript) and have no server involved, therefore used for Single Page Application (SPA).

Instead of getting the authorization code from the Authorization Server like in case of Authorization Grant and then using the authorization code (along with Client Secret) to get the access token. In case of Implicit Grant, the client application directly requests for the access token from the Authorization Endpoint.

We need to pass the below details

response_type token
client_id Application ID
redirect_uri http://%5Blocalhost%5D

to the Authorization URL à


The redirect_uri must match against the one registered, this way the Authorization Server, makes sure that there are no unauthorized client applications requesting the token.

Some of the drawbacks are that the Access Tokens are exposed to resource owner in the URL and also there is no validation that the access token is meant for that particular client.

To get started à

Register your application with the Azure Active Directory tenant. Copy the Client Id.

For Redirect URI we will set the URL of the single page application which we will be developing later. So specify any valid URL there.

Enable the application for the Implicit Flow by setting oauth2AllowImplicitFlow as true from Manifest of the application.

Or from the Authentication section.

From Postman à

Go to Authorization tab and click on Get New Access Token button

Specify Grant Type as implicit, along with CallBack Url i.e. redirect_uri and the client id.

Here for the Auth URL, we should have the resource query parameter specified in the Authorization Endpoint which refers to our Dynamics CE Organization.


Click on Request Token to get the access token.

Inside Fiddler: We’d see the following parameter being passed to the authorization endpoint.

Clicking on Request Token will open the popup for us to login and provide the consent.

The access token à

Let us try changing the Callback Url and send the request again

We’d get the below error

As was mentioned earlier –

The redirect_uri must match against the one registered in the application, this way the Authorization Server, makes sure that there are no unauthorized client applications requesting the token.

Hope it helps..