Is it possible to send user access token from Dynamics 365 online? - azure

We are about to use Dynamics 365 CRM online and we are new in this area.
...User is logged in using SSO.
Now to my questions...
Alternative 1
Our solution architect want us to use a LogicApp, triggered by create/update on the contact entity, to pick up the loggedin users user access token and send it as Authorization header with the call to our onprem rest service.
As far as I can see this is not possible as the LogicApp is running in its own process (kind of as a windows service). Am I wrong?
We have been looking into other different options instead;
Alternative 2
We have been looking at using a Plugin but fails to get hold of the user access token. It is possible, though, to get hold of the application access token but that is not good enough for my client. Is it even possible? If possible, does anyone have an example of how it is done?
Alternative 3
We have been looking at using Javascript to trigger a LogicApp using HTTP request but fails on CORS. Would the user access token magically be sent with the call? Is it even possible? If possible, does anyone have an example of how it is done?
Alternative 4
We have been looking at using JavaScript but fails to get hold of the user access token. Is it even possible to do? If possible, does anyone have an example of how it is done?
We know how to get the user access token in a console application after logging in with SSO. And we know how to get the user access token in an ASPNET MVC application. But now... this is Dynamics 365 CRM online.
We need the user access token because we want the user information to be sent to API.
Are there any other options? We have been looking into this for a week or so...

In case there is anyone else that is looking into picking up the users access token from D365 online to send it along with calls to an onprem rest service I can now confirm that it is not possible (at least not for the moment).
Also, I have found out that what my customer really want to do is a mix of authentication/authorization and tracing.

Could you give a try by including powerapp which will call onpremAPI

Related

Graph API - Automate Getting Emails (Delegated Permissions)

I'm developing a background application (no user interaction will be possible) and I want to automate getting all emails from certain mail boxes using the Graph API. I am facing some issues though:
If I use application permissions I get access to every mailbox in the organization which is not a good solution. Is it possible to limit the access to certain mailboxes? We are using On-premise Exchange and not Exchange Online so this link is not relevant (https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access).
It I use delegated permissions the app will need user interaction (as far as I can tell) but that will not be possible as it should run in the background. I am looking at the different flows for authentication but none of them really fit my need. Maybe it can be done with the Refresh Token Flow but it seems vulnerable. Is it possible to use delegated permissions without user interaction? If yes, what is the best approach?
Best regards
J
First, you couldn't use delegated permissions without user. Delegated permissions are used by apps that have a signed-in user present.
It seems Resource Owner Password Credentials(ropc) flow which allows an application to sign in the user by directly handling their password is the best choice for you. But it carries risks, please see the Important in the article to make sure you can use it. You should only use this flow when other more secure flows can't be used.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=<client_id>
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername#myTenant.onmicrosoft.com
&password=<password>
&grant_type=password

Azure AD: Can I use an Authorization Code token to request an access token from a web service?

So, this is kind of related to the question here: How to enable CORS in an Azure App Registration when used in an OAuth Authorization Flow with PKCE?
I want to implement OAuth 2 for our single page JavaScript applications written in ExtJS.
The server-side is written in .NET (4.6.2 currently) and has both JSON services used by the UI (implementing Ext.Direct) and SOAP services used for client integration.
We currently handle our own authentication which works quite similarly to the authorization code flow really. We login with a client id, username and password to get a token generation token (TGT), and then use this to request a short-lived product service token (PST). Requesting a PST extends the life of the TGT. When the TGT expires the user has to re-authenticate.
For the OAuth 2 route I obviously would like the user interface to direct people at the login page for Azure, the user to login there, with whatever MFA they may require, and then come back to the UI as a known user.
I'm not bothered where I go for the product service token, although I think it makes sense to go to Azure if possible, since ultimately we'd like to move everyone in that direction I suspect.
So, I have wrapped some of the code above in an ExtJS class, and managed to retrieve a valid authorization token. So far so good.
When I then attempt to request an access token I hit the same issue with CORS that the poster of that question did.
I just cannot see how anyone can be using the Authorization Code with PKCE flow with Azure at the moment, since your application will never be hosted on the same domain used for login surely?!
Anyway. I'm wondering about my options.
I'm wondering now if I can post the authorization code that gets passed back to the UI (with the PKCE code perhaps) up to the web services and get the web services to handle the communication with Azure for the access tokens.
Does that stand more chance of success, or am I just going to hit the same problem there?
Implicit Flow is not an option. None of our clients will accept that.
What other options are there?
Is there a purely server-side to Azure option that I should be using, and worry about the UI afterwards?
Struggling to see a way forward!
Would appreciate any insights you may have.
Cheers,
Westy
Okay, after days of banging my head against the stupidity of Azure's implementation I stumbled upon a little hidden nugget of information here: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser#prerequisites
If you change the type of the redirectUri in the manifest from 'Web' to 'Spa' it gives me back an access token! We're in business!
It breaks the UI in Azure, but so be it.
I hope this helps someone else going through similar pain.
I'll also post on the linked thread :)

Scoped application request for Microsoft Graph, in NodeJS

Ive been researching the MS Graph API lately, and I'm running into a problem. My use case is that I want to read a certain mailbox's mail, and send mail for that mailbox. The mailbox is a non user related box, and is used as a service account for emails.
Ive found 2 possible flows for getting into that mailbox. The user authenticated flow, and the application (and admin consented) flow. For the application, I want to read the emails in the background in a NodeJS app, without user interaction.
When I look into the user consented flow, I find that to make it work the user HAS to log in atleast once, by hand, and consent to some stuff I want to do. I found this page, on how this works, and made it work in my NodeJS app. The problem is, when using this flow, I have to login BY HAND atleast once after starting my NodeJS app. Afterwards I can use the refresh token to refresh the access token, but I dont want to do the login by hand.
The second option, and most suitable option for my NodeJS app, is the application flow. I found this tutorial on how to do that, and I made it all work. I fetch a token, and that token grants me access to the box via the Graph API.
But using the application flow, I found that I have to have the roles (i.e.): "User.ReadAll, Mail.Read, Mail.Send". This gives my application rights to read and send mail FOR ALL users in the account.. Which is WAY too much overkill for my situation.
Now my question; Is there a way for me to use MS Graph, with the application authentication flow, but without having access to all users' mailboxes, only to my specific account I want to read?
Thanks in advance,
Caspar
While linking the documentation reference, I saw that I read over the most important footnote:
Important Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.
So it is possible using the application access policies.

I want to build a nodejs REST api to allow only maximum of two devices to have access to an account with same login credentials

For example if i have build a mobile application and using the nodejs REST api for accessing the backend.
I want to restrict the access of the application with same login credentials on a maximum of two devices.
For example me and my friend can have have access to the application with same login credentials but a third friend must not be allowed to have access to the account with same login credentials.
Can it be implemented with some kind of token. Can anyone please help me in understanding the concept to implement this.
Posting as an answer, since it does appear to be a solution.
It can be implemented with a token, but I think it's important here to maintain sessions. Also, you need to keep track of who is connected to what account, and from what device. You'll definitely need unique identifiers, and to know how many logins the account is already utilizing. If a user logs out, remove that device from the list until they login again. Read up on session management. I have had good success using PassportJS for stuff like this :)

OpenID Connect with multiple clients and SSO

I am creating this post after doing quite a lot of research on OpenID Connect myself including reading the specs and the more I read the more questions come up. I hope that someone is able to help me and clear my confusion.
The OpenID Connect specs are good but only contain very basic examples that do not match my usecase. Please let me try to explain my situation and then ask my question:
I try to use OIDC in conjuction with SharePoint Online and two applications. One is a webservice (back-end) that is supposed to interact with SharePoint and the other one is a simple single page application (front-end) running in the browser of the user that allows him to interact with the webservice. My IdentityProvider is Active Directory. The task of the webservice is to do some actions in user context on SharePoint but it is also supposed to allow the user to execute a limited set of actions that only an administrator of SharePoint would be allowed to do (e.g. I want to allow the user to create a SiteCollection but not delete it) For that reason I managed to register the webservice with SharePoint so that it receives a Special access_token which grants it admin access in SharePoint.
My thoughts so far:
1) If the user logs into SharePoint he receives an id_token and an access_token from the AD. He can use the id_token to log to SharePoint and interact with it directly. (I got this working)
2) I also want to authenticate the user in the front-end single page application because some users should not be able to make certain calls to the webservice and I want to hide these buttons from them in my application. For that I could use the id_token from step 1).
3) If my webservice should do something in the context of a user I can just pass the access_token that was created for that given user in step 1) to the webservice and then forward it to SharePoint.
4) If my webservice should execute a privileged function that the user is not allowed to do on his own, I want to use the Special access_token that the webservice already pocesses to make the call. In that case I have to authenticate the user at my webservice with his id_token from step 1) to make sure that I want to allow this request of his.
My question:
Does every client have to make a request for his own id/access_token? (These different flows are described in the OIDC and OAuth specs here and here) and will this still be Single-Sign-On?
Or can I just generate a single id_token and access_token for a user in step 1) and then pass these on to all clients that need them?
Thank you very much in advance!!

Resources