Flowing user credentials from Dynamics CRM to Web API - azure

Is it possible to flow the user credentials from a CRM plug-in to a web API hosted in Azure?
I'm working on a project where a Dynamics CRM plug-in will make a call to a custom ASP.Net Core 2.0 Web API hosted in the same Azure tenant.
I have no Dynamics CRM experience; we have a team member who has done a lot of CRM integration, but he's always used a service account to connect to the other application.
I'm trying to avoid that.
Ideally, this web API would perform some work using the credentials of the CRM user, since the user's credentials will be valid in both CRM and the web API.
I would really like to have the user's credentials (such as email) come from a trusted authority and not just passed by the caller. I already have code that pulls the user's email (for example) from the user's Claims (from another part of the project).
In my perfect scenario, the plug-in code would pass the user's OpenID Connect to the web API; but I've found nothing that indicates that CRM supports OpenID Connect.
I have seen articles that talk about calling CRM from an external application using Oauth, but nothing that shows CRM calling a service with any kind of token-based authentication.
A fallback would be to use an OAuth bearer token, and have the plug-in pass the user's information to the web API.
Does anyone have any information on how to flow the CRM user's credentials to a web API call, or acquiring a bearer token to pass to a web API?
Thanks

Related

Authenticate SharePoint user in external API

I've created a SPFX feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the current logged in SharePoint user to this API, validate them to ensure that the user is actually logged in in SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code with that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in details in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.

Azure AD authentication for multiple domains

I have a cordova application which I am authenticating using azure AD cordova plugin and it all works fine. But now I am integrating services published in another domain and I am unable to authenticate these services using the mobiletoken generated after authentication. Can someone guide me how to secure multiple domain APIs published as Azure web APIs and use token to access the secured APIs.
I have tried to modify the secured settings in azure portal of one of the APIs by including reply URLs for both the APIs
When I include the token in the header of the ajax requests going into 2nd domain endpoints, I just get "unauthorized" error.
It sounds like you're able to get an access token in a Cordova setting and you're having issues accessing multiple web apis after the user has logged in.
The authentication protocol I would suggest you utilize is the on-behalf of flow which is doocumented here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Per the summary :
The OAuth 2.0 On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform, on behalf of the user.
This is to get a new access token with the right audience to gain access to web api 2.

SP Online REST API Issue when uses AZURE Access token

My requirement is described below.
User uploads the document through web-app and document saves in to shared location.
Application service (cron job or server code) , selects the documents and extracts the details.
Cron job send the details to SharePoint rest api which is protected by azure AD. (Oauth protocol)
I have a valid AZURE client ID and Secret ID which has application level access permission. I got access token by using AZURE client ID and Secret ID from AZURE AD with help of simple JAVA code but am getting following error when i call sharepoint online REST service using Oauth access token.
Error : {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
What does it mean? Can anyone help me resolve the issue ?
As SharePoint Online has strict safety standards, authentication for working with REST API consists of three steps:
1.Get the security token from Microsoft authentication portal.
2.Get the cookies from the SharePoint Online server.
3.Get the signature for requests to the SharePoint Online server.
More information is here:
http://www.wave-access.com/public_en/blog/2015/june/23/java-service-integration-with-sharepoint-online-via-rest-api.aspx
Access Office 365 from JAVA, we can use Office 365 SDKs for Java.
https://github.com/OfficeDev/Office-365-SDK-for-Java

Dynamics crm 365 get azure adal authorization code

I have a scenario is one where the user has signed into CRM and triggers some functionality that calls a third party API to retrieve data that is not in CRM.
This API is a registered application in the Same Azure Active Directory as where the CRM resides. CRM single sign on is enabled.
I am trying to find an example of C# code which retrieves the authorization code via a CRM plugin. So far, I have managed to retrieve the token using a client secret as described in this article:
Retrieving token without the ADAL client library
I have implemented a basic call with the parameters defined in this article:
Requesting an Authorization code
But I need to pass the user session to make it work. It currently throws an error
A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).
Any help appreciated.
AFAIK, it is not suitable to interact with Azure AD using the Oauth code grant flow in the Microsoft Dynamics 365 plug-in since it required users interaction. And it is not able to send the session in the Microsoft Dynamics 365 plug-in to authenticate using ADAL library.
If you only want to access the Microsoft Dynamics 365 organization service in the CRM plug-in, there is no need to use the ADAL library to authenticate again.
It is only required that plug-in code create an instance of the service through the ServiceProvider.GetService method.
// Obtain the organization service reference.
IOrganizationServiceFactory serviceFactory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
IOrganizationService service = serviceFactory.CreateOrganizationService(context.UserId);
More detail about context of Microsoft Dynamics 365 Plug-in development, please refer the link below:
Understand the data context passed to a plug-in

Microsoft Dynamics CRM OAuth Integration

I need to integrate my web application (multi-tenant SaaS product) into my users' Dynamics CRM so it can pull their data.
I have learnt that Azure Active Directory apps can take care of such integrations (OAuth) but I cannot figure out how my users can grant my app access to their Dynamics CRM data.
Apparently, every user of mine should create an Azure AD app (with access to their Dynamics CRM account) and then my Azure AD app should be authorised to make requests on behalf of their AD app.
I have no idea how I can make this process work.
Any advice would be much appreciated.
For Dynamics CRM versions 2016 and 365, data can be accessed via the Web API.
When using the Web API by sending, for example, an HTTP GET request, a request header must be present in the format: { 'Authorization': 'Bearer' + token } where token is an OAuth 2 Bearer Token.
To obtain a token, I'd suggest using the Azure AD authentication Library (ADAL).
To authenticate with Dynamics CRM via ADAL, you'll have to register your web application under Azure Active Directory along with Dynamics CRM. Registering your app will give you a client ID which is required by the OAuth 2.0 authorisation flow. This post is very useful.
If your app will have administrative privilege, then it will have access to other user's data. There are several things you should make sure of when configuring OAuth, check this:
http://phuocle.net/crm/dynamics-365-online-s2s-authentication-full-explain.aspx
so to highlight the most important things from my perspective:
you should have a special user for handling that
this user should not have any license assigned - so you have to sign a license for him, a take it back after done configuring him
user should have a custom role (can be role copied from System Administrator)

Resources