Authentication possibilties from plugins or activities code

(0) Share

Report

Posted on by SergeyT

310

Hi guys.

We are working on integrating CRM online with custom web api services. There is some quite sensitive data flying between them.

We use https and basic authentication with store credentials in custom configuration entity. We aren't really happy with storing credentials inside CRM for obvious security consideration.

What we would like to use is some oauth\jwt S2S approach from plugins\activities. Looks like MS has already some S2S token authentication for integration with Sharepoint, Exchange etc, but that S2S authentication isn't available for custom code.

There are plenty examples of how to use S2S auth to access CRM from custom services by registering application user in Azure AD. But I couldn't really find any way to acquire any token or identity inside plugins\activities code. Something like:

var tokenService = executionContext.GetExtension<ITokenService>();
var token = tokenService.GetOAuthToken();

On receiving side I would validate that token come from specific tenant Azure AD.

Could you share your experience for authenticating CRM calls in your custom services?

*This post is locked for comments

All responses (4)

Answers (0)

pksorensen 10 on at

Like (0)

Report

RE: Authentication possibilties from plugins or activities code

Hi Sergey - did you ever find a better solution. I am exploring the same my self.
PranavShroti 4,510 on at

Like (0)

Report

RE: Authentication possibilties from plugins or activities code

I should have made myself clear in the first go.

App Id and Secret are not hardcoded in assembly, thats not a good practice, what we have done is- kept these in a config file and they are getting picked up from there.

Regards

Pranav
SergeyT 310 on at

Like (0)

Report

RE: Authentication possibilties from plugins or activities code

>3. Consuming App Id and Secret Key

Basically it sounds like you have hardcoded yours secrets into assembly. I don't like this approach for several reasons. Secrets must be checked in or stored in build configuration. Secrets are same for all environments, otherwise there are different build for different environments. Pluginassembly entity may be queried with content attribute and than easily disassembled.

If you store your app id and secret key in entity usually it isn't secured enough. It should be allowed to read it only from SYSTEM user.

But that brings us back to stored secret.

In on-prem Dynamics 365 usually runs under service account who is service principal for Dynamics 365 services and we can manage permissions based on this.

Can we get something like this using Dynamics 365 online and Azure AD and have specific principal inside plugins and activities? I see MS guys has that abilities for integration with their services. It would be great if they exposed that kind of service for ISV developers.
Suggested answer

PranavShroti 4,510 on at

Like (0)

Report

RE: Authentication possibilties from plugins or activities code

Hi

We have done it in a little different way, using custom code which is hosted on Azure as web service.

1. We have created Azure App for "AnyThing"

2. Created Secret Key for the App

3. Consuming App Id and Secret Key

4. Creating HttpClient request

5. Calling client.PostAsync method.

Regards,

Pranav

If found useful, please mark the answer as verified

Community site session details

Authentication possibilties from plugins or activities code

Helpful resources

Quick Links

Announcing Our 2025 Season 1 Super Users!

Vahid Ghafarpour – Community Spotlight

Tip: Become a User Group leader!

Leaderboard

Featured topics

Product updates

Community site session details

Authentication possibilties from plugins or activities code

Helpful resources

Quick Links

Announcing Our 2025 Season 1 Super Users!

Vahid Ghafarpour – Community Spotlight

Tip: Become a User Group leader!

Subscribe to this forum!

Select categories

Leaderboard

Featured topics

Product updates