Understanding OAuth and App Registration for Secure API Access in Business Central

 

Introduction: The Importance of OAuth in Modern API Security

• [02:37 ~ 04:07]
  In the evolving landscape of cloud services and APIs, OAuth has become a critical authorization framework enabling secure, delegated access to resources. This session, presented by Aaron John Kaufman, a seasoned technical consultant in the Dynamics NAV/Business Central ecosystem, focuses on the transition to OAuth in Microsoft environments and its significance. The urgency stems from Microsoft’s impending deadline to move to OAuth by October 1st, emphasizing the need to understand and implement OAuth properly to maintain secure access to Business Central APIs and related services.

• Key Vocabulary and Concepts:

  • OAuth (Open Authorization): A standard protocol allowing third-party applications limited access to HTTP services without exposing user credentials.
  • Access Token: A security token issued by an authorization server granting access rights to a client application.
  • App Registration: The process of registering an application in Azure Active Directory to enable OAuth interactions.
  • Resource Server: The server hosting protected data or APIs (e.g., Business Central).
  • Client Application: External app requesting access to resources on behalf of a user.
  • Azure Active Directory (Azure AD): Microsoft’s cloud-based identity and access management service acting as the authorization server.

---

Section 1: The OAuth Ecosystem and Its Roles

• [06:04 ~ 10:37]
  OAuth orchestrates interactions among four key roles:

1. Resource Server: Holds data (Business Central exposing APIs).
2. Client Application: External app requesting resource access.
3. Resource Owner: End-user who owns the data and grants access.
4. Authorization Server: Azure Active Directory, managing app registrations, permissions, and token issuance.

• Process Overview:

  • The client app must be registered in Azure AD and request user consent.
  • The user authenticates and grants permissions.
  • Azure AD issues an access token to the client app.
  • The client app uses the token to call Business Central APIs, which validate and authorize the request.

• Important Distinctions:

  • App Registration defines the application’s identity, redirect URIs, secrets, and required API permissions.
  • Service Principal (Enterprise Application): An instance of an app registration representing the app in a specific Azure AD tenant, storing granted permissions.

• Single Tenant vs. Multi-Tenant:

  • Single Tenant: App and service principal live within one Azure AD tenant.
  • Multi-Tenant: App registration remains in the home tenant, but service principals are created in other tenants upon consent, allowing cross-tenant access.

---

Section 2: App Registration and Permissions

• [10:37 ~ 19:40]
  App registration in Azure AD involves specifying:

• Application metadata (name, logo, publisher).

• Redirect URIs to handle OAuth callbacks.

• Secrets (passwords) or certificates used for authentication.

• API permissions: required permissions (declared by app registration) vs. granted permissions (stored at service principal level after consent).

• Permissions Types:

  • Scopes (Delegated Permissions): Allow an app to act on behalf of a user.
  • Application Roles: Allow app-only access without a user context (service-to-service).

• The Business Central app registration exposes APIs with scopes like user_impersonation and application roles like api.readwrite.all.

• Permissions must be explicitly granted, either by user consent or admin consent, depending on the permission type and organizational policies.

---

Section 3: The Consent Flow and Security Considerations

• [31:06 ~ 36:08]

• Consent Flow: When an application requests access to user data, users or admins must grant consent.

  • User consent: Grants permission for individual user resources.
  • Admin consent: Grants permission for the entire organization, removing consent prompts for all users.

• Applications can request consent dynamically or pre-register required permissions statically in Azure AD.

• Security nuances:

  • Secrets (passwords) in app registrations act as credentials but have limited lifetime (max 24 months, often recommended shorter).
  • Certificates are recommended over secrets for enhanced security as they do not travel over the network.
  • Tokens (access and refresh) must be carefully managed to avoid leaks.
  • Tokens are JSON Web Tokens (JWTs), base64 encoded, and signed to ensure integrity and authenticity.

---

Section 4: The OAuth Authorization Flows Explained

• [43:08 ~ 48:45]
  Two primary OAuth flows relevant to Business Central:

1. Authorization Code Grant Flow:

   • Used for delegated access where a user logs in interactively.
   • User authenticates via a browser, grants permissions, and an authorization code is returned via a redirect URI.
   • The app exchanges this code for an access token to call APIs on behalf of the user.
   • Requires a redirect URI and often a client secret if the app is confidential (web apps).
   • Suitable for web apps and apps with user interaction.

2. Client Credentials Flow:

   • Used for app-only access without user interaction (service-to-service).
   • The app authenticates directly with its client ID and secret or certificate.
   • Receives an access token representing the app itself, not a user.
   • Requires pre-consent by an admin to grant application permissions.
   • Commonly used for background jobs, Azure Functions, or external portals integrating with Business Central.

---

Section 5: Deep Dive into Authorization Code Grant Flow

• [48:53 ~ 59:56]

• The detailed flow involves two key Azure endpoints:

  • /authorize endpoint for user login and consent (browser-based).
  • /token endpoint for exchanging the authorization code for an access token (API call).

• The redirect URI is crucial as it is the location where Azure AD sends the authorization code after login. This URI must be controlled by the client application to securely receive the code.

• The authorization code is short-lived (valid for 10 minutes).

• The token request includes the client ID, secret, authorization code, redirect URI, and scope.

• The access token received contains all necessary claims including user identity, tenant ID, scope, and expiration.

• Tokens are JWTs that can be decoded to inspect claims but are cryptographically signed to prevent tampering.

---

Section 6: Configuring App Registration in Azure Portal – Demo Insights

• [01:03:18 ~ 01:19:48]
• Demo walkthrough of creating an app registration named “bc tag days 22 demo” with:
  • Single tenant option chosen due to simplicity and lack of verified publisher status.
  • Redirect URI configured for a web app (localhost for demo purposes).
  • Creation of client secret for confidential client authentication.
• Explanation of confidential vs. public clients:
  • Web apps (confidential clients) can keep secrets securely on the server.
  • Desktop/mobile apps (public clients) cannot keep secrets and rely on other safeguards.
• Demonstrated user login flow, consent prompt, capturing authorization code from redirect URI, exchanging it for access token, and using the token to call Business Central API successfully.
• Emphasized importance of precise redirect URI matching in the token exchange step.

---

Section 7: Client Credentials Flow and Application Users

• [01:20:32 ~ 01:27:52]
• Demonstrated adding application permissions (e.g., api.readwrite.all) to app registration and granting admin consent.
• Obtained access token using client credentials flow with client ID and secret.
• Highlighted the need to create an application user in Business Central linked to the app registration for the token to be accepted by Business Central.
• Explained that this user is not a regular user but a service principal representing the app.
• Recommended best practices:
  • Use certificates over secrets for production environments due to security advantages.
  • Avoid storing secrets in code or insecure places.
• Mentioned ongoing work to automate app registration and permission management using AL code and Graph API.

---

Section 8: Managing Tokens and Permission Types

• [01:35:50 ~ 01:39:08]
• Access tokens typically expire after about 60 minutes; refresh tokens valid up to 90 days allow seamless token renewal without user interaction.
• However, tenant policies (e.g., forced interactive login every two weeks) can invalidate refresh tokens, complicating unattended background processes.
• Tokens should be stored only in memory or securely, avoiding persistent storage in setup tables to minimize security risk.
• Dynamic permissions (requested at runtime) differ from static permissions (pre-registered in app registration), providing flexibility and least privilege access.

---

Section 9: Q&A and Best Practices

• [01:29:23 ~ 01:37:05]
• Recommended multiple app registrations for multi-customer or multi-tenant scenarios to isolate access and reduce risk in case of secret leaks.
• Dynamic permissions allow requesting only the necessary scopes at runtime, giving granular control and user choice.
• Reusing app registrations is acceptable when multiple applications require similar permissions and are under the same control.
• Certificate-based authentication is the preferred secure method for confidential clients over client secrets.
• Microsoft’s MSAL (Microsoft Authentication Library) simplifies OAuth handling in code, abstracting much of the complexity.

---

Conclusion: Key Takeaways and Implications

• OAuth is essential for secure, delegated API access in Microsoft Business Central and other cloud services, driven by compliance and security needs.
• Understanding the OAuth roles, app registration, permission models, and authorization flows is critical to correctly implementing OAuth integrations.
• Proper management of app registrations, service principals, permissions, and tokens ensures secure access control and user experience.
• The authorization code grant flow is best for user-interactive scenarios, while the client credentials flow suits backend, service-to-service access.
• Security best practices emphasize certificates over secrets, least privilege through scoped permissions, and careful token lifecycle management.
• Tools and libraries, such as MSAL, and automation via AL code and Graph API, can simplify complex OAuth integrations.
• Organizations should plan for token renewal, consent management, and multi-tenant scenarios to ensure robust and scalable OAuth implementations.

---

Advanced Bullet-Point Summary

• OAuth Overview & Importance

  • OAuth enables secure, delegated access to APIs without sharing user credentials.
  • Microsoft mandates OAuth for Business Central by October 1st, driven by security concerns.
  • Tokens must be handled securely; even Microsoft’s own token storage has vulnerabilities.

• OAuth Roles and Architecture

  • Four roles: Resource Server (Business Central), Client Application, Resource Owner (User), Authorization Server (Azure AD).
  • App registrations define app identity and permissions; service principals instantiate apps per tenant with granted permissions.
  • Single vs. Multi-tenant apps determine app reach across directories.

• App Registration Details

  • Contains metadata, redirect URIs, secrets/certificates, declared permissions.
  • Permissions: Required (declared) vs. Granted (after consent).
  • Supports exposing APIs with scopes and roles for fine-grained access control.

• Consent Management

  • User consent grants access for individual accounts; admin consent can cover entire organizations.
  • Admin consent necessary for application roles (app-only access).
  • Consent flow complexity and security considerations underscore importance of understanding OAuth.

• OAuth Flows

  • Authorization Code Grant: User-interactive, obtains delegated access tokens, involves browser redirect and secret exchange.
  • Client Credentials: Non-interactive, app-only access, requires admin consent, suited for background services.

• Tokens and Security

  • Access tokens are JWTs containing user, tenant, and permission claims, signed for integrity.
  • Tokens expire ~60 minutes; refresh tokens extend access but depend on tenant policies.
  • Secrets act as passwords; certificates recommended for higher security.

• Demo Learnings

  • App registration setup includes choosing tenant type, redirect URIs, secret creation.
  • Confidential clients require secrets; public clients do not.
  • Demonstrated token retrieval, decoding, and API call with bearer token.

• Best Practices & Real-World Scenarios

  • Prefer multiple app registrations for multi-customer environments to limit blast radius of leaks.
  • Use dynamic scopes for minimal necessary permissions.
  • Automate app registration and secret management when possible.
  • Leverage MSAL and libraries to abstract OAuth complexity.

• Challenges and Considerations

  • Managing token expiration and refresh in background jobs.
  • Handling multi-tenant app permissions and service principal creation.
  • Balancing ease of use with strong security controls.