Implement authorization to support integration

The Data management framework's package API uses OAuth 2.0 to authorize access. Every call to the API must carry a valid OAuth access token. Organizations with an on-premises deployment use Active Directory Federation Services (AD FS) instead.

Microsoft Entra ID uses OAuth 2.0 to let you authorize access to web applications and web Application Programming Interfaces (APIs) within your Microsoft Entra tenant. Before you begin, register the application with your Microsoft Entra tenant through the Microsoft Azure portal.

The following is an overview of the OAuth 2.0 authorization code request flow:

  1. The client directs the user to the /authorize endpoint.

  2. In this request, the client indicates the permissions that it needs to acquire from the user who requires access. To find the OAuth 2.0 authorization endpoint for your tenant, go to App registrations > Endpoints in the Azure portal.

  3. In the native application, the user is directed to sign in and consent to the permissions that the app requests. When the user authenticates and grants consent, Microsoft Entra ID sends a response to your application at the redirect_uri address given in your request.

    // Line breaks for legibility only
    
    https://login.microsoftonline.com/{tenant}/oauth2/authorize?
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &response_type=code
    &redirect_uri=http%3A%2F%2Flocalhost%3A12345
    &response_mode=query
    &resource=https%3A%2F%2Fservice.contoso.com%2F
    &state=12345
    

    The two types of responses are:

    • Successful response - A successful response grants access and includes the admin consent value, the authorization code that the application requested, a unique session value, and the state parameter.
    • Error response - An error response does not grant an authorization code. It includes an error code value, an error description, and the state value.

    With a successful response, an authorization code is granted and the user is given access.

  4. The code can now be redeemed for an access token to the desired resource. This is accomplished by sending a POST request to the /token endpoint.

  5. Upon a successful response, Microsoft Entra ID returns an access token. The access token is a JSON Web Token (JWT).

  6. When the access token is issued, Microsoft Entra ID also returns metadata about the token for the application's use. The client should cache the access token for the lifetime specified in the OAuth 2.0 response. A web API might return an invalid_token response, for example when the token has expired.

  7. After the access token is obtained, it can be used in requests to web APIs.
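The seven steps above, carried through as an added example in Python; this is not code from the original page or from the Data management framework. It builds the /authorize request, handles both kinds of redirect response (including the state check that ties the response to the request the client actually issued), builds the /token POST, caches the token for the returned expires_in, and recognizes the invalid_token reply that signals a cached token must be replaced. No network calls are made, so every step can be checked offline; the tenant, redirect URI and resource values are constructed placeholders (the client_id is the one shown in the request above).

```python
"""Added example: a minimal OAuth 2.0 authorization-code client for the
Microsoft Entra v1 endpoints shown on this page. No requests are sent;
the functions build and parse the messages of each step."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TENANT = "contoso.onmicrosoft.com"                 # constructed placeholder
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"  # value from the page's request
REDIRECT_URI = "http://localhost:12345"             # constructed placeholder
RESOURCE = "https://service.contoso.com/"           # constructed placeholder
AUTHORITY = "https://login.microsoftonline.com/" + TENANT


def new_state():
    """Unguessable state value: stored by the client, compared on the redirect."""
    return secrets.token_urlsafe(24)


def build_authorize_url(state):
    """Steps 1-2: the /authorize URL the client directs the user to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "resource": RESOURCE,
        "state": state,
    }
    return AUTHORITY + "/oauth2/authorize?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 3: handle the response sent to redirect_uri.
    Returns the authorization code on a successful response; raises on an
    error response or on a state value that does not match our request."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: response is not for a request we issued")
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise RuntimeError("authorization failed: %s %s" % (query["error"][0], desc))
    return query["code"][0]


def build_token_request(code, client_secret):
    """Step 4: the POST to /token that redeems the code for an access token.
    Returns (url, form_body) so the caller can send it with any HTTP client."""
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
    }
    return AUTHORITY + "/oauth2/token", form


class TokenCache:
    """Steps 5-6: keep the returned token for its stated lifetime, with a
    safety margin so we stop using it shortly before it actually expires."""

    def __init__(self, margin_seconds=60):
        self.margin = margin_seconds
        self.token = None
        self.expires_at = 0.0

    def store(self, token_response, now=None):
        now = time.time() if now is None else now
        self.token = token_response["access_token"]
        self.expires_at = now + int(token_response["expires_in"])

    def valid(self, now=None):
        now = time.time() if now is None else now
        return self.token is not None and now + self.margin < self.expires_at

    def invalidate(self):
        self.token = None


def auth_header(cache, now=None):
    """Step 7: attach the cached token to a web API request."""
    if not cache.valid(now):
        raise RuntimeError("no valid token cached; run the authorization flow again")
    return {"Authorization": "Bearer " + cache.token}


def needs_new_token(status, www_authenticate):
    """Step 6 caveat: a 401 carrying error="invalid_token" (for example an
    expired token) means the cached token must be dropped and a new one obtained."""
    return status == 401 and 'error="invalid_token"' in www_authenticate
```

The state value is generated per request and stored client-side; parse_redirect refuses any redirect whose state does not match, so a response that was not produced by this client's own /authorize request is never redeemed. The cache treats expires_in as authoritative but retires the token a minute early, and a 401 invalid_token reply from the API is the signal to call invalidate() and start the flow again.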