Setting up OAuth 2.0 authentication for Business Central endpoints

OData integration with Business Central requires authentication with OAuth 2.0. This guide will you take you through the necessary steps in establishing this authentication.  

To add a registration, launch the Azure Active Directory (AD), go to "App registrations" and click "New registration". 

In here, copy the "Application (client) ID" and the "Directory (tenant) ID" . The ID's will be used later in the setup process.

Go to API permissions and click "add permission". Select the "Dynamics 365 Business Central" API, choose "Delegated permissions".

Select "user_impersonation" in the checkbox marked on the screenshot and finish by clicking "Add permission" in the bottom left corner.

Next, go to "Certificates & secrets" to add a client secret. 

Make sure to copy the value (not to be confused with the ID) as it will never be shown again and is needed later in the process.

Next, add a redirect URI in Manage > Authentication > Add a platform and choose "Web". Azure will then ask you to enter the redirect URI of the application.

The redirect URI needs to be in the following format with your host website in the URI instead of "yourwebsite.com".


https://yourwebsite.com/Admin/Public/Module/EndpointManagement/EndpointAuthorization.aspx

Please notice that the HTTPS protocol is required for redirect URI's in Azure AD.

The redirect can also be a localhost app though, as shown in the picture below.


 

After the app registration, API permission and client secret has been added in Azure AD, we must setup the authentication in Dynamicweb.

To do so, go to Settings > Integration > Endpoint Management and click "Add authentication". 

Fill in the fields with the copied values from Azure AD and make sure the type is set to OAuth2.

 

Clicking "Save" will redirect you to the Business Central login page, where you must enter your credentials.

In some cases, the browser might block the pop-up with the Business Central login page. Make sure to allow pop-ups from Dynamicweb if that is the case.

A successful login will redirect you back to the "Edit Authentication" page in Dynamicweb where an "Access token received" prompt should be shown as depicted below. The "Access Token" field should now also show a string.

Clicking "Save and close" should now enable you to interact with Business Central endpoints using the established OAuth 2.0 authentication. 

Once the access token expires the OAuth 2.0 library will make a silent token refresh request so it can be optained without a login. 

In the case that you want to obtain an access token but do not have the credentials for the Business Central enviroment, you can use the Authorization URL  depicted below.

When an authentication method provided with a the necessary fields is saved, a new field with an Authorization URL appears. This URL can be sent to someone who has a Microsoft login for the Business Central enviroment, who can then authenticate on behalf of you to let you obtain the Access Token.

This essentially means that person A configuring the OAuth2.0 in Dynamicweb can have person B with credentials to Business Central authenticate on behalf of them through the Authorization URL.