OAuth 2.0 Service-to-Service

Endpoint Management authentications can be set up for Service-to-Service authorization (usually abbreviated S2S, sometimes called Server-to-Server).

There are three fundamental steps in an S2S configuration:

  1. Configuring an App registration in Azure Active Directory
  2. Adding the application in your ERP or CRM
  3. Adding a corresponding authentication in Dynamicweb

To add an app registration, go to https://portal.azure.com/ > App registrations > New registration, choose single-tenant application access and give your application a suitable name.

Next, copy the Application (client) ID and the Directory (tenant) ID from the app's Overview screen, then go to Certificates & secrets and add a new client secret. Copy the value of the client secret as soon as it is added: it is shown only once and is hidden from then on. Note the expiry you chose for the secret, because the S2S authentication stops working when it expires and a new secret must then be created and pasted into Dynamicweb.

Go to Authentication, add a new Web platform, and add the URL of your Dynamicweb solution to the list of redirect URIs.

For S2S authorization to a Business Central client, you should also add the URL https://businesscentral.dynamics.com/OAuthLanding.htm for a cloud-hosted Business Central instance. If you are using an on-prem version, add the URL of your Business Central browser client followed by /OAuthLanding.htm instead, for example: https://MyServer/BC200/OAuthLanding.htm

Finally, go to API permissions and add a new permission for the application (Dynamics 365 Business Central, Dynamics ERP or Dynamics CRM). The type of permission must be Application permissions, not Delegated permissions, since no user signs in during the S2S flow. Select the appropriate permissions from the available options. The required permission is most likely API.ReadWrite.All, but please refer to the official Azure Active Directory API permission documentation to learn more. Application permissions need admin consent in the tenant before the issued token actually carries them.

See this Microsoft Learn article for more information on Azure app registrations.

To add your new application to your cloud-hosted Business Central instance, open BC and search for Azure Active Directory Applications.

Click New, paste the Client ID of your application and change the state to Enabled. Note that your Business Central user needs the SECURITY permission set to change the state of Azure AD applications.

To use the S2S authentication with a Dynamicweb Plug-in Unit, a few settings must be configured on the Azure AD application card inside Business Central:

  • Select the Dynamicweb Plug-in Unit from the list of installed extensions by clicking the App ID field under General settings.
  • Add the D365 BUS FULL ACCESS permission set to the application card's User Permission Sets. This is a broad permission set, so treat the client secret that unlocks it like an administrator password.
  • To integrate with a Plug-in Unit that uses custom fields, you also need to add the dedicated DYNAMICWEBPERMISSION permission set, included in Business Central Plug-in Unit version 1.2.0.29.

Adding the application to an on-prem Business Central instance is done from a command prompt with administrator rights by following steps 3 and 4 in this Microsoft Learn article.

Figure 3.1 The application card general settings in Business Central

The official details on using S2S with Business Central can be found here.

Figure 3.2 The list of extensions

To add your Azure AD application in Finance & Operations, search for Azure Active Directory applications, click New, enter the Client ID of your application and a suitable name, and select a user (the ADMIN user or any available user with the required permissions). The application runs with that user's permissions, so pick a user with no more rights than the integration needs.

To add your Azure AD application to your CRM instance, go to the Power Platform Admin Center, select your environment and open S2S apps.

Add a new app user and select your Azure AD application from the list of available apps.

In Dynamicweb, go to Settings > Integration > Endpoint Management and click Add authentication.

Give your authentication a suitable name and select OAuth 2.0 - Service-to-Service as type.

Paste the Tenant ID, Client ID and Client Secret from your Azure AD application and save. 

If connecting to an on-premises solution, also fill in the value required for BC, F&O or CRM as stated in the hint text.

Unlike the OAuth 2.0 - User impersonation flow, the S2S authentication does not prompt a user to log in to obtain an access token. Instead the token is exchanged between Dynamicweb and the remote system by a background service, sometimes referred to as a daemon: Dynamicweb authenticates to Azure AD with the client ID and client secret (the OAuth 2.0 client credentials grant) and receives a token whose rights are the Application permissions granted to the app registration, not those of any user.
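The following is an added example (not Dynamicweb or Microsoft code) of what that daemon exchange looks like on the wire and how to inspect the token that comes back. It builds the POST that the client credentials grant sends to the Azure AD v2.0 token endpoint for BC, F&O and CRM, decodes the access token's claims without verifying the signature, and checks that the token is an app-only token carrying the expected Application permission. TENANT_ID and CLIENT_ID are constructed placeholders, the {org} part of the F&O and CRM scopes stands for your environment name, and SAMPLE_APP_TOKEN is a constructed unsigned JWT used in place of a real token so the code runs offline.

```python
"""Added example, not Dynamicweb or Microsoft code: the S2S (client credentials)
token exchange and a sanity check of the returned app-only token.
TENANT_ID/CLIENT_ID are constructed placeholders; SAMPLE_APP_TOKEN is a constructed,
unsigned JWT standing in for a real Azure AD token so everything runs offline."""
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Resource scopes for the client credentials grant. The "/.default" suffix asks for
# every Application permission granted (and admin-consented) to the app registration.
# {org} is a placeholder for the F&O / CRM environment name.
SCOPES = {
    "BC": "https://api.businesscentral.dynamics.com/.default",
    "FO": "https://{org}.operations.dynamics.com/.default",
    "CRM": "https://{org}.crm.dynamics.com/.default",
}


def build_token_request(tenant_id, client_id, client_secret, system, org=None):
    """Return (url, form_body) for the POST a daemon sends to the v2.0 token endpoint.
    No user is involved: the app authenticates with its own client secret."""
    template = SCOPES[system]
    if "{org}" in template and not org:
        raise ValueError(f"{system} needs the environment (org) name for its scope")
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": template.format(org=org),
    })
    return url, body


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    Fine for inspecting a token you just received; a resource server must verify
    the signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(token, expected_tenant, expected_client, required_role):
    """Return a list of problems; an empty list means the token looks like a usable S2S token."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("tid") != expected_tenant:
        problems.append("tid does not match the expected tenant")
    # v1 tokens carry the calling app id in "appid", v2 tokens in "azp".
    if (claims.get("appid") or claims.get("azp")) != expected_client:
        problems.append("appid/azp does not match the expected client")
    # App-only tokens carry Application permissions in "roles"; an absent or empty
    # "roles" usually means admin consent was never granted.
    if required_role not in claims.get("roles", []):
        problems.append(f"roles missing {required_role}")
    # "scp" only appears in delegated (user impersonation) tokens.
    if "scp" in claims:
        problems.append("scp present: delegated user token, not an app-only token")
    return problems


def make_unsigned_token(claims):
    """Build an alg=none JWT from claims (only for constructing offline samples)."""
    def b64url(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


# Constructed placeholders, not real identifiers.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed sample of the claims a BC app-only token carries.
SAMPLE_APP_TOKEN = make_unsigned_token({
    "aud": "https://api.businesscentral.dynamics.com",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "tid": TENANT_ID,
    "appid": CLIENT_ID,
    "roles": ["API.ReadWrite.All"],
})

if __name__ == "__main__":
    url, body = build_token_request(TENANT_ID, CLIENT_ID, "<client secret>", "BC")
    print("POST", url)
    print(body)
    print("problems:", check_app_token(SAMPLE_APP_TOKEN, TENANT_ID, CLIENT_ID, "API.ReadWrite.All"))
```

If a real token fails the `roles` check, the usual cause is that the Application permission was added in the portal but admin consent was never granted; if `scp` turns up instead, the app registration was configured with Delegated permissions and you are looking at a user impersonation token, not an S2S one.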

When the S2S application has been registered in the Azure Active Directory portal and has been added to your on-prem Business Central solution, you can use the authentication from within your Dynamicweb connector service (version 2.2.0 or later) by setting the config as in the example below:

```xml
<NavConnector>
  <add key="NavEndpoint" value="https://d365bcsandbox2:7047/BC/WS/CRONUS%20Nederland%20BV/Codeunit/DWWebService" />
  <!-- SET CREDENTIAL TYPE TO S2S HERE -->
  <add key="ClientCredentialType" value="S2S" />
  <!-- Options for Not OAuth mode (left empty when ClientCredentialType is S2S) -->
  <add key="UserName" value="" />
  <add key="Password" value="" />
  <add key="Domain" value="" />
  <!-- Set IgnoreCertificateWarnings to true for https endpoints using self-signed or untrusted certificates.
       Useful for testing. Should be avoided in production. -->
  <add key="IgnoreCertificateWarnings" value="True" />
  <!-- PROVIDE YOUR OAUTH S2S CREDENTIALS HERE.
       ClientSecret is a credential: keep this file out of source control and restrict who can read it. -->
  <add key="TenantId" value="7dd45d63-24fc-4edd-8ad8-5fd66b6f9733" />
  <add key="ClientId" value="6945a908-9a4b-44fa-9ced-6fa84bd4a866" />
  <add key="ClientSecret" value="pHm8Qkfc9bBLQVbZu" />
  <add key="EnableOAuthLog" value="false" />
</NavConnector>
```