Office 365 Authentication using GAM

Since the introduction of OAuth 2.0 Authentication in GeneXus Access Manager, it is possible to authenticate to a broader set of providers. This article explains what to do in GAM backend, to authenticate to Office 365. For more information on how to configure Azure, see Application Registration in Azure Active Directory.

Authentication Type

Add a new OAuth 2.0 authentication type in the GAM Web Backoffice and set the associated basic parameters:

  • Name (you will use this name later in the code to log in)
  • Function (Only Authentication is supported)
  • Enabled (Yes|No)
  • Description: friendly description
  • Small image name
  • Big image name
  • Impersonate

You need to fill in detailed information in the following tabs:

  • General: to identify the OAuth 2.0 application.
  • Authorization: headers associated with the authorization request and response.
  • Token: service URL to handle token information.
  • User Information: service URL to handle user data.

General

Enter Client Id, Client Secret and Redirect URL. Notice that the Redirect URL is the base URL of your application.

  • Client Id
    • Tag: client_id, Value: <your value here>
  • Client Secret
    • Tag: client_secret, Value: <your value here>
  • Redirect URL
    • Tag: redirect_uri, Value: <your application URL>

Authorization

Set the following parameters:

  • URL: https://login.windows.net/common/oauth2/authorize
  • ResponseType: enabled
    • Tag: response_type, Value: code
  • Scope: enabled
    • Tag: scope, Value: https://graph.microsoft.com/user.read
  • State: enabled
    • Tag: state
  • Include Client Id: enabled
  • Include Redirect URL: enabled

Response

  • Access Code Tag: code
  • Error Description Tag: error_description

Token

  • URL: https://login.windows.net/common/oauth2/token
  • Token Method: POST
  • Header
    • Tag: Content-type, Value: application/x-www-form-urlencoded
  • Grant Type: enabled
    • Tag: grant_type, Value: authorization_code
  • Include Access Code: enabled
  • Include Client Id: enabled
  • Include Client Secret: enabled
  • Include Redirect URL: enabled
  • Additional Parameters: resource=https://graph.windows.com

Response

  • Access Token Tag: access_token
  • Token Type Tag: token_type
  • Expires In Tag: expires_in
  • Scope Tag: scope
  • Error Description Tag: error

User Information

  • URL: https://graph.microsoft.com/v1.0/me
  • User Info Method: GET
  • Header
    • Tag: Content-type, Value: application/json;charset=utf-8
  • Include Access Token: disabled
    • Tag: access_token
  • Include Client Id: disabled
    • Tag: client_id
  • Include Client Secret: disabled
    • Tag: client_secret

Response

  • User Email Tag: mail
  • User External Id Tag: id
  • User Name Tag: userPrincipalName
  • User First Name
    • Tag: givenName, Generate automatic Last Name: False
  • User Last Name
    • Tag: surname
  • User Language Tag: preferredLanguage
  • Error Description Tag: error_description
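As an added example (not code from this wiki page or from GAM itself), the following Python script builds the three requests described in the General, Authorization, Token and User Information tabs from the same URLs and tag names, and parses constructed sample responses offline. The client id, client secret, redirect URI, authorization code and JSON responses are constructed placeholders; sending the bearer token in an Authorization header, rather than as the disabled access_token query tag, is an assumption of this example. The state comparison shows why the State parameter is enabled: a callback whose state does not match the value generated for this login attempt is rejected instead of having its code exchanged.

```python
# Added example: the OAuth 2.0 authorization-code exchange behind the GAM
# configuration above, run offline. Not GAM's own code.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# URLs and parameter values copied from the configuration tabs on this page.
AUTHORIZE_URL = "https://login.windows.net/common/oauth2/authorize"
TOKEN_URL = "https://login.windows.net/common/oauth2/token"
USERINFO_URL = "https://graph.microsoft.com/v1.0/me"
SCOPE = "https://graph.microsoft.com/user.read"
RESOURCE = "https://graph.windows.com"  # the "Additional Parameters" value

# Constructed placeholders; real values come from the Azure app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "<client-secret-placeholder>"
REDIRECT_URI = "https://example.com/myapp/"

def build_authorization_url(state):
    """Authorization tab: response_type, scope, state, client_id, redirect_uri."""
    params = {"response_type": "code", "scope": SCOPE, "state": state,
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_authorization_response(callback_url, expected_state):
    """Authorization response: read the 'code' tag or fail on 'error_description'.
    The state comparison rejects a callback that this session did not start."""
    query = parse_qs(urlparse(callback_url).query)
    if "error_description" in query:
        raise RuntimeError("authorization error: " + query["error_description"][0])
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback does not belong to this login")
    return query["code"][0]

def build_token_request(code):
    """Token tab: form-encoded POST with grant_type, code, client_id,
    client_secret, redirect_uri and the extra 'resource' parameter."""
    headers = {"Content-type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "redirect_uri": REDIRECT_URI, "resource": RESOURCE}
    return "POST", TOKEN_URL, headers, urlencode(body)

def parse_token_response(body_text):
    """Token response tags: access_token, token_type, expires_in, scope.
    On this endpoint the error tag is 'error', not 'error_description'."""
    data = json.loads(body_text)
    if "error" in data:
        raise RuntimeError("token error: " + data["error"])
    keys = ("access_token", "token_type", "expires_in", "scope")
    return {k: data[k] for k in keys if k in data}

def build_userinfo_request(access_token):
    """User Information tab: GET /v1.0/me. The access_token query tag is
    disabled on the page; this example assumes a Bearer Authorization header."""
    headers = {"Content-type": "application/json;charset=utf-8",
               "Authorization": "Bearer " + access_token}
    return "GET", USERINFO_URL, headers

def map_user_info(body_text):
    """User Information response tags mapped to the fields GAM stores."""
    data = json.loads(body_text)
    if "error_description" in data:
        raise RuntimeError("user info error: " + data["error_description"])
    return {"email": data.get("mail"), "external_id": data["id"],
            "user_name": data.get("userPrincipalName"),
            "first_name": data.get("givenName"), "last_name": data.get("surname"),
            "language": data.get("preferredLanguage")}

# Constructed sample responses shaped like the token and Graph /me JSON.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": "3599", "scope": "user.read",
    "access_token": "constructed-access-token"})
SAMPLE_USER_RESPONSE = json.dumps({
    "id": "11111111-2222-3333-4444-555555555555", "mail": "jane.doe@example.com",
    "userPrincipalName": "jane.doe@example.com", "givenName": "Jane",
    "surname": "Doe", "preferredLanguage": "en-US"})

def run_flow_offline():
    """Walk the whole exchange without network access; returns (token, user)."""
    state = secrets.token_urlsafe(16)
    build_authorization_url(state)  # where the browser would be sent
    # Simulated redirect back to REDIRECT_URI carrying the code and state.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    code = parse_authorization_response(callback, state)
    method, _url, _headers, _body = build_token_request(code)
    assert method == "POST"
    token = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    build_userinfo_request(token["access_token"])
    return token, map_user_info(SAMPLE_USER_RESPONSE)

if __name__ == "__main__":
    print(run_flow_offline())
```

When troubleshooting, compare the query string produced by build_authorization_url and the form body produced by build_token_request with what the GAM trace shows: the parameter names are exactly the tags configured in the Authorization and Token tabs, so a missing or misspelled tag in the Backoffice shows up as a missing parameter in the request.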

How to use it from the code

Use the LoginOauth20 method of the GAM Repository external object, passing the name of your OAuth 2.0 configuration. For example, if you named the previous configuration 'Office365':

Event 'Login'
  GAMRepository.LoginOauth20(!"Office365") // Authentication Type Name must match the backend definition
EndEvent

Logout

If you want to force a logout from the identity provider, invoke the following URL with your desired callback URL:

https://login.windows.net/common/oauth2/logout?post_logout_redirect_uri=<my_callback_URL>

Troubleshooting

In case of any error, enable the GAM trace to get more information about it.

AADSTS90002

AADSTS90002: Tenant organizations not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.

Check your Azure server-side configuration, as the URLs configured in GAM seem to be wrong.

AADSTS50011

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'GUID'.

Verify that your endpoint URLs are correctly configured and match the location of your GAM application. In the Azure portal, go to Azure Active Directory, select your application and check its associated endpoints.

AADSTS70001

AADSTS70001: Application 'GUID' is disabled.

Check your Azure application is correctly configured.

AADSTS70002

AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided

Review the password settings on the Azure application configuration site and update your GAM configuration.

AADSTS50020

Message: AADSTS50020: We are unable to issue tokens from this api version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.

Review the following endpoints of the registered Azure application and the associated configuration within GAM:

  • OAuth 2.0 token endpoint
  • OAuth 2.0 authorization endpoint

Considerations

OAuth 2.0 authentication is available in GeneXus Access Manager since GeneXus 15 Upgrade 11.

See Also

Application Registration in Azure Active Directory