Purpose:
This module provides the reactive web blocks to build a login workflow that uses Microsoft services to authenticate the user and grant roles.
Components:
Install this package with the demo in order to receive a UI starter kit which includes a management UI and a reactive callback screen you can copy into another application to handle callbacks.
When you download the component and the demo, you will install two apps:
The first contains all the logic required to implement authorization code flows. The second contains an administrative tool and a screen you should copy into another application to handle callbacks from Azure AD.
What is the Azure AD Login Connector?
All Microsoft Cloud Services including Office 365, Dynamics 365, Sharepoint among others, are protected by an OAuth authentication from Azure Active Directory. Azure AD is the identity provider, responsible for verifying the identity of users and applications that exist in an organization’s directory, and ultimately issuing security tokens upon successful authentication of those users and applications. Each external application needs to be register on Azure AD to be request an OAuth access token that will be included on each REST API request. This connector tries to abstract the complexity of the OAuth authentication needed in the authorization process to all other REST APIs from Microsoft.
Configuration
To make use of the AALC you need to perform a few steps in Azure and in the AALC Management application. When this is done you can then add authentication to your application.
The steps, in order, are;
Registering Connector Application on Azure
To register your application, open up your azure portal at https://portal.azure.com. If you have an office 365 package you can login to azure using your office 365 admin credentials. In the search bar at the top of the screen type in 'App Registration' and navigate to the service. You should see the below screen:
Click on "New registration"
Fill in the information specified in the above screenshot and click "Register."
The above screen will be displayed. On this screen you can find your Application (client) ID and your Directory (tenant) ID. You will need this information later to configure OAuth in your application. You can find both values under the Essentials header.
Also in the above screenshot, you will see a menu link highlighted in red. Click on Certificates & secrets to generate a client secret. You will also need this to configure your application later.
Click on New client secret to generate a new client secret to be used by your application.
A new window will appear as in the above screenshot. Give your client secret a name and your desired expiration time.
In the ensuing screen, you will see your newly generated client secret. Make sure to copy the value somewhere secure immediately as it will no longer be available once you leave this screen.
Once you are done, you are done registering your application for a simple authorization code flow! The next step is to configure the application in the management app.
Adding the Azure AD application to the AALC Configuration:
The first step you need to do if give yourself the OauthAdministrator role of the Azure AD Login Connector Management application. You can do this via the OutSystems users application.
When this done you can log into the application. You should see the following screen:
Follow these steps to add the Azure AD application created in the first step:
Open the configuration back up by clicking on the description. Navigate to the Espaces tab in the window that opens:
In here you will need to attach the UI module of the espace you want to secure using OAuth. You can search and select which one you want in the dropdown:
Once your Espace is attached, you have minimally configured the application to support a basic authorization code flow! Now we can move on to actually implementing authorization in our application.
Configuring authentication in Reactive application:
To configure your Reactive application to make very basic use of the AALC component:
This should provide your application with a very basic authorization code flow!
Azure AD Managing OutSystems Roles
If you are looking to AD to manage the roles synchronizing them to your OutSystems instance, then this article explains how to setup the roles on the Azure AD side.
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles
Solution: 404, page not found with the CallbackPage
This error occurs when the URL length is limited on your platform or in IIS. For this reason, this component will not work in personal environments. However, in enterprise environments you can use the following steps to increase this maximum length:
<?xml version="1.0" encoding="UTF-8"?><xsl:stylesheet version="1.0"xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="xml" indent="yes" encoding="UTF-8"/><xsl:template match="@*|node()"><xsl:copy><xsl:apply-templates select="@*|node()"/></xsl:copy></xsl:template><xsl:template match="/configuration/system.webServer/security/requestFiltering"><xsl:copy><xsl:apply-templates select="@*|node()"/><requestLimits maxUrl="4096" maxQueryString="2048"/></xsl:copy></xsl:template></xsl:stylesheet>
Apply the configuration to all espaces that contain your callback screens or just to all espaces in your environment. You will need to do this in all your environments.
<?xml version="1.0" encoding="UTF-8"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:output method="xml" indent="yes" encoding="UTF-8"/> <xsl:template match="@*|node()"> <xsl:copy> <xsl:apply-templates select="@*|node()"/> </xsl:copy> </xsl:template> <xsl:template match="/configuration/system.webServer/security/requestFiltering"> <xsl:copy> <xsl:apply-templates select="@*|node()"/> <requestLimits maxUrl="4096" maxQueryString="2048"/> </xsl:copy> </xsl:template> </xsl:stylesheet>