Forge Providers (OAuth 2.0) scope problem with MS graph & MS Dynamics that profile is required

Hello dev community :grinning:,

we are implementing a forge oauth2 provider against MS Dynamics CRM.

So far it is possible to connect the forge provider with microsoftonline.com/.../oauth2/../token etc. and get the profile info :handshake:.

BUT we need a scope to access the CRM and with this scope it’s not possible to obtain the profile from graph.microsoft.com or are we missing something here :upside_down_face:?

Any hint would be great to point us in the right direction before we say, it’s not possible to do.
We can only get one scope (-> audience) but need two, so it’s not possible.

Thank you everybody and have a nice day out there :pray:

Ben


Hi @BenjaminCJohn

I’ve worked with the Microsoft Graph in the past and remember having to build an OAuth authorize URL like this:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
    ?client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX
    &response_type=code
    &redirect_uri=https%3A%2F%2Fexample.ngrok.io%2Foauth2%2Fcallback
    &response_mode=query
    &scope=offline_access+openid+Sites.ReadWrite.All
    &prompt=consent

Note that with the MS Graph, you can just add the correct scope when you build the authorize URL.

So, back to MS Dynamics CRM…

From reading this:

I can see that the authorize URL is:

https://login.microsoftonline.com/your-tenaint-guid/oauth2/v2.0/authorize?
client_id=your_client_guid
&response_type=code
&redirect_uri=http://localhost:44306
&response_mode=query
&scope=https://your-instance.crm6.dynamics.com/user_impersonation
&state=12345

And the scope used in the example is https://your-instance.crm6.dynamics.com/user_impersonation. This will likely be different for every tenant (of Forge and MS Dynamics CRM).

I hope this helps.

David


Hi @david,
thank you for these detailed explanations.

All that you write is correct, but it does not help to solve the issue that I need to get a token that lets me access the graph api to get the user profile and then use this token to access MS Dynamics CRM. It looks like this is what the forge provider module does. I can either access MS Dynamics CRM OR MS Graph, but for the forge provider I need the Graph scope to get the profile and therefore can then not access the Dynamics CRM with that scope.

This is my problem; if this is doable with the forge provider, maybe it is not.

Thank you in advance,
Ben

@BenjaminCJohn yeah, sorry no help with Forge, but hopefully a little with MS Graph.

My guess is that you’ll need to roll your own auth and save to forge storage. You may even need Connect on Forge so that you can ensure ownership of the host for the redirect url :grimacing:

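A sketch of the "roll your own auth" route David suggests, added here as an example and not code from the thread, from Forge or from Microsoft: one v2.0 authorize request collects consent for the Graph scopes and the Dynamics scope together, and because an access token carries a single audience, one token request is planned per resource (the code redeems the first, the refresh token that offline_access provides mints the rest). The tenant, client and CRM instance values are placeholders, and the JWT helper builds an unsigned token purely to show audience routing offline.

```python
# Added example (not from the thread): consent once, then one token per audience.
# Tenant/client/instance values are placeholders, not real identifiers.
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
OIDC = {"openid", "profile", "email", "offline_access"}

def authorize_url(tenant, client_id, redirect_uri, scopes):
    """v2.0 authorize URL; the consent screen may cover several resources."""
    q = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
         "response_mode": "query", "scope": " ".join(scopes), "prompt": "consent"}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(q)

def resource_of(scope):
    """Resource (token audience) a scope belongs to; None for OIDC scopes."""
    if scope in OIDC:
        return None
    if "://" in scope:                      # https://<instance>/user_impersonation
        return scope.rsplit("/", 1)[0]
    return GRAPH                            # bare names such as User.Read are Graph

def token_requests(scopes):
    """Plan one /token request per audience. The first redeems the auth code,
    later ones use the refresh token, which needs offline_access in the consent."""
    by_res = {}
    for s in scopes:
        r = resource_of(s)
        if r is not None:
            by_res.setdefault(r, []).append(s)
    if len(by_res) > 1 and "offline_access" not in scopes:
        raise ValueError("offline_access is required to obtain tokens for further resources")
    oidc = [s for s in scopes if s in OIDC]
    reqs = []
    for i, (res, res_scopes) in enumerate(by_res.items()):
        reqs.append({"grant_type": "authorization_code" if i == 0 else "refresh_token",
                     "scope": " ".join((oidc if i == 0 else []) + res_scopes),
                     "expected_aud": res})
    return reqs

def unverified_aud(jwt):
    """Read 'aud' WITHOUT signature checks: only to route a token to the right
    API before use, never as proof that the token is genuine."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def fake_jwt(claims):
    """Constructed, unsigned token for offline demonstration only."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return "e30." + body + ".sig"
```

Before calling either API, verify the token's signature and issuer with the tenant's published keys; the audience check above only decides which API a token is for.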