Does anyone have any recent experience connecting Xojo apps to Microsoft Entra ID for SSO authentication? Thanks for any pointers!
I do this with Web Apps for the company that I work for. There are several steps that you will need to do to make it work. If you are building web apps, let me know and maybe I can help.
I am working with an Entra Application Client ID and Client Secret to connect with Business Central through OAuth2 from a Xojo Web App. This is the Client Credential Flow and more suitable for Service to Service communications: OAuth 2.0 client credentials flow on the Microsoft identity platform - Microsoft identity platform | Microsoft Learn
@Gary_Smith and @Jacco_Slok I appreciate the responses! I started down the path of reading the Azure and Entra MS docs and got overwhelmed with options and unclear on what direction to take. I’m going to look at your posted link (thank you for that!).
Hi Jacco. This looks like a direction for granting apps access to behind-the-scenes authentication where headless services need to access one another. Will this link also lead to finding out how to use a ‘login’ page in a Xojo Web App to let a user gain access via SSO and Entra ID?
Hi William, that’s correct, this is for headless communications.
I think you should look into Microsoft Authentication Library (MSAL) and Microsoft Graph: Overview of the Microsoft Authentication Library (MSAL) - Microsoft identity platform | Microsoft Learn, hope this helps you in the right direction.
Hi Gary,
I’m trying to figure out SSO authentication for a web app I need to work (AD/Microsoft Entra). Do you have, or have you seen posted, any sample code to do this? The need being a typical username/password entry by the user in an internally used application.
The first thing that you will need to do is register your web app in Entra. Be sure to add the two URLs, one for debugging will be localhost:yourdebugport and the other will be your real www.yourdomain.com site. Grab your tenant ID and your client ID and paste them into this code.
Put this code in the Session Opening event. You will also need to add a JSON Web Token (JWT) class. This is just for testing your login only. There are better ways to verify the token.
Var id_token As String
Var args() As String
Var thepage As String
Var myemail As String

If Session.HashTag <> "" Then // we got a hashtag back from Entra, so parse the token out of it
  args = Session.HashTag.Split("&")
  Try
    // this assumes id_token is the second fragment parameter (code=...&id_token=...&state=...)
    id_token = args(1)
    id_token = id_token.Left(8)
  Catch e As OutOfBoundsException
    Session.Quit
    Return
  Catch noe As NilObjectException
    Session.Quit
    Return
  End Try

  If id_token = "id_token" Then // decode the token
    id_token = args(1).Replace("id_token=", "")
    // JWT is whatever type your JWT class's Decode method returns (assumed here)
    Var JWT As JSONWebToken_MTC = CommonMethods.JSONWebToken_MTC.Decode(id_token)
    // testing only: a real login must verify the token signature against the tenant's
    // signing keys and check that the nonce claim and the returned state match what you sent
    myemail = JWT.Email
    thepage = "startpage"
  Else
    Session.Quit
    Return
  End If

  If thepage = "startpage" Then
    StartPage.Show
  End If
Else
  // No hashtag yet: send the browser to the Microsoft login page
  Var redir As String
  #If DebugBuild Then
    redir = "http%3A%2F%2Flocalhost%3A64418" // URL-encoded http://localhost:64418, must match a redirect URI registered in Entra
  #Else
    redir = "https%3A%2F%2Fwww.yourgreatwebsite.com"
  #EndIf

  // state and nonce are fixed values here for testing; generate random values per session
  // and compare them with what comes back (state in the fragment, nonce inside the id_token).
  // CodeVerifier and Challenge() are your own PKCE helpers (Challenge = base64url of SHA-256 of the verifier)
  Var urls As String
  urls = "https://login.microsoftonline.com/your-secret-tenant-id/oauth2/v2.0/authorize?" _
    + "client_id=your-secret-client-id" _
    + "&response_type=code%20id_token" _
    + "&redirect_uri=" + redir _
    + "&response_mode=fragment" _
    + "&scope=offline_access%20openid%20profile%20email" _
    + "&state=123456789" _
    + "&nonce=abcde" _
    + "&code_challenge=" + Challenge(CodeVerifier) _
    + "&code_challenge_method=S256"
  GoToURL(urls)
End If

Exception err As RuntimeException
  // last-resort logging for anything not caught above
  Var d As DateTime = DateTime.Now
  Var sh As New Shell
  sh.Execute("echo Something really bad happened in the Session Opening " + d.SQLDateTime + " >> c://programdata/logistics/log.txt")
  sh.Close
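To make the steps in Gary's snippet checkable outside a Xojo project, here is an added reference example (not from this thread or from Gary's code) in Python. It builds the same authorize request (PKCE S256 challenge from a code verifier, response_type "code id_token", fragment response mode), parses the returned fragment by parameter name instead of position, and checks the returned state and the nonce claim against the values stored for the session before handing back the claims. The tenant and client IDs, the redirect URI and the sample token are constructed placeholders; the token's signature is deliberately not verified here, because that needs the tenant's published signing keys, which is what Gary means by "better ways to verify the token".

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT and PKCE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(tenant_id, client_id, redirect_uri, state, nonce, code_challenge):
    """Same request the Xojo snippet builds, with urlencode doing the %-escaping."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": "offline_access openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL.format(tenant=tenant_id) + "?" + urlencode(params, quote_via=quote)


def parse_fragment(fragment: str) -> dict:
    """Turn '#code=...&id_token=...&state=...' into a dict keyed by parameter name."""
    pairs = parse_qs(fragment.lstrip("#"), keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}


def unverified_claims(id_token: str) -> dict:
    """Decode the JWT payload only. The signature is NOT checked here; a real login
    must validate it against the tenant's signing keys before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def check_response(fragment: str, expected_state: str, expected_nonce: str) -> dict:
    """Validate the redirect fragment against the state and nonce stored in the session."""
    resp = parse_fragment(fragment)
    if "error" in resp:
        raise ValueError(f"login failed: {resp['error']}: {resp.get('error_description', '')}")
    if not secrets.compare_digest(resp.get("state", ""), expected_state):
        raise ValueError("state mismatch; response does not belong to this session")
    if "id_token" not in resp:
        raise ValueError("no id_token in response")
    claims = unverified_claims(resp["id_token"])
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch; token was not issued for this login attempt")
    return claims


def make_sample_token(claims: dict) -> str:
    """Constructed stand-in for an Entra id_token (same shape, fake signature) so the
    parsing path can be exercised offline. Not a token any tenant issued."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print(build_authorize_url("your-tenant-id", "your-client-id",
                              "http://localhost:64418", state, nonce, challenge))
    # Simulate what the browser brings back in Session.HashTag after login
    token = make_sample_token({"nonce": nonce, "email": "user@example.com"})
    print(check_response(f"#code=abc&id_token={token}&state={state}", state, nonce)["email"])
```

The state, nonce and code verifier have to live in the server-side session between the redirect out and the redirect back; keeping them as constants, as the test snippet above does, means any fragment pasted into the browser passes the checks. Looking the id_token up by name also removes the dependency on Entra putting it second in the fragment.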
I would love to get a more complete tutorial on this topic. I have use cases that sound similar to Rodd’s, and I’d like to replace those with a simple Entra SSO. All I would need to get from Entra is the signed-in user’s email, and I can match that to the user account in the database.