I am trying to link to an Azure API using Active directory. Are there a set of steps somewhere for doing this?
I have tried the following:
In the datasource creation I have tried selecting REST but the Azure AD Authorisation button is not displayed under REST.
I have tried using oAuth as the Authorisation but after clicking the finish button nothing happens.
Any help would be appreciated.
Is this Azure API a custom one or some of the ones that Microsoft provides (SharePoint, Dynamics, MSGraph etc.)? We could try enabling Azure AD support for REST services but we would like to test with the API you are trying to use if at all possible.
Using OAuth won't work with Azure AD as it doesn't strictly follow the specification (there are some subtle differences).
Thanks for you reply, we dont have a specific API as we custom develop all our software on API's that run on Azure and I was hoping to use Radzen for doing future projects. What do you recommend we do?
Hi @petercummins,
We've enabled AzureAD authorization for pure REST data sources similar to OData data source and it will be available in our upcoming release (later today).
Is there a delay in the release?
No, Radzen 2.8.9 was released yesterday.
There seems to be an issue with getting the tokens correctly from AD.
We're set up using the Trusted Sub-system model, so the Client App Registration is trusted by the API App Registration.
When getting the token from AD, the app is getting into an endless loop with an IFrame (used to get API tokens\refresh tokens from AD?)
Indeed it looks as an endless loop. Is there any way for us to run that application locally in order to troubleshoot?
There is really nothing to the app at the moment; this issue came up as we were trying to connect to an existing API. The API is part of an existing system that we cannot share with you.
We could set up a hello world API but in the short term I can describe it's setup which may shed some light:
The API uses an Azure AD App Registration with normal grant flow (Client ID and Secret).
This client (and other clients) use a separate Azure AD App Registration, which in this case is set to use implicit grant flow (Client ID and Reply Urls).
The client App Registration is granted permissions to access the API (using the Required Permissions section in Azure AD). This is the trusted sub-system model I previously mentioned.
This is the point where we hit the infinite loop trying to authenticate.
What seems to also be missing is how to configure the fact that the we want to get a particular scope permission from AD (to call the API). So even if we did manage to authenticate, the token sent to the API would not be correct.
Just to try, we altered the API to allow Implicit Grant flow and altered the app configuration to match. The result was the same, an infinite loop with the IFrames.
You can add scopes from the data source configuration.
Probably the authorization token isn't valid for some reason - you can debut the generated code in the authorization service. Also have in mind that Radzen supports only the implicit grant flow of Azure AD.
