Configure OAuth for Shop Floor Insight 7.8

This article is dated, as Microsoft changes its support for OAuth with the device license model. When this article was written (May 2021), the only supported service-to-service OAuth authentication method was OAuth impersonation. OAuth is only available for BC SaaS. New settings are available in the IW.TimeCollectionModule.Service.exe.config binary patch for Shop Floor Insight.

Configure OAuth for Shop Floor Insight 7.8

  1. Set clientCredentialType to None when using OAuth impersonation mode.
  2. Set DynamicsNavWebServiceAuthenticationMode to OAuthImpersonate.
  3. Set AlwaysSendCredentials to true.
  4. Add a new setting for OAuthTenant with the BC SaaS tenant GUID as the value.
  5. Configure the Windows Credential Manager the same as the Windows service user (configuration differences are in the following steps).
  6. Use the full username for the BC SaaS account (in the Users table in the Authentication Email column in Business Central).
  7. Use the full password for the BC SaaS account.

Example:

Note: The AuthenticationModeGenericCredentialVaultTarget does not have to be called SFIOAUTHIMPERSONATE. The value in the configuration file must match what you have created in the credential manager:

Authorize the application

Note: This requires an Azure account with permission to delegate.

The following steps may need to be done by the reseller or customer IT group with appropriate Azure administrative access. The administrator for that tenant must allow access for the account the service is using to access Business Central.

  1. Ensure your account has core permission and have the tenant administrator select the Grant Consent button (popups must be enabled).
  2. Follow the prompts and be sure to log in with an account that has permission to grant consent.
  3. Review the list and select Accept.
     Note: This should only happen once per install if your remote access account does not have authorization permission.
  4. Set User Permission Sets (optional):
    1. Navigate to Azure Active Directory Applications in Business Central.
    2. Create a new Client ID of 66d9a62b-ddb9-4855-9ed3-361a0515ed2e if not already done.
    3. Enter applicable description if needed.
    4. Set state to Enabled.
    5. Ensure you have set sufficient permissions in User Permission Sets (e.g., for using jobs, give permissions for jobs; for fixed assets, give permissions for fixed assets; for production orders, give permissions for what they plan on using with production orders).

Application settings summary

Note: Only modify the OAuthTenant setting for each install. All other settings listed should not be modified in, or added to, the configuration file unless necessary, and then only by someone with the appropriate level of knowledge.

OAuthTenant
  Description: The Business Central tenant ID to use for OAuth validation. You must set this for any BC SaaS application that is using OAuth authentication.
  When to Change: Every BC SaaS install using OAuth authentication.
  Update Frequency: Frequently; whenever OAuth is used for BC SaaS.

OAuthClientID
  Description: Holds the Azure application client ID for the Shop Floor Insight app. Default value is 66d9a62b-ddb9-4855-9ed3-361a0515ed2e
  When to Change: This should not need to change for any BC SaaS application. In rare circumstances, if:
    • a different Azure client ID is used
    • the client ID ever changes
    • using OAuth with a different application client ID for some on-premise scenarios.
  Update Frequency: Rare.

OAuthClientSecret
  Description: Holds a secret value that works with the OAuthClientID. Default is blank; the real value is in code.
  When to Change: This should not need to change for any BC SaaS application. Every few years the client secret expires. Upgrades may have to change this eventually if their service was never updated.
  Update Frequency: Rare.

OAuthScopeUserImpersonation
  Description: Only applies when using the OAuth impersonation mode. This is the scope that is used to request API access. Default value is:
    offline_access https://api.businesscentral.dynamics.com/user_impersonation
  When to Change: This should not need to change for any BC SaaS application.
  Update Frequency: Rare.

OAuthUserImpersonationRedirectURL
  Description: Default value is:
    https://login.microsoftonline.com/common/oauth/nativeclient
  When to Change: This should not need to change for any BC SaaS application.
  Update Frequency: Rare.

OAuthTokenURL
  Description: The URL used to get an OAuth token. Default value:
    https://login.microsoftonline.com/{0}/oauth2/v2.0/token
  When to Change: This should not need to change for any BC SaaS application. This could change for any on-premise BC that also is using OAuth but not Microsoft’s OAuth system.
  Update Frequency: Rare.

OAuthDeviceURL
  Description: The URL to get a device token when using OAuth device token authentication. Default value:
    https://login.microsoftonline.com/common/oauth2/devicecode
  When to Change: This should not need to change for any BC SaaS application. This could change for any on-premise BC that also is using OAuth but not Microsoft’s OAuth system.
  Update Frequency: Rare.

OAuthScopeDevice
  Description: The OAuth scope string to use when requesting a device token. Default value:
    offline_access https://api.businesscentral.dynamics.com/.default
  When to Change: This should not need to change for any BC SaaS application.
  Update Frequency: Rare.

OAuthDeviceResource
  Description: The OAuth resource request when using device authentication mode. Default value:
    https://api.businesscentral.dynamics.com
  When to Change: This should not need to change for any BC SaaS application.
  Update Frequency: Rare.

OAuthDevicePollIntervalSeconds
  Description: When using device token OAuth authentication, how long to wait in between polls of a thread while waiting for a device token to be validated. Default value is 10.
  When to Change: This should not need to change for any BC SaaS application.
  Update Frequency: Rare.

OAuthDevicePollMaxAttemptsPerThread
  Description: When using device token OAuth authentication, how many attempts to try before waiting. Default value is 20.
  When to Change: This should not need to change for any BC SaaS application.
  Update Frequency: Rare.

OAuthRefreshTokenTimerSeconds
  Description: Default value is 10.

OAuthRefreshTokenTriggerThresholdMinutes
  Description: Default value is 5.
  When to Change: Only if the network from the client network to the outside world has extremely slow internet, this causes the refresh token to be exchanged for a new access token earlier than it needs to be. A minimum value of 1 should be used.
  Update Frequency: Rare.
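
An added example, not part of the original article or of the Shop Floor Insight product: a small Python audit of the service configuration file against the configuration steps and the settings summary above. The article does not show the XML layout of IW.TimeCollectionModule.Service.exe.config, so the two layouts the script reads (add key/value pairs and setting name/value elements) and the sample file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Values the article's configuration steps require.
REQUIRED = {"DynamicsNavWebServiceAuthenticationMode": "OAuthImpersonate",
            "AlwaysSendCredentials": "true"}
# Defaults the settings summary says should rarely change.
DEFAULTS = {"OAuthClientID": "66d9a62b-ddb9-4855-9ed3-361a0515ed2e",
            "OAuthTokenURL": "https://login.microsoftonline.com/{0}/oauth2/v2.0/token"}

# Constructed sample; the XML layout is an assumption, not taken from the product.
SAMPLE = """<configuration>
  <appSettings>
    <add key="DynamicsNavWebServiceAuthenticationMode" value="OAuthImpersonate"/>
    <add key="AlwaysSendCredentials" value="true"/>
    <add key="OAuthTenant" value="00000000-0000-0000-0000-000000000000"/>
    <add key="OAuthTokenURL" value="https://login.example.test/{0}/token"/>
  </appSettings>
  <binding><security><transport clientCredentialType="Windows"/></security></binding>
</configuration>"""

def read_settings(root):
    """Return (name -> value, [clientCredentialType values]) from either assumed layout."""
    found, cred_types = {}, []
    for el in root.iter():
        if "clientCredentialType" in el.attrib:
            cred_types.append(el.attrib["clientCredentialType"])
        if "key" in el.attrib and "value" in el.attrib:      # <add key="" value=""/>
            found[el.attrib["key"]] = el.attrib["value"].strip()
        elif "name" in el.attrib and el.find("value") is not None:  # <setting name=""><value>
            found[el.attrib["name"]] = (el.find("value").text or "").strip()
    return found, cred_types

def audit(config_xml):
    """List deviations from the article's steps and settings summary."""
    found, cred_types = read_settings(ET.fromstring(config_xml))
    issues = []
    if not cred_types or any(c != "None" for c in cred_types):
        issues.append("clientCredentialType must be None")
    for name, want in REQUIRED.items():
        if found.get(name, "").lower() != want.lower():
            issues.append(f"{name} must be {want}")
    if not GUID.match(found.get("OAuthTenant", "")):
        issues.append("OAuthTenant must be the BC SaaS tenant GUID")
    for name, default in DEFAULTS.items():
        if name in found and found[name] != default:
            issues.append(f"{name} differs from the documented default")
    return issues

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "OK")
```

On the constructed sample the audit reports the Windows credential type and the token URL that points away from the documented default; a file that follows the steps and leaves the defaults alone returns an empty list.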