205 Views, 7 Comments, Solved
Understanding the Azure AD login advantages
Application Type: Traditional Web

I'm new to the Azure AD login method, so I'm a bit confused about the advantage of using this on our OutSystems web apps.

Our laptop computers are not using an Office 365 account for the Windows login (we are using local accounts). This means we can't use any "Integrated Authentication" from Windows to the web apps. So this always forces the users to log in with their Office 365 email and password when we first need to access some resource of the Office 365 suite.
I understand that once the first login is made, we don't need to log in again in any of the Office 365 apps, but my question is: how does the OutSystems environment "know" who I am when I first enter the login screen for my web apps?


Accelance Partners

Hi @Goncalo Almeida,

Whenever you are using Azure AD login, there are some steps that you have to follow for authentication. Firstly you have to set up your OutSystems application in the Azure portal, and then it will provide you with some important information like client ID, client secret, etc. That information is used for authentication of the application you created in OutSystems. For more understanding you can also refer to the article links below for the steps.

I hope it will help you to solve your question.

Thanks,

Rakhi


Stefan Weber
MVP

Thank you for mentioning my articles @Accelance Partners Rakhi.

Hi @Goncalo Almeida,

the advantages you get from an OAuth flow depend on the use cases you have. Typically the primary use case for authenticating with Azure AD - besides authentication itself - is that you can interact with the Microsoft Graph API. In addition, depending on your environment, you get additional features like multi-factor authentication, conditional access and many other things as part of the Microsoft Identity ecosystem. Potentially you could build all of that on your own, but with Azure AD it is more or less built in :-)

The Microsoft Login Connector, which is used in the first article, lets your users authenticate against their Microsoft account. Azure AD, or better Microsoft Identity, returns a code back to your application (the Login Connector) and the Login Connector retrieves and stores the access token of that particular user. In addition, the Login Connector checks whether the returned token (which is a JWT) maps to an already existing user entry in your Users database. If so, the system action User_Login is performed for that particular user, logging the user in. If no user entry exists, the user is created first and then logged in.

So OutSystems "knows" the user by identifying it from the subject claim of the JWT token received from Azure AD. This is all done by the Microsoft Login Connector forge component.

You do not need to log in to Windows with your Azure AD account for automatic sign-in to pages. You can - at any time - link an account in the Accounts tab in Windows Settings. But saying that you only need to log in once is only partially true. This depends on the settings of your Azure AD application registration.

Best

Stefan

Gonçalo Almeida

Hi Stefan,

I've read the articles, but this is still very new, so I'm finding it hard to understand it all. I'll have to read multiple times to get it ;)


I only have 1 use case: I need to know whether the user is already logged in to a Microsoft account or not. If he is, I need to know his email, and if he's not, I'll have to redirect him to the Microsoft login page and then get his email.

Stefan Weber
MVP

Hi Goncalo,

yes, the topic of OAuth and identity providers can be a little bit overwhelming at first, and it takes some time and lots of documentation to read to fully understand it.

What you say is actually pretty easy to achieve. Once you set up your login flow using the Microsoft Reactive Login Connector you should be able to authenticate with your Azure AD tenant and thus be able to log in to any application in your OutSystems environment.

The Login Connector automatically creates a new user record including the email address in the Users table.

Actually there is no way for you to "know" if a particular user is already authenticated with your Azure AD. You simply tell your application to redirect to Microsoft Identity every time a user is not logged into OutSystems. This is done in the SecurityException handler of your applications.

After successful authentication your application retrieves a code from Microsoft Identity and requests a token from the token endpoint of Microsoft Identity. That token includes so-called claims which are used to check if an OutSystems user already exists or not.

So, to sum up: in OutSystems applications you always use the Users entity.

Stefan


Gonçalo Almeida

I got you.

So just 1 more scenario for you: imagine that the user has already logged in with his Microsoft account in the browser (let's imagine he wanted to check his emails online and didn't have the Outlook client installed).

Now he opens up another tab and wants to log in to some OutSystems application. We should be able to call some Microsoft Identity endpoint to get the user email he's logged in with on that browser session, correct or incorrect?
If correct, which endpoint would that be?

Stefan Weber
MVP
Solution

Well....no :-)

The correct statement would be that a user is Authorized to the Microsoft Outlook application and Authenticated with Microsoft Identity (your Azure AD tenant).

Now that user opens a new tab and an OutSystems application. OutSystems recognizes that this user has not logged in yet and throws a security exception. In the security exception handler the user gets redirected to Microsoft Identity.

Now: if the user is already authenticated with your tenant, represented by the client_id parameter of the redirect response, then the code to retrieve the access token is immediately returned to the OutSystems application. If the user is not yet authenticated with Microsoft Identity for your tenant, the browser displays the regular Microsoft login box where the user enters the mail address and password.

The redirect URL is a constructed URL (the Microsoft Login Connector does all that for you) including a client_id, a redirect_uri, scopes and state. You can read more about the flow here https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type and you will find links to more resources in my articles above.

Stefan
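The exchange Stefan describes across his replies (the security exception handler redirecting to Microsoft Identity with client_id, redirect_uri, scopes and state; the code coming back to the application; the token request; the JWT claims used to find or create the row in the Users entity), as an added Python example that is not part of the thread and not the code of the Microsoft Login Connector. The tenant ID, client ID, redirect URI, claim values and the `users` dict standing in for the Users entity are all constructed, it sends no HTTP, and it adds a PKCE code challenge, which the thread does not mention. The RS256 signature check against the tenant's published signing keys is assumed to have happened before the claims are trusted; only the claim checks are shown.

```python
"""Authorization-code login against Azure AD (Microsoft identity platform v2.0),
offline: build the redirect, check state on callback, prepare the token request,
check ID-token claims and map the sub claim to a Users row. Constructed example."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def b64url(raw):
    """Base64url without padding, as used in JWTs and PKCE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_pkce_pair():
    """PKCE verifier and S256 challenge; keep the verifier server-side next to the state."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """The redirect the security exception handler sends the browser to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match the app registration exactly
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # random per login attempt, stored server-side
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Return the code from the redirect back, but only if state matches what we issued."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(q.get("error_description", q["error"])[0])
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: possible CSRF or login injection")
    return q["code"][0]


def token_request(tenant, client_id, client_secret, code, redirect_uri, code_verifier):
    """Endpoint and form body for exchanging the code (server-to-server; not sent here)."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # from the Azure portal app registration
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def decode_jwt_payload(jwt):
    """Decode the claims segment only. The RS256 signature must be verified against
    the tenant's JWKS (the connector or a JWT library does this) before trusting it."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def validate_id_token_claims(claims, tenant_id, client_id, now):
    """Reject tokens from another tenant, for another app, or outside their validity."""
    if claims.get("iss") != f"{AUTHORITY}/{tenant_id}/v2.0" or claims.get("tid") != tenant_id:
        raise PermissionError("token was not issued by our tenant")
    if claims.get("aud") != client_id:
        raise PermissionError("token was issued for another application")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise PermissionError("token not yet valid or expired")
    if not claims.get("sub"):
        raise PermissionError("no subject claim")
    return claims["sub"]


def find_or_create_user(users, claims):
    """Constructed stand-in for the Users entity lookup: keyed on sub (stable for this
    user and app), not on email, which can change or be reassigned to someone else."""
    sub = claims["sub"]
    created = sub not in users
    if created:
        users[sub] = {"email": claims.get("preferred_username") or claims.get("email"),
                      "name": claims.get("name")}
    return users[sub], created


def demo():
    """Whole flow with constructed values; the ID token is constructed and unsigned."""
    tenant, client_id = "11111111-2222-3333-4444-555555555555", "app-client-id"
    redirect_uri = "https://outsystems.example.com/MyApp/Callback.aspx"
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = new_pkce_pair()
    build_authorize_url(tenant, client_id, redirect_uri, ["openid", "profile", "email"], state, challenge)
    code = handle_callback(f"{redirect_uri}?code=constructed-code&state={state}", state)
    token_request(tenant, client_id, "secret-from-portal", code, redirect_uri, verifier)
    now = 1_700_000_000
    claims = {"iss": f"{AUTHORITY}/{tenant}/v2.0", "tid": tenant, "aud": client_id, "nbf": now - 60,
              "exp": now + 3600, "sub": "constructed-subject", "name": "Example User",
              "preferred_username": "user@contoso.example"}
    id_token = "eyJhbGciOiJSUzI1NiJ9." + b64url(json.dumps(claims).encode()) + ".constructed-signature"
    sub = validate_id_token_claims(decode_jwt_payload(id_token), tenant, client_id, now)
    return find_or_create_user({}, {**claims, "sub": sub})
```

The state value is the part of the redirect that protects the callback: without comparing it to the value stored for this login attempt, an attacker can complete the flow with a code for their own account in the victim's browser session. Matching the Users row on sub rather than on email matters for the same reason Stefan gives for using the Users entity: the email address is a profile attribute that can be changed or reassigned, while sub is what Microsoft Identity guarantees to be stable for that user and application.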
