-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #127 from Gamp0vskyj/TokenBrokerUpdate
Token broker update
- Loading branch information
Showing
2 changed files
with
109 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
108 changes: 108 additions & 0 deletions
108
src/en/customizer-guide/required-application-consent.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
|
||
# Applications | ||
|
||
| Name | Consent Link | Owner | Client ID | | ||
| - | - | - | - | | ||
| [TALXIS Deployments](#talxis-deployments) | [LINK](https://talxis.com/add-deployment-app) | INT0006 | 4ab337b1-27bc-421d-8d56-7462bbea9831 | ||
| [TALXIS Data Feed](#talxis-data-feed) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=e8af2b8e-a8de-4669-8d94-6b684068beef) | INT0010 | e8af2b8e-a8de-4669-8d94-6b684068beef | ||
| [TALXIS Data Feed - Flow](#talxis-data-feed---flow) | [LINK](https://talxis.com/add-connectors-app) | INT0010 | 28d529aa-b85e-4469-9cf3-937bea582555 | ||
| [TALXIS - PCF.MapPicker](#talxis---pcfmappicker) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=1dc2b128-6003-42b6-a989-d78d6c0d0a5c) | INT0015 | 1dc2b128-6003-42b6-a989-d78d6c0d0a5c | ||
| [TALXIS - PCF.FilePicker](#talxis---pcffilepicker) | [LINK](https://talxis.com/add-dms-app) | INT0015 | 1fd1cbbe-eefe-4583-b422-4a7661cf5c60 | ||
| [TALXIS - PCF.FilePicker - Group Creation](#talxis---pcffilepicker---group-creation) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=6fc7f36a-b972-45c9-8516-06c0600b4183) | INT0015 | 6fc7f36a-b972-45c9-8516-06c0600b4183 | ||
| [TALXIS - PCF.FilePicker - Advanced Permissions](#talxis---pcffilepicker---advanced-permissions) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=a6631d2e-c9f0-4327-ba73-5fc8cb87a037) | INT0015 | 6fc7f36a-b972-45c9-8516-06c0600b4183 | ||
| [TALXIS - PCF.CompanyProfileHinting](#talxis---pcfcompanyprofilehinting) | [LINK](https://talxis.com/add-controls-app) | INT0015 | b8becf32-7f36-4d2f-bbdc-456c6e910405 | ||
| [TALXIS - PCF.AddressPicker](#talxis---pcfaddresspicker) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=7941f3c9-f4db-441d-9fce-7b3eb7a2ef10) | INT0015 | 7941f3c9-f4db-441d-9fce-7b3eb7a2ef10 | ||
| [TALXIS - Client](#talxis---client) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=526f3cf8-fd5c-4648-87f6-b0e4b986acdb) | INT0015 | 526f3cf8-fd5c-4648-87f6-b0e4b986acdb | ||
| [TALXIS - PCF.PeopleGrid](#talxis---pcfpeoplegrid) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=7facec0a-d26e-4f71-a213-38b317b4dfe0) | INT0015, PCT21016 | 7facec0a-d26e-4f71-a213-38b317b4dfe0 | ||
|
||
# Why | ||
Until now we have been using standalone authentication per [PFC](https://netwiseglobal.com/blog/2024/03/15/what_are_pcf_components_and_how_do_they_help_users_and_developers/) control. | ||
|
||
The issue is, that when [3rd party cookies are blocked in the browser](https://cookie-script.com/all-you-need-to-know-about-third-party-cookies.html) (Safari by default, you can enable this behavior in other browsers as well). This effectively breaks any silent [SSO](https://gatekeeperhelp.zendesk.com/hc/en-us/articles/1500003649281-What-is-Silent-Authentication) method in OpenID Connect (via MSAL.js for example) which uses iframe behind the scenes to obtain the token, and you will end up with [AADSTS50058](https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4782) error. | ||
This issue is not just Microsoft auth stack related, but is also faced by other including [Salesforce](https://help.salesforce.com/s/articleView?id=sf.external_identity_login_considerations.htm&type=5) and Microsoft Dynamics. More perspective on this issue from AAD [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas). | ||
|
||
# Broker model | ||
We are now using a "broker model" for authentication, to streamline the token management. Simply a hidden global ribbon button with a script which handles the token management providing a single authorization experience for all PCFs and scripts, while also preventing multiple popups. It then utilizes our Token Service with [On-Behalf-Of (OBO)](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow) flow to exchange tokens. | ||
|
||
# Details | ||
Preview of permissions could be found [here](https://learn.microsoft.com/en-us/graph/permissions-reference). | ||
## TALXIS Deployments | ||
|
||
Used for deployments of applications to Power Platform environment. Application can only write to environments where permissions have been [explicitly granted to the service principal](https://learn.microsoft.com/en-us/power-platform/admin/manage-application-users). The principal is non-interactive. | ||
|
||
### Permissions (delegated) | ||
* Access Common Data Service (Dataverse) as organization user | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS Data Feed | ||
|
||
Used as a resource to verify TALXIS Data Feed access. Doesn't need to be explicitly consented. | ||
|
||
## TALXIS Data Feed - Flow | ||
|
||
Enables use of TALXIS Data Feed API from Power Automate. | ||
|
||
### Permissions (delegated) | ||
* Access Data Feed as Current User | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS - PCF.MapPicker | ||
|
||
Map control used in TALXIS applications. | ||
|
||
### Permissions (delegated) | ||
* Access Data Feed as Current User | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS - PCF.FilePicker | ||
|
||
Custom control that allows users to work with SharePoint or Dataverse documents easily and directly from TALXIS applications. Optionally complemented with [TALXIS - PCF.FilePicker - Group Creation](#talxis---pcffilepicker---group-creation) application. | ||
|
||
### Permissions (delegated) | ||
* Read items in all site collections | ||
* Have full access to all files user can access | ||
* Have full access to user files | ||
* Read all groups | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS - PCF.FilePicker - Group Creation | ||
|
||
Optional app registration if you want the File Picker PCF to allow for group creation via UI. Primarily used in the previous version of File Picker. | ||
|
||
### Permissions (delegated) | ||
* Read and write all groups | ||
* Read and write group memberships | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS - PCF.FilePicker - Advanced Permissions | ||
|
||
TBD | ||
|
||
## TALXIS - PCF.CompanyProfileHinting | ||
|
||
Company autosuggest control used in TALXIS applications. | ||
|
||
### Permissions (delegated) | ||
* Access Data Feed as Current User | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS - PCF.AddressPicker | ||
|
||
Address autosuggest control used in TALXIS applications. | ||
|
||
### Permissions (delegated) | ||
* Access Data Feed as Current User | ||
* Sign in and read signed in user profile | ||
|
||
## TALXIS - Client | ||
|
||
Used in an [authentication broker (internal)](https://dev.azure.com/thenetworg/INT0015/_wiki/wikis/INT0015.wiki/4301/Authentication-Flow?anchor=authentication-broker) scenario, where a token is required from PCF or custom code. It prevents users from getting multiple authentication popups due to 3rd party cookie restrictions. | ||
|
||
## TALXIS - PCF.PeopleGrid | ||
|
||
* INT0015 - PoepleGrid connects accounts with contacts and allows tracking of additional metadata such as contact's function withing specified account from Data Feed. | ||
* PCT21016 - PoepleGrid connects accounts with contacts and allows tracking of extensive amount of metadata from Data Feed. | ||
|
||
### Permissions (delegated) | ||
* Access Data Feed as Current User | ||
* Sign in and read signed in user profile |