Skip to content

Commit

Permalink
Merge pull request #127 from Gamp0vskyj/TokenBrokerUpdate
Browse files Browse the repository at this point in the history
Token broker update
  • Loading branch information
honzakostejn authored Oct 17, 2024
2 parents ca96001 + 5390f10 commit 4b62b73
Show file tree
Hide file tree
Showing 2 changed files with 109 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/.vuepress/config.js
Original file line number Diff line number Diff line change
Expand Up @@ -701,6 +701,7 @@ module.exports = config({
collapsable: false,
children: [
['', 'Introduction'],
['required-application-consent', 'Required Application Consent'],
]
},
{
Expand Down
108 changes: 108 additions & 0 deletions src/en/customizer-guide/required-application-consent.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@

# Applications

| Name | Consent Link | Owner | Client ID |
| - | - | - | - |
| [TALXIS Deployments](#talxis-deployments) | [LINK](https://talxis.com/add-deployment-app) | INT0006 | 4ab337b1-27bc-421d-8d56-7462bbea9831
| [TALXIS Data Feed](#talxis-data-feed) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=e8af2b8e-a8de-4669-8d94-6b684068beef) | INT0010 | e8af2b8e-a8de-4669-8d94-6b684068beef
| [TALXIS Data Feed - Flow](#talxis-data-feed---flow) | [LINK](https://talxis.com/add-connectors-app) | INT0010 | 28d529aa-b85e-4469-9cf3-937bea582555
| [TALXIS - PCF.MapPicker](#talxis---pcfmappicker) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=1dc2b128-6003-42b6-a989-d78d6c0d0a5c) | INT0015 | 1dc2b128-6003-42b6-a989-d78d6c0d0a5c
| [TALXIS - PCF.FilePicker](#talxis---pcffilepicker) | [LINK](https://talxis.com/add-dms-app) | INT0015 | 1fd1cbbe-eefe-4583-b422-4a7661cf5c60
| [TALXIS - PCF.FilePicker - Group Creation](#talxis---pcffilepicker---group-creation) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=6fc7f36a-b972-45c9-8516-06c0600b4183) | INT0015 | 6fc7f36a-b972-45c9-8516-06c0600b4183
| [TALXIS - PCF.FilePicker - Advanced Permissions](#talxis---pcffilepicker---advanced-permissions) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=a6631d2e-c9f0-4327-ba73-5fc8cb87a037) | INT0015 | 6fc7f36a-b972-45c9-8516-06c0600b4183
| [TALXIS - PCF.CompanyProfileHinting](#talxis---pcfcompanyprofilehinting) | [LINK](https://talxis.com/add-controls-app) | INT0015 | b8becf32-7f36-4d2f-bbdc-456c6e910405
| [TALXIS - PCF.AddressPicker](#talxis---pcfaddresspicker) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=7941f3c9-f4db-441d-9fce-7b3eb7a2ef10) | INT0015 | 7941f3c9-f4db-441d-9fce-7b3eb7a2ef10
| [TALXIS - Client](#talxis---client) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=526f3cf8-fd5c-4648-87f6-b0e4b986acdb) | INT0015 | 526f3cf8-fd5c-4648-87f6-b0e4b986acdb
| [TALXIS - PCF.PeopleGrid](#talxis---pcfpeoplegrid) | [LINK](https://login.microsoftonline.com/common/adminconsent?client_id=7facec0a-d26e-4f71-a213-38b317b4dfe0) | INT0015, PCT21016 | 7facec0a-d26e-4f71-a213-38b317b4dfe0

# Why
Until now we have been using standalone authentication per [PFC](https://netwiseglobal.com/blog/2024/03/15/what_are_pcf_components_and_how_do_they_help_users_and_developers/) control.

The issue is, that when [3rd party cookies are blocked in the browser](https://cookie-script.com/all-you-need-to-know-about-third-party-cookies.html) (Safari by default, you can enable this behavior in other browsers as well). This effectively breaks any silent [SSO](https://gatekeeperhelp.zendesk.com/hc/en-us/articles/1500003649281-What-is-Silent-Authentication) method in OpenID Connect (via MSAL.js for example) which uses iframe behind the scenes to obtain the token, and you will end up with [AADSTS50058](https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4782) error.
This issue is not just Microsoft auth stack related, but is also faced by other including [Salesforce](https://help.salesforce.com/s/articleView?id=sf.external_identity_login_considerations.htm&type=5) and Microsoft Dynamics. More perspective on this issue from AAD [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas).

# Broker model
We are now using a "broker model" for authentication, to streamline the token management. Simply a hidden global ribbon button with a script which handles the token management providing a single authorization experience for all PCFs and scripts, while also preventing multiple popups. It then utilizes our Token Service with [On-Behalf-Of (OBO)](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow) flow to exchange tokens.

# Details
Preview of permissions could be found [here](https://learn.microsoft.com/en-us/graph/permissions-reference).
## TALXIS Deployments

Used for deployments of applications to Power Platform environment. Application can only write to environments where permissions have been [explicitly granted to the service principal](https://learn.microsoft.com/en-us/power-platform/admin/manage-application-users). The principal is non-interactive.

### Permissions (delegated)
* Access Common Data Service (Dataverse) as organization user
* Sign in and read signed in user profile

## TALXIS Data Feed

Used as a resource to verify TALXIS Data Feed access. Doesn't need to be explicitly consented.

## TALXIS Data Feed - Flow

Enables use of TALXIS Data Feed API from Power Automate.

### Permissions (delegated)
* Access Data Feed as Current User
* Sign in and read signed in user profile

## TALXIS - PCF.MapPicker

Map control used in TALXIS applications.

### Permissions (delegated)
* Access Data Feed as Current User
* Sign in and read signed in user profile

## TALXIS - PCF.FilePicker

Custom control that allows users to work with SharePoint or Dataverse documents easily and directly from TALXIS applications. Optionally complemented with [TALXIS - PCF.FilePicker - Group Creation](#talxis---pcffilepicker---group-creation) application.

### Permissions (delegated)
* Read items in all site collections
* Have full access to all files user can access
* Have full access to user files
* Read all groups
* Sign in and read signed in user profile

## TALXIS - PCF.FilePicker - Group Creation

Optional app registration if you want the File Picker PCF to allow for group creation via UI. Primarily used in the previous version of File Picker.

### Permissions (delegated)
* Read and write all groups
* Read and write group memberships
* Sign in and read signed in user profile

## TALXIS - PCF.FilePicker - Advanced Permissions

TBD

## TALXIS - PCF.CompanyProfileHinting

Company autosuggest control used in TALXIS applications.

### Permissions (delegated)
* Access Data Feed as Current User
* Sign in and read signed in user profile

## TALXIS - PCF.AddressPicker

Address autosuggest control used in TALXIS applications.

### Permissions (delegated)
* Access Data Feed as Current User
* Sign in and read signed in user profile

## TALXIS - Client

Used in an [authentication broker (internal)](https://dev.azure.com/thenetworg/INT0015/_wiki/wikis/INT0015.wiki/4301/Authentication-Flow?anchor=authentication-broker) scenario, where a token is required from PCF or custom code. It prevents users from getting multiple authentication popups due to 3rd party cookie restrictions.

## TALXIS - PCF.PeopleGrid

* INT0015 - PoepleGrid connects accounts with contacts and allows tracking of additional metadata such as contact's function withing specified account from Data Feed.
* PCT21016 - PoepleGrid connects accounts with contacts and allows tracking of extensive amount of metadata from Data Feed.

### Permissions (delegated)
* Access Data Feed as Current User
* Sign in and read signed in user profile

0 comments on commit 4b62b73

Please sign in to comment.