Unanswered

Generate Auth Token in PCF control

(0) Share

Report

Posted on by pratikgolchha Microsoft Employee

Hi All,

We are trying to create a PCF control and wants to generate access token to call our APIs. It should be user token. Can we do that in PCF?

Regards

Pratik

Categories:

Power Apps Pro Dev & ISV

I have the same question (0)

All responses (6)

Answers (0)

Community Power Pla... Microsoft Employee on at

Like (1)

Report
Copy link

Link copied!

I believe you should look at msal-react.

Was this reply helpful? Yes No
Joeri Stroy 49 on at

Like (0)

Report
Copy link

Link copied!

Client credential flows are blocked in the browser. They need to be executed from the backend. Pcf controls run client side. So you won't be able to do it directly in pcf.

So I would create a custom api that calls the auth endpoint and gets the token.

Then you can call that custom api from your pcf and you have a bearer token you can use in your api calls

Was this reply helpful? Yes No
Tim Robinson 50 on at

Like (0)

Report
Copy link

Link copied!

hi @joeristroy I am not the OP but I have another question about this.

I don't quite understand how your solution is supposed to work. how can the custom API verify which user is logged in unless some credentials are passed into it?

Was this reply helpful? Yes No
Joeri Stroy 49 on at

Like (0)

Report
Copy link

Link copied!

It can't.

We were talking about a 3th party api, not the dynamics web api.
And the process to obtain a token differs from api to api.

So unless the 3th party api is also using the same Microsoft tenant for it's authentication you probably won't be able to identify the logged in user.

If you are just trying to call the dynamics web api you don't need to authenticate. That will work oob

Was this reply helpful? Yes No
Tim Robinson 50 on at

Like (0)

Report
Copy link

Link copied!
OK Thanks for that response - it's good to know I didn't miss anything.

FWIW here's the workaround I used, which is rather elaborate but was the best I could come up with:

in Dataverse, create a new table to store one-time-passwords (OTP)
when you want to call the custom API from a PCF control, generate a random OTP from javascript and insert that into the OTP table
then invoke the API passing in the OTP (as a header, cookie, or whatever)
API connects to dataverse using a preconfigured client secret (i.e. not impersonating the user)
API retrieves the specified OTP row and then knows the user is authenticated and can get their user id from the row
API deletes the OTP from the table once it has been retrieved
Obviously this mechanism doesn't allow the third party API to impersonate the user in Dataverse but it does at least allow it to verify that it has been called by a logged-in user

Was this reply helpful? Yes No
Hari-Orby 2 on at

Like (0)

Report
Copy link

Link copied!

Hi Tim,

Thanks for the reply, do you have any detailed reference to the workaround you mentioned. I would like to try that. Thanks.

Was this reply helpful? Yes No