Service to Service Authentication
  • 24 Aug 2020

Microsoft Community Training APIs support Service to Service (S2S) authentication, which allows any external service to call the APIs without requiring a user to explicitly log in to an MCT instance.

Follow the steps below to enable an external service to call Microsoft Community Training APIs:

Step 1: Register Service Application

Follow the steps mentioned in this document under “Register the Service app”.

Note

Only follow the steps mentioned under this heading. Enter the role value as created in “Register Service application” step above.

Save the values of the Tenant ID, Tenant Name ({anyName}.onmicrosoft.com), Application ID URI, and the Value (DaemonAppRole) of the role that was created while editing the manifest in the above steps. These will be required later.

Step 2: Register Client Application(s)

For each application that will call the Microsoft Community Training APIs, follow the steps under Approach 1 or Approach 2 below, depending on the type of application.

Approach 1: If the API calling service is hosted in Azure (List of the services)

The steps below are for an Azure Function; similar steps can be followed for other services.

  1. Follow the steps mentioned in this document to Create a new Azure Function App.
  2. Go to the function app created above and click on the “Identity” section on the left.
    (i). Switch the status to “on”. Click on “Save”.
    (ii). Copy the value of “Object Id” shown on the screen thereafter. It will be required later.
    (iii). Follow the steps mentioned in this document to generate a token to call the APIs. A resource parameter is required to generate the token. For this parameter, provide the value of the Application ID URI as created in “Register Service application” step. (e.g. api://{Id})

Note

Any coding language can be used based on the runtime stack selected while creating the Function App.

Approach 2: Alternatively, creating a client by using Client Credentials Flow

Follow the steps mentioned in this document under “Register the Client app”.

Note

Only follow the steps mentioned under the heading “Register the Client app”.

The link above also contains a sample that the client can use to generate tokens to call the APIs.

Step 3: Configure the Azure App Service

  1. Go to the resource group created as part of the Microsoft Community Training deployment.
  2. Under the list of resources, go to the “App Service” resource.

Note

The name of this resource would be the same name which was provided as the Website name at the time of deployment creation.

There is another App Service resource which is created for the function app. (The name of this resource would usually have “-fa-” in the name). This should NOT be selected.

  3. After going to the App Service resource, click on the “Configuration” section on the left.
  4. Click on “New application setting”.
  5. Under “Name”, add ServiceAuthEnabled, and under “Value”, add true. Click “OK”.
  6. Similarly add the following values in the Configuration. Click on “Save” after adding all these values and restart the App Service.
Values
  1. ServiceAuthAudience: Application ID URI created in “Register Service application” step

  2. ServiceAuthTenantName: Tenant name retrieved in “Register Service application” step

  3. ServiceAuthTenantId: Tenant Id retrieved in “Register Service application” step

  4. ServiceObjectIds: This is required only if the Client type is of type Approach 1 above. Enter the Object Id retrieved above. If multiple clients are created of this type, enter all of them here, separated by a semi-colon. (ObjectId_1;ObjectId_2…)

  5. ServiceApplicationIds: This is required only if the Client type is of type Approach 2 above. Enter the Application Id retrieved above. If multiple clients are created of this type, enter all of them here, separated by a semi-colon. (ApplicationId_1;ApplicationId_2…)

  6. ServiceAuthRole: This is required only if the Client type is of type 2. b) above. Enter the role value as created in the manifest in the “Register Service application” step above.

The client(s) created above should now be able to call the Microsoft Community Training APIs. Include the token(s) generated above in requests to the REST APIs exposed by the platform.
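When a call is rejected after this setup, the usual cause is a token whose claims do not line up with the values entered in Step 3. The following is an added example, not code from Microsoft Community Training: a local pre-flight check that decodes a token and compares it with the settings. The mapping of settings to the standard Azure AD claims (aud, tid, oid, appid/azp, roles), the choice to expect the role only for clients listed by application ID, and all sample identifiers are assumptions made for illustration.

```python
import base64
import json

def jwt_claims(token):
    """Decode a compact JWT's payload. The signature is NOT verified (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def split_ids(value):
    """Parse a semicolon-separated setting (ServiceObjectIds, ServiceApplicationIds)."""
    return {v.strip().lower() for v in (value or "").split(";") if v.strip()}

def preflight(token, settings):
    """Return the mismatches between a token's claims and the Step 3 settings."""
    c = jwt_claims(token)
    problems = []
    if c.get("aud") != settings.get("ServiceAuthAudience"):
        problems.append("aud does not match ServiceAuthAudience")
    if str(c.get("tid", "")).lower() != settings.get("ServiceAuthTenantId", "").lower():
        problems.append("tid does not match ServiceAuthTenantId")
    oid = str(c.get("oid", "")).lower()
    app = str(c.get("appid") or c.get("azp") or "").lower()  # v1 / v2 claim name
    by_oid = oid in split_ids(settings.get("ServiceObjectIds"))
    by_app = app in split_ids(settings.get("ServiceApplicationIds"))
    if not (by_oid or by_app):
        problems.append("caller is in neither ServiceObjectIds nor ServiceApplicationIds")
    role = settings.get("ServiceAuthRole")
    # Assumption: the role is only expected for clients listed by application ID.
    if by_app and role and role not in c.get("roles", []):
        problems.append("roles claim lacks ServiceAuthRole")
    return problems

def sample_token(claims):  # constructed, unsigned token for the demo and tests
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

SETTINGS = {  # constructed sample values, not real identifiers
    "ServiceAuthAudience": "api://00000000-0000-0000-0000-000000000000",
    "ServiceAuthTenantId": "11111111-1111-1111-1111-111111111111",
    "ServiceObjectIds": "AAAAAAAA-0000-0000-0000-000000000001;aaaaaaaa-0000-0000-0000-000000000002",
    "ServiceApplicationIds": "bbbbbbbb-0000-0000-0000-000000000001",
    "ServiceAuthRole": "DaemonAppRole",
}

if __name__ == "__main__":
    print(preflight(sample_token({"aud": "api://other", "tid": "x", "oid": "y"}), SETTINGS))
```

Because the signature is not checked, this is only a configuration aid for the calling side; the decision to accept a token remains with the service.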
