Creating a Custom OAuth Application
CData embeds OAuth application credentials with CData branding that can be used when connecting to Azure from either a Desktop Application or a Headless Machine. Connecting to Azure from a Web application, however, always requires a custom OAuth application. You might also want to create a custom OAuth application to:
- control branding of the authentication dialog,
- control the redirect URI that the application sends the user to after the user authenticates, or
- customize the permissions that you request from the user.
The following sections describe how to create a custom OAuth application using either the Azure Portal or a SharePoint App (an add-in registered directly in SharePoint).
Azure Portal
To register a custom OAuth application and obtain the values for the OAuthClientId and OAuthClientSecret connection properties:
- Log in to the Azure Portal.
- In the left-hand navigation pane, navigate to Azure Active Directory > App Registrations.
- Click Add.
- Enter an application name.
- Select Any Azure AD Directory - Multi Tenant.
- Set the redirect URI to http://localhost:33333 (the connector's default) or to a different localhost port of your choice. Azure AD accepts a plain http:// redirect URI only for localhost; a Web application must register the https:// URL it is actually served from.
- Set CallbackURL to the exact reply URL you registered. The authorization server rejects any request whose redirect_uri does not match a registered URI, so a mismatch shows up as a failed sign-in rather than a silent fallback.
The Portal creates the new application.
- Navigate to the "Certificates & Secrets" section.
- Create a client secret for the application, and select a duration.
- After you save the secret, its value is displayed once and cannot be retrieved later. Immediately set OAuthClientSecret to the displayed value, and set OAuthClientId to the Application (client) ID. Treat the secret as a credential: keep it wherever you keep database passwords, never in a shared workbook or source control, and plan to rotate it before the duration you selected expires.
- Select API Permissions, click Add a permission, and select SharePoint. If your application will only connect within a user context, specify Delegated Permissions.
- Choose the permissions you want your app to have. To view and edit lists, you must select (at least) AllSites.Manage. Do not request more than the use case needs: every scope you add appears on the consent prompt and ends up in the tokens the connector holds.
- Save your changes.
Note: If you have selected to use permissions that require admin consent, you can grant them from the current tenant on the API Permissions page. Otherwise, see "OAuth: Admin Consent", below.
OAuth: Admin Consent
Admin consent is when an administrator of an Azure Active Directory tenant approves, on behalf of the whole organization, permissions that an application requests and that individual users are not allowed to grant for themselves. The embedded application within the CData Tableau Connector for Microsoft SharePoint contains no permissions that require administrator consent, so this information applies only to custom applications.
When creating a new OAuth application in the Azure Portal, you must specify which permissions the application requires. Some permissions are marked "Admin Consent Required"; for example, all Groups permissions require admin consent. If your application requires admin consent, there are two ways to obtain it.
The easiest way is to have an administrator log in to the Azure Portal, navigate to your application under App Registrations, and click Grant admin consent under API Permissions. This grants the permissions only in the tenant where the application was registered.
If your organization has multiple tenants, or you need to grant application permissions in tenants outside your organization, use the GetAdminConsentURL stored procedure to generate the admin authorization URL and have an administrator of the target tenant open it. After that administrator approves the application, the flow returns a Boolean indicating that the permissions have been granted.
After the administrator has approved the OAuth Application, you can continue to authenticate.
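The following is an added example, not code from the CData documentation or the connector. It shows the three URLs the Azure Portal registration above is used for: the authorize request sent to the user with the registered redirect URI, the check a client must make on the redirect that comes back on CallbackURL, and the tenant-wide admin consent URL that plays the same role as the GetAdminConsentURL stored procedure. The endpoints are the standard Microsoft identity platform v2.0 endpoints; the client id, client secret, SharePoint host and redirect URI are placeholder assumptions, and the PKCE binding is an extra protection this example adds rather than something the page states the connector does.

```python
"""Authorization-code flow helpers for a custom Azure AD app (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for RFC 7636 S256."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, sharepoint_host, state,
                        code_challenge, tenant="common"):
    """URL the user is sent to. Delegated SharePoint scopes are written as
    <resource>/<permission>, e.g. https://contoso.sharepoint.com/AllSites.Manage;
    offline_access asks for a refresh token so the connector can renew without
    showing the dialog again. 'common' suits a multi-tenant registration."""
    scope = f"https://{sharepoint_host}/AllSites.Manage offline_access"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,      # must be one of the registered URIs
        "response_mode": "query",
        "scope": scope,
        "state": state,                    # random per request; checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


class CallbackError(Exception):
    """Raised when the redirect on CallbackURL is not one we should accept."""


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, or raise CallbackError.
    The state check is what stops an attacker from injecting their own code
    (login CSRF); an 'error' parameter means the server or user refused."""
    q = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise CallbackError("state mismatch: redirect was not initiated by this client")
    if "error" in q:
        raise CallbackError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    code = q.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in redirect")
    return code


def build_token_request(client_id, client_secret, redirect_uri, code,
                        code_verifier, tenant="common"):
    """(url, form body) for the POST that exchanges the code for tokens.
    redirect_uri must equal the one sent in the authorize request."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return url, body


def build_admin_consent_url(client_id, redirect_uri, sharepoint_host, state,
                            tenant):
    """URL an administrator of `tenant` opens to consent once for all its users;
    redirect_uri must also be a registered URI of the application."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": f"https://{sharepoint_host}/AllSites.Manage offline_access",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?" + urlencode(params)


if __name__ == "__main__":
    # Placeholder values (assumptions for the example, not real registrations).
    cid, redirect = "11111111-2222-3333-4444-555555555555", "http://localhost:33333"
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(cid, redirect, "contoso.sharepoint.com", state, challenge))
    print(build_admin_consent_url(cid, redirect, "contoso.sharepoint.com", state,
                                  "contoso.onmicrosoft.com"))
```

The state value is generated fresh for each sign-in and compared with a constant-time check before the code is touched; a redirect that arrives on port 33333 with the wrong state, or with an error parameter, is discarded rather than exchanged.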
Sharepoint App
To create a custom OAuth application and obtain the connection properties for OAuth authentication using a SharePoint App, first register the add-in, then grant permissions to it.
Registering the Add-In
- Open the Register Add-In page at https://{sitename}.sharepoint.com/_layouts/15/appregnew.aspx .
- In the "App Information" section, click the Generate button next to the Client Id text box and the one next to the Client Secret text box to generate the respective values.
- Set Title, App Domain, and Redirect URI by filling in their respective text boxes.
- Click Create.
The add-in is registered, and SharePoint displays the created information. Record the Client Secret now; like an Azure AD client secret, it is the credential that anyone holding the Client Id needs in order to act as this add-in.
Granting Permissions to the Add-In
- Open https://{sitename}-admin.sharepoint.com/_layouts/15/appinv.aspx in the browser. This is the tenant admin site, which is required for granting tenant-scoped permissions; it opens the Grant Permission page.
- At App Id, enter the Client ID which you generated earlier, and click Lookup. This populates the values in the other text boxes (Title, App Domain and Redirect URL).
- Enter the permission request in XML format. The request below grants app-only FullControl over every site collection in the tenant, which is the broadest grant SharePoint offers:
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
  </AppPermissionRequests>
  If the connector only needs one site collection, narrow the Scope to http://sharepoint/content/sitecollection and the Right to Read or Write, and grant it from that site collection's own /_layouts/15/appinv.aspx page instead of the admin site. Whoever obtains the Client Id and Client Secret can then do no more than the grant allows.
- Click Create. SharePoint displays a permission consent dialog. To grant the permissions, click Trust It.
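The following is an added example, not code from the CData documentation: a small reviewer for the AppPermissionRequests XML pasted into appinv.aspx. It parses a request, rates how broad each Scope and Right is, and flags the combination above (AllowAppOnlyPolicy, tenant scope, FullControl) so that pasting it is a deliberate choice; it also emits a narrower request for a single site collection. The scope URIs and Right values are SharePoint's documented ones; the sample requests are constructed for the example.

```python
"""Review SharePoint add-in permission requests for breadth (added example)."""
import xml.etree.ElementTree as ET

# SharePoint content scopes, narrowest to widest.
SCOPE_RANK = {
    "http://sharepoint/content/sitecollection/web/list": 0,
    "http://sharepoint/content/sitecollection/web": 1,
    "http://sharepoint/content/sitecollection": 2,
    "http://sharepoint/content/tenant": 3,
}
# SharePoint rights, weakest to strongest.
RIGHT_RANK = {"Read": 0, "Write": 1, "Manage": 2, "FullControl": 3}


def review_permission_request(xml_text):
    """Return a list of (scope, right, findings) for every AppPermissionRequest.
    An empty findings list means the grant is within the content hierarchy and
    neither tenant-wide nor FullControl."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError("not an AppPermissionRequests document")
    app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    results = []
    for req in root.findall("AppPermissionRequest"):
        scope = req.get("Scope", "")
        right = req.get("Right", "")
        findings = []
        if scope not in SCOPE_RANK:
            findings.append(f"scope outside the content hierarchy, review by hand: {scope!r}")
        if right not in RIGHT_RANK:
            findings.append(f"unrecognised right: {right!r}")
        if SCOPE_RANK.get(scope) == 3:
            findings.append("tenant scope: every site collection, current and future")
        if RIGHT_RANK.get(right) == 3:
            findings.append("FullControl: can change permissions and settings, not just content")
        if app_only and SCOPE_RANK.get(scope) == 3 and RIGHT_RANK.get(right) == 3:
            findings.append("app-only + tenant + FullControl: the Client Id and Client Secret "
                            "alone give full control of all content with no user involved")
        results.append((scope, right, findings))
    return results


def least_privilege_request(scope, right, app_only=True):
    """Build a one-line request XML for exactly one scope/right pair,
    refusing values that are not in SharePoint's documented sets."""
    if scope not in SCOPE_RANK or right not in RIGHT_RANK:
        raise ValueError("use a documented content scope and right")
    root = ET.Element("AppPermissionRequests",
                      AllowAppOnlyPolicy="true" if app_only else "false")
    ET.SubElement(root, "AppPermissionRequest", Scope=scope, Right=right)
    return ET.tostring(root, encoding="unicode")


def is_broader_than(request_xml, max_scope, max_right):
    """True if any request in the XML exceeds the allowed scope or right,
    e.g. a policy of 'sitecollection / Write at most'."""
    for scope, right, _ in review_permission_request(request_xml):
        if SCOPE_RANK.get(scope, 99) > SCOPE_RANK[max_scope]:
            return True
        if RIGHT_RANK.get(right, 99) > RIGHT_RANK[max_right]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the request shown in the procedure above.
    tenant_full = ('<AppPermissionRequests AllowAppOnlyPolicy="true"> '
                   '<AppPermissionRequest Scope="http://sharepoint/content/tenant" '
                   'Right="FullControl"/> </AppPermissionRequests>')
    for scope, right, findings in review_permission_request(tenant_full):
        print(scope, right)
        for f in findings:
            print("  -", f)
    print(least_privilege_request("http://sharepoint/content/sitecollection", "Write"))
```

Running the reviewer over the request from the procedure lists three findings, the last of which is the one that matters operationally: with the app-only policy on, the add-in's secret is not tied to any user, so leaking it is equivalent to leaking tenant-wide content control.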