Creating a Custom OAuth Application
Creating a Custom OAuth Application
Microsoft OneDrive supports authentication using Azure AD and Azure Service Principal, both of which are OAuth-based.This topic describes how to:
- create and register custom OAuth application for Azure AD or Azure Service Principal
- provide Admin Consent to a custom OAuth application
Azure AD
In portal.azure.com:- Log in to https://portal.azure.com.
- In the left-hand navigation pane, select Azure Active Directory, then applicationRegistrations.
- Click New registration.
- Enter a name for the application.
- Select the desired tenant setup: single- or multi-tenant, and public or private use.
- If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the CData JDBC Driver for Microsoft OneDrive. Otherwise, the authentication attempt fails with an error.
- If your application is for private use only, specify Accounts in this organization directory only.
- If you want to distribute your application, choose one of the multi-tenant options.
- Set the redirect url to http://localhost:33333 (the driver's default) OR specify a different port and set CallbackURL to the exact reply URL you defined.
- Click Register to register the new application. An application management screen displays.
Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant. - Navigate to Certificates & Secrets and define the application authentication type. There are two types of authentication available: certificate (recommended) or client secret.
- For certificate authentication: In Certificates & Secrets, select Upload certificate, then upload the certificate from your local machine.
- For creating a new client secret: In Certificates & Secrets, select New Client Secret for the application and specify its duration. After the client secret is saved, Microsoft OneDrive displays the key value. Copy this value, as it is displayed only once. This value becomes the OAuthClientSecret.
- Select API Permissions > Add > Delegated permissions.
- Select the Microsoft Graph API and then add the delegated permissions Files.ReadWrite.All or Files.Read.All. Hit the 'Grant admin consent' button afterwards for the new permissions to take effect.
- Save your changes.
- If you have specified the use of permissions that require admin consent, you can grant them from the current tenant on the API Permissions page.
Azure Service Principal
To use Azure Service Principal authentication, you must set up the ability to assign a role to the authentication application, then register an application with the Azure AD tenant to create a new Service Principal. That new Service Principal can then leverage the assigned role-based access control to access resources in your subscription.In portal.azure.com:
- Create a custom OAuth AD application, as described above.
- Use the search bar to search for the Subscriptions service.
- Open the Subscriptions page.
- Select the subscription to which to assign the application.
- Open the Access control (IAM).
- Select Add > Add role assignment. Microsoft OneDrive opens the Add role assignment page.
- Assign your custom Azure AD application the role of Owner.
Admin Consent
Some custom applications require administrative permissions to operate within an Azure Active Directory tenant. Admin consent can be granted when creating a new custom OAuth application, by adding relevant permissions that are already marked with "Admin Consent Required". Admin consent is also required to use Client Credentials in the OAuth flow.
To grant admin consent:
- Have an admin log in to portal.azure.com.
- Navigate to App Registrations and find the custom OAuth application you created.
- Under API Permissions, click Grant Consent.