authentification via secret OK, authentification via certificat in progress

Author: freddycoder

CertUtil/ExpoertKeysFromPfx.ps1

@@ -0,0 +1,11 @@
+Write-Host "Exporting keys from PFX file..."
+
+$pfxFile = "bc-erabliereapi-connector-certificate.pfx"
+$keyFile = "bc-erabliereapi-connector-certificate.key"
+$certFile = "bc-erabliereapi-connector-certificate.crt"
+$password = "1234"
+
+openssl pkcs12 -in $pfxFile -nocerts -out $keyFile -nodes -password pass:$password
+openssl pkcs12 -in $pfxFile -clcerts -nokeys -out $certFile -password pass:$password
+
+Write-Host "Exporting keys from PFX file... Done"

CertUtil/GenerateCert.ps1

@@ -0,0 +1,5 @@
+openssl genrsa -out certificateprivate.key 2048
+openssl req -new -key certificateprivate.key -out certificate.csr
+openssl x509 -req -days 365 -in certificate.csr -signkey certificateprivate.key -out certificate.crt
+openssl pkcs12 -export -out certificate.pfx -inkey certificateprivate.key -in certificate.crt
+openssl rsa -in certificateprivate.key -pubout -out certificatepublickey.pem

CertUtil/bc-erabliereapi-connector-certificate.crt

@@ -0,0 +1,26 @@
+Bag Attributes
+    localKeyID: 01 00 00 00 
+    1.3.6.1.4.1.311.17.3.71: 4C 00 41 00 50 00 54 00 4F 00 50 00 2D 00 46 00 52 00 45 00 44 00 00 00 
+subject=CN = localhost
+
+issuer=CN = localhost
+
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIQahlZTYCiGbtFhqdk/8uZoTANBgkqhkiG9w0BAQUFADAU
+MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjQwODE1MDIyNDUwWhcNMjUwODE1MDI0
+NDUwWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDiTNRDz8hGr+DwOHcwB8pmCxLlI5WTGMkanHRGYgI3hgn4bUeo
+qVttwVdOhsMUSnOo837LfS4eEVsWQaTrLnqHqcNjrgjeGADcySA8fuckyRB9vuEl
+7d76n60hIyqkPVXY2F+vGvYdFAYKL2TKFyIN+fm7Z+adAfaHSIjqjcB81ECwig6+
+mt18JmabfxkG+wd3MG7zhA1ypqHLsKzTKxxx0AzsHzYecPwF7aIzcmLMOcP2wFUE
+D5+WzM1wuPw3O1EBcki4HwNDup+1cs1ffvr/UI10QXzejIuMH+yAoD6EFGoynmO1
+VQ3T4OoaPLKvFAwew4ki+F/uQNByGJgWLPAxAgMBAAGjZjBkMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwFAYDVR0RBA0wC4IJ
+bG9jYWxob3N0MB0GA1UdDgQWBBQoFawSkraSN9FoDowkPKtAqy5fAjANBgkqhkiG
+9w0BAQUFAAOCAQEAftfm4Quni6FIsQdN3DG2CTd48RVmRBttHLRfvbmwPZUJ+nBa
+5UXfCszTdd2ZVW5EmgP7saL6KdnKRUDE30M3m8cNULkTF7fy9BPhvU1aVfRBs7OS
+RBIN9RxUS4gKFvukMSsmxeetyezgxxotDKpfyUItqzQHpxa+VYWkOzfjxzwhnqHO
+pINOes3LNpxvYGJlcqjBigdaai4tzJLnmBDuCLFRTzB90VgQ37lcdQzz+w5/SM81
+kIYeQ7P4wN2EUvdGpUklc/BF8raSYmPBsoXGQo/JIDa/3/dgz5STmsSJz0RruZXW
+tdJXayKW5Us89uqyYQbw/rsKiQhvcksE5z8PvQ==
+-----END CERTIFICATE-----

CertUtil/bc-erabliereapi-connector-certificate.key

@@ -0,0 +1,34 @@
+Bag Attributes
+    localKeyID: 01 00 00 00 
+    friendlyName: te-6d866b05-d9bc-4952-b160-8f021585acf1
+    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
+Key Attributes
+    X509v3 Key Usage: 10 
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDiTNRDz8hGr+Dw
+OHcwB8pmCxLlI5WTGMkanHRGYgI3hgn4bUeoqVttwVdOhsMUSnOo837LfS4eEVsW
+QaTrLnqHqcNjrgjeGADcySA8fuckyRB9vuEl7d76n60hIyqkPVXY2F+vGvYdFAYK
+L2TKFyIN+fm7Z+adAfaHSIjqjcB81ECwig6+mt18JmabfxkG+wd3MG7zhA1ypqHL
+sKzTKxxx0AzsHzYecPwF7aIzcmLMOcP2wFUED5+WzM1wuPw3O1EBcki4HwNDup+1
+cs1ffvr/UI10QXzejIuMH+yAoD6EFGoynmO1VQ3T4OoaPLKvFAwew4ki+F/uQNBy
+GJgWLPAxAgMBAAECggEBAKyN0Lz0Ts43hdkl9RvWlOpCP2IhRAgpug5khfS0/uO/
+fRLEoQNmP6Ts69mgwFdUfeSx5ljbVrLuoPnTjCEYC64uMCJtra1LuDyhz8bRLQbL
+mZuIVL1LJ98KqkS+P+GEM1Vph2xJrqh1gDV79epywTDPDzFrBFlsCcMV9/CBreh/
+sNGnMkJs5/1+5alMEI/Zaq+aT7gxa5bO4QGXvcbLM0nqiG06A4r9bpGn3UO6jFu9
+0o9eoNm9GKtWhDREPhoco4fCW4a1OV8rE8W3uuE5NXYdcHFDWhFHm9NPcWmnyd6w
+yZsZS7c6iECPrQjaeTLYS2Ab8r5925F0XK8E5j7gn5ECgYEA8nAvylHDEhzb/h4N
+bk+u2AhH1U3eV70CnprTz8Qir+kRP+c6AQdWZj3IAoGQRjIJQv4HmK/Z7TQ1HOf4
+H7Y+UoMynYkb152BDXoC0H05+W5ftEJ4knsJUvyAvlkKa+T46IdBZW8ZvwNfs5Io
+7ojNyBm90mPPWA7bs54KV97AjXsCgYEA7vWJxFhbEihw0EICiDV0FvYQtJnb3rD5
++aOxcf+OjOzrNuEazyPYNIixYZZX+m5ok8GSro6J/IVkJ+c8vZx0CopEfONQItYC
+OqsEHh28QLQxGLmFe0fcaifrDngcT4ubP7U5rAoT4orLCR6mrfiSIl7cQ/YixTJo
+Au4nWK8460MCgYEA6vc6Ci8WDY701CQSRlBqF6xm2l++13Azgr5x/NKN/8m2UyXq
+PKb84NiN6Yfi6XWDLm9/s0bzwoav11UnUKzTWCsZuj7xQha/xezzn1dPAeUsUkt+
+ChG+5rQcnt8zT4C6kLrN8d4sqMk/To2gqBbkwkPYinj7ss+rtTi9s44LNtMCgYBa
+eAOMnpb8LOtpLVSgFPy6pLZ2abngechqRxsrOcHSgPAceuUXf06ftRDTDYSJf7uA
+FU1fYP/E5wugP9+zOcSFKQv87GKuja+SXqTUchWPuajM35A1uGMunaZUeAzf4M8K
+M6Z+B+K3ZiywazZXr0BEWv2xjUJkvky6r0eeP9ig2QKBgQDW6XdOL9F7y1wa9aoC
+ssRFOm7WN4yBbj0F+1/q+SvLVeyVOgNsV6NpeAJDysEeNO55V93DhKFnXDOstd6K
+E9KiSzo4OdDm6OD1u7E21zeJx6GxohnnbZ6Z7CC7dLMTtReHVsA1uQjtLtVe8iSb
+/vggr5LURJZV+dg/UY7O50gcnw==
+-----END PRIVATE KEY-----

CertUtil/bc-erabliereapi-connector-certificate.pfx

@@ -0,0 +1,11 @@
+Write-Host "Generate a new self-signed certificate"
+$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "localhost" -KeySpec KeyExchange
+
+# Export the certificate as a PFX file
+$certPath = "C:\certs\bc-erabliereapi-connector-certificate.pfx"
+$certPassword = ConvertTo-SecureString -String "1234" -Force -AsPlainText
+Export-PfxCertificate -Cert $cert -FilePath $certPath -Password $certPassword
+
+# Export the certificate as a CER file
+$certPath = "C:\certs\bc-erabliereapi-connector-certificate.cer"
+Export-Certificate -Cert $cert -FilePath $certPath

CreateSelfSignedCert.ps1

@@ -47,52 +47,71 @@ codeunit 50126 "API Web Service"
         RequestMessage: HttpRequestMessage;
         RequestContent: HttpContent;
         TokenOutStream: OutStream;
+        Cert: Record "Isolated Certificate";
+        ClientAssertion: Text;
+        HttpAuthUtils: Codeunit "HttpAuthUtils";
     begin
         //Create webservice call
         RequestMessage.Method := 'POST';
+
+        if ApiSetup.Audiance = '' then
+            Error('Please set the audiance parameter in the EAPI Setup Page. Ex: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token');
+
         RequestMessage.SetRequestUri(ApiSetup.Audiance);
 
         //Create webservice header
         RequestMessage.GetHeaders(RequestHeader);
 
-        //Payload needed? This might as well be a different implementation!
-        //It's just an example where the credentials are stored as a json payload
+        if ApiSetup."Client Id" = '' then
+            Error('Please set the Client Id parameter in the EAPI Setup Page');
+
+        if (ApiSetup."Client Secret" = '') and (ApiSetup."Client Certificate" = '') then
+            Error('Please set the Client Secret or Client Certificate parameter in the EAPI Setup Page');
+
+        if (ApiSetup.Scope = '') then
+            Error('Please set the Scope parameter in the EAPI Setup Page');
+
+        if ApiSetup."Authentication Method" = ApiSetup."Authentication Method"::"Client Secret" then begin
+            AuthPayload := 'grant_type=client_credentials&client_id=' + ApiSetup."Client Id" + '&client_secret=' + ApiSetup."Client Secret" + '&scope=' + ApiSetup."Scope";
+        end
+        else begin
+            Cert := HttpAuthUtils.GetCertificate(ApiSetup."Client Certificate", ApiSetup."Client Certificate Password");
 
-        //Create json payload
-        JObjectRequest.Add('client_id', ApiSetup."Client Id");
-        JObjectRequest.Add('client_secret', ApiSetup."Client Secret");
-        JObjectRequest.WriteTo(AuthPayload);
+            ClientAssertion := HttpAuthUtils.ComputeClientAssertion(ApiSetup, Cert);
+
+            AuthPayload := 'grant_type=client_credentials&client_id=' + ApiSetup."Client Id" + '&Scope=' + ApiSetup.Scope + '&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=' + ClientAssertion
+        end;
 
-        //Get Request Content
         RequestContent.WriteFrom(AuthPayload);
 
         RequestContent.GetHeaders(RequestHeader);
+        RequestHeader.Add('charset', 'UTF-8');
         RequestHeader.Remove('Content-Type');
-        RequestHeader.Add('Content-Type', 'application/json');
+        RequestHeader.Add('Content-Type', 'application/x-www-form-urlencoded');
 
         RequestMessage.Content := RequestContent;
 
         //Send webservice query
         WebClient.Send(RequestMessage, ResponseMessage);
 
-        if ResponseMessage.IsSuccessStatusCode() then begin
-            ResponseMessage.Content().ReadAs(ResponseText);
+        ResponseMessage.Content().ReadAs(ResponseText);
 
+        if ResponseMessage.IsSuccessStatusCode() then begin
             if not JObjectResult.ReadFrom(ResponseText) then
-                Error('Error Read JSON');
+                Error('API Web Service Error. Error Read JSON');
 
             TokenResponseText := GetJsonToken(JObjectResult, 'access_token').AsValue().AsText();
-            TokenExpiry := GetJsonToken(JObjectResult, 'expiry_date').AsValue().AsDateTime();
+            TokenExpiry := CurrentDateTime() + GetJsonToken(JObjectResult, 'ext_expires_in').AsValue().AsInteger();
 
         end else
-            Error('Webservice Error');
+            Error('API Web Service Error. Reason: %1 Message: %2', ResponseMessage.ReasonPhrase, ResponseText);
 
         exit(TokenResponseText);
     end;
 
     local procedure GetJsonToken(JsonObject: JsonObject; TokenKey: Text) JsonToken: JsonToken;
     begin
         if not JsonObject.Get(TokenKey, JsonToken) then
-            Error(StrSubstNo('Token %1 not found', TokenKey));
+            Error(StrSubstNo('API Web Service Error. Token %1 not found', TokenKey));
     end;
 }

erabliereapi/APIWebService.al

@@ -20,17 +20,45 @@ table 50125 "EAPI Setup"
         {
             DataClassification = CustomerContent;
         }
+        field(13; "ErabliereAPI Client Id"; Text[39])
+        {
+            DataClassification = CustomerContent;
+        }
         field(12; "Scope"; Text[150])
         {
             DataClassification = CustomerContent;
         }
         field(15; "Client Secret"; Text[150])
         {
             DataClassification = CustomerContent;
+
+            trigger OnValidate()
+            begin
+                if (Rec."Client Certificate" = '') and (Rec."Client Secret" <> '') then
+                    Rec."Authentication Method" := Rec."Authentication Method"::"Client Secret";
+            end;
         }
         field(16; "Client Certificate"; Text[150])
         {
             DataClassification = CustomerContent;
+
+            trigger OnValidate()
+            var
+                CertificateManagement: Codeunit "Certificate Management";
+                Cert: Record "Isolated Certificate";
+            begin
+                if (Rec."Client Certificate" = '') and (Rec."Client Secret" = '') and Cert.FindFirst() then
+                    Rec."Client Certificate" := Cert.Code;
+            end;
+        }
+        field(17; "Client Certificate Password"; Text[150])
+        {
+            DataClassification = CustomerContent;
+        }
+        field(18; "Authentication Method"; Option)
+        {
+            DataClassification = CustomerContent;
+            OptionMembers = "Client Secret","Client Certificate";
         }
         field(20; "API Token"; Blob)
         {

erabliereapi/EAPISetup.al

@@ -0,0 +1,27 @@
+page 50134 "EAPI Setup List"
+{
+    PageType = List;
+    UsageCategory = Lists;
+    SourceTable = "EAPI Setup";
+    CardPageId = "EAPI Setup List";
+
+    layout
+    {
+        area(content)
+        {
+            repeater("EAPI Setup")
+            {
+                field(Code; Rec.Code)
+                {
+                    ApplicationArea = All;
+                    ToolTip = 'The code of the EAPI setup.';
+                }
+
+                field("API URL"; Rec."API URL")
+                {
+                    ApplicationArea = All;
+                }
+            }
+        }
+    }
+}

erabliereapi/EAPISetupList.al

@@ -0,0 +1,73 @@
+page 50132 "EAPI Setup Page"
+{
+    PageType = Card;
+    ApplicationArea = All;
+    UsageCategory = Tasks;
+    SourceTable = "EAPI Setup";
+
+    layout
+    {
+        area(Content)
+        {
+            group(General)
+            {
+                field(Code; Rec.Code)
+                {
+                    ApplicationArea = All;
+                    ToolTip = 'The code of the EAPI setup.';
+                    ShowMandatory = true;
+                }
+                field("API URL"; Rec."API URL")
+                {
+                    ApplicationArea = All;
+                    ShowMandatory = true;
+
+                    trigger OnValidate()
+                    begin
+                        if Rec."API URL".EndsWith('/') then
+                            Rec."API URL" := Rec."API URL".Substring(0, StrLen(Rec."API URL") - 1);
+                    end;
+                }
+                field("Client Id"; Rec."Client Id")
+                {
+                    ApplicationArea = All;
+                    ShowMandatory = true;
+                }
+                field("Audiance"; Rec."Audiance")
+                {
+                    ApplicationArea = All;
+                    ShowMandatory = true;
+                }
+                field("Scope"; Rec."Scope")
+                {
+                    ApplicationArea = All;
+                    ShowMandatory = true;
+                }
+                field("Client Secret"; Rec."Client Secret")
+                {
+                    ApplicationArea = All;
+                }
+                field("Client Certificate"; Rec."Client Certificate")
+                {
+                    ApplicationArea = All;
+                }
+                field("Client Certificate Password"; Rec."Client Certificate Password")
+                {
+                    ApplicationArea = All;
+                }
+                field("Authentication Method"; Rec."Authentication Method")
+                {
+                    ApplicationArea = All;
+                }
+                field("API Token"; Rec."API Token")
+                {
+                    ApplicationArea = All;
+                }
+                field("Token valid until"; Rec."Token valid until")
+                {
+                    ApplicationArea = All;
+                }
+            }
+        }
+    }
+}