Authentication to an Activate API using OAuth through Azure
Set up Activate application in Azure

This document assumes the Activate application in Azure has already been set up; if not, refer to docid\ dvldwfrmw9stjonbqslt6

Register client application

1. Log in to your organisation’s Azure portal and select Manage Entra ID.
2. Click App registrations.
3. Click New registration and enter the following values:
   - Name = “acme test client”. Enter your client name; we will use “acme test client” as an example in this document.
   - Supported account types = “Accounts in this organizational directory only (\<your domain> only - Single tenant)”
   - Redirect URI can be left blank.
4. Click the Register button.
5. Copy the Application (client) ID for later.

Create secret for client application

The client will use this to acquire a token which it will send to the Activate API for authentication.

1. Navigate back to App registrations and select the previously created acme test client application.
2. Select Certificates & secrets from the left.
3. Click New client secret.
4. Enter values:
   - Description = description of the secret
   - Select an appropriate Expires value.
5. Click Add.
6. Copy the value of the new secret; this will be used by the client application to obtain an access token. This should be treated like a password and only shared with appropriate parties.

Configure app role

1. In the Azure portal, access the Enterprise applications list.
2. Select the Activate application (the name may differ in your environment).
3. Click the Properties menu option on the left.
4. If the Assignment required? option is set to Yes, proceed to step #5; if it is set to No, proceed to the API permissions section.
5. Navigate back to App registrations and the Activate application.
6. Select the App roles menu option.
7. Click Create app role.
8. Enter values:
   - Display name = “activate custom api access”
   - Allowed member types = “Applications”
   - Value = “activate custom api access”
   - Description = “role to allow access to activate custom apis”
   - Do you want to enable this app role? = checked
9. Click Apply.

API permissions

1. Navigate to App registrations.
2. Select your client application. This is the app that will be connecting to the API.
3. Select the API permissions menu option.
4. Assign the activate custom api access role. This is only required if Assignment required is turned on, as per the previous section.
   - Click Add a permission.
   - Click the My APIs tab.
   - Click the Activate application. If the application is not available in the My APIs tab, try APIs my organization uses.
   - Check activate custom api access in the Activate permissions list.
   - Click the Add permissions button.
5. Add the User.Read permission to allow the application to read its profile.
   - Click Add a permission.
   - Select Microsoft Graph.
   - Select Delegated permissions.
   - Enter “User.Read” into the search.
   - Drop down User.
   - Check User.Read (Sign in and read user profile).
   - Click the Add permissions button.
6. Click Grant admin consent for \<domain>.
7. Confirm admin consent.

Other configuration

In order to get the correct token content, the version of the token must be explicitly configured in the application manifest.

1. Navigate to the Activate app registration.
2. Click the Manifest option on the left.
3. Change accessTokenAcceptedVersion to “2” if it isn’t set to that already.
4. Click Save.

Set up Activate API

1. Create a userreference parameter named oauth < application id of client application in azure > on the Activate custom API. This authorises the application to access the API in Activate.
2. Point the user to an Activate API user role member, or a user with execute/read security rights on the API resource.
3. Set Authentication = OAuth.

Client example

This is an Activate script which can be used to test the connection to the Activate API, acting as the client.

```csharp
//@import System.Net.Http
//@import Microsoft.Identity.Client
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Innovation.Activate;
using Microsoft.Identity.Client;

class Script : ScriptBase
{
    string url = "<full path to api here>";
    string appSecret = "<test client secret here>";
    string tenantName = "<tenant name here>";
    string appId = "<client app id here>";
    ConfidentialClientApplication application;

    public void Main()
    {
        // Read the Activate application ID; it forms the scope of the access token request
        string scope = $"api://{Evaluator.GetString("=//resources/activedirectory/external directories/azure/applicationid")}/.default";
        HttpClient http = GetHttpClient(new List<string> { scope });
        Trace.WriteLine("logged in");

        // Call the API and trace the status line and response body
        HttpRequestMessage m = new HttpRequestMessage(HttpMethod.Get, url);
        HttpResponseMessage r = http.SendAsync(m).Result;
        Trace.WriteLine(string.Format("{0} {1}", r.StatusCode.ToString(), r.ReasonPhrase));
        Trace.WriteLine(string.Format("[{0}]", r.Content.ReadAsStringAsync().Result));
    }

    // Build an HttpClient that sends the access token as a bearer header on every request
    public HttpClient GetHttpClient(List<string> scopes)
    {
        HttpClient httpClient = new HttpClient();
        string accessToken = Task.Run<string>(() => { return GetAppAccessTokenAsync(scopes); }).Result;

        // Append the access token to the request
        httpClient.DefaultRequestHeaders.Add(
            "Authorization",
            string.Format("Bearer {0}", accessToken)
        );
        return httpClient;
    }

    // Get an access token. First tries to get the token from the token cache.
    public async Task<string> GetAppAccessTokenAsync(List<string> scopes)
    {
        // wrong token version is being returned
        // (this string is not used below; the authority is set through WithAuthority)
        string authority = string.Format(
            @"https://login.microsoftonline.com/{0}/oauth/v2.0/authorize",
            tenantName
        );

        // Client credentials flow: authenticate as the client application with its secret
        var application = ConfidentialClientApplicationBuilder.Create(appId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantName)
            .WithClientSecret(appSecret)
            .Build();
        AuthenticationResult result = await application.AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }
}
```
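To confirm that the Azure configuration above took effect, inspect the claims of the access token the client receives. The following is an added example, not part of the original page or of Activate: it decodes a token payload without verifying the signature (diagnostics only) and checks `ver`, `aud`, `azp` and `roles` against what the Microsoft identity platform issues for a version 2 token. The function names and the two application IDs are constructed placeholders, and the role value is the one shown on this page.

```python
import base64
import json

def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims: dict, api_app_id: str, client_app_id: str, role: str = "") -> list:
    """List the ways a token differs from what the Azure setup should produce."""
    problems = []
    if claims.get("ver") != "2.0":
        problems.append("ver is %r: set accessTokenAcceptedVersion to 2 in the "
                        "API app manifest" % claims.get("ver"))
    if claims.get("aud") != api_app_id:
        problems.append("aud %r is not the API application ID" % claims.get("aud"))
    # v2.0 tokens name the calling client in azp; v1.0 tokens use appid.
    caller = claims.get("azp") or claims.get("appid")
    if caller != client_app_id:
        problems.append("caller %r is not the registered client" % caller)
    # Pass a role only when "Assignment required?" is Yes on the API application.
    if role and role not in claims.get("roles", []):
        problems.append("app role %r missing: check API permissions and "
                        "admin consent" % role)
    return problems

def _sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

API_ID = "11111111-1111-1111-1111-111111111111"     # constructed placeholder
CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
ROLE = "activate custom api access"                 # role value as shown on this page

# Constructed tokens: one as expected, one as issued when the manifest is left at v1.
good = _sample_token({"ver": "2.0", "aud": API_ID, "azp": CLIENT_ID, "roles": [ROLE]})
v1 = _sample_token({"ver": "1.0", "aud": "api://" + API_ID, "appid": CLIENT_ID})

if __name__ == "__main__":
    for name, tok in (("good", good), ("v1", v1)):
        print(name, check_claims(decode_claims(tok), API_ID, CLIENT_ID, ROLE))
```

Run it against a real token by passing the `AccessToken` string traced from the client script to `decode_claims`; treat that token as a credential while it is valid.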