Hi all,
I posted this in a Dynamics forum, but was asked to post here.
Can I flow the logged-in user credentials to a Web API that is running in my customer's tenant in Azure?
Background:
I'm building a Web API in Azure using .NET Core 2.1. I have a web app that will access this API, and plug-ins from various systems will access it as well: Dynamics AX, Dynamics CRM, Dynamics 365, etc. This application will be installed into the tenants of other customers. So the caller is the plug-in, not the other way around. The plug-ins will be installed into the customer's instance of the Dynamics systems.
Right now, the API is secured using OAuth2, with a client ID/password, in other words not using the credentials of the calling user. That's because I can't get the credentials of the user in an OAuth2 form without requiring them to log in again.
Note that my team controls the web app and the plug-ins.
Is there any way, in a plug-in like the ones I mentioned above, that I can get the user's credentials in a form I could pass to the API without requiring another login?
I would prefer to use AAD/OpenID because:
1) I really don't like the idea of a shared secret.
2) We are thinking about allowing our customers to write to the API as well.
3) My customer would like to enforce a 'Named User' licensing model. Right now, I'm relying on the plug-ins to send me the name of the user. If we allow #2, the customer could write code that always sends me the same name, bypassing the Named User licensing requirements.
All of the examples (for every plug-in type) show getting a token by using a shared secret.
Thanks in advance.