How data flows when BlackBerry Work uses Office 365 modern authentication
Office 365 modern authentication
Modern authentication simplifies authentication for developers by providing identity as a service (IaaS), with support for industry-standard protocols such as OAuth 2.0. Any app that wants to outsource authentication to Azure Active Directory must first be registered in Azure AD, which registers and uniquely identifies the app in the directory with an app ID.
Azure AD is responsible for verifying the identity of users and apps that exist in an organization's directory, and then issuing security tokens for these users and apps after successful authentication. When using the Azure Active Directory Authentication Libraries (ADAL), much of the flow is handled for the developer. When troubleshooting an issue, it is helpful to understand the flow of data so you can focus on the point where the data flow breaks.
- Using a browser pop-up, the BlackBerry Work app makes a request to the authorization endpoint in Azure AD. This request includes the app ID, the redirect URI of the BlackBerry Work app (as shown in the Azure Portal), and the app ID URI for the web API. If the user hasn't already signed in, they are prompted to sign in.
- Azure AD authenticates the BlackBerry Work user, and the user is required to consent if they haven't already done so. After consent is granted and authentication succeeds, Azure AD issues an authorization code response back to the redirect URI used by BlackBerry Work.
- When Azure AD issues the authorization code response to the redirect URI, the BlackBerry Work app stops browser interaction and extracts the authorization code from the response. Using this authorization code, the BlackBerry Work app sends a request to the Azure AD token endpoint that includes the authorization code, details about the BlackBerry Work app (app ID and redirect URI), and the desired resource (the app ID URI for the web API).
- Azure AD validates the authorization code and the information about the BlackBerry Work app and the web API. After successful validation, Azure AD returns two tokens: a JWT access token and a JWT refresh token. In addition, Azure AD returns basic information about the user, such as their display name and tenant ID.
- Over HTTPS, the BlackBerry Work app sends the returned JWT access token as a "Bearer" value in the Authorization header of its request to the web API. The web API then validates the JWT and, if validation is successful, returns the requested resource.
- When the access token expires, the BlackBerry Work app receives an error indicating that the user needs to authenticate again. If the BlackBerry Work app has a valid refresh token, it can use it to acquire a new access token without prompting the user to sign in again. If the refresh token has also expired, the BlackBerry Work app must interactively authenticate the user once more.
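The validation the web API performs in the fifth step (signature, audience, issuer and expiry of the bearer JWT) is the point where most "token rejected" troubleshooting ends up, so the following added example, which is not BlackBerry or Microsoft code, walks through those checks. It assumes an HS256 shared key and constructed tenant and app ID URI values so that it runs offline; real Azure AD tokens are RS256-signed against the tenant's published signing keys, and the check logic is otherwise the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins: a shared demo key instead of Azure AD's RS256 keys,
# and placeholder tenant / web API identifiers (not real values).
DEMO_KEY = b"constructed-demo-signing-key"
ISSUER = "https://sts.windows.net/constructed-tenant-id/"
API_APP_ID_URI = "https://example.invalid/webapi"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the token endpoint: header.payload.signature, HS256 for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_bearer(authorization_header: str, now: int, key: bytes = DEMO_KEY,
                    audience: str = API_APP_ID_URI, issuer: str = ISSUER):
    """Web API side: returns (claims, None) on success or (None, reason) on failure."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None, "missing or malformed Bearer token"
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never trust the token's alg
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        return None, "token was issued for a different resource"
    if claims.get("iss") != issuer:
        return None, "unexpected issuer"
    if now >= int(claims.get("exp", 0)):
        return None, "expired"  # the app should now use its refresh token or re-authenticate
    return claims, None
```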