
How data flows when BlackBerry Work uses Office 365 modern authentication

Modern authentication simplifies authentication for developers by providing identity as a service (IDaaS), with support for industry-standard protocols such as OAuth 2.0. Any app that wants to outsource authentication to Microsoft Entra ID (formerly Azure Active Directory) must first be registered in Entra ID; registration uniquely identifies the app in the directory by an app ID (also called the client ID). Entra ID verifies the identity of the users and apps that exist in an organization's directory, and issues security tokens for those users and apps after successful authentication. When the Microsoft Authentication Libraries (MSAL) are used, much of the flow is handled for the developer. When troubleshooting an issue, it helps to understand the flow of data so that you can focus on the point where the flow breaks.
  1. Using a browser pop-up, the BlackBerry Work app makes a request to the authorization endpoint in Entra ID. This request includes the app ID, the redirect URI of the BlackBerry Work app (as shown in the Entra portal), and the app ID URI of the web API. If the user is not already signed in, they are prompted to sign in.
  2. Entra ID authenticates the BlackBerry Work user, who must also consent to the requested permissions if they have not already done so. After successful authentication and consent, Entra ID sends an authorization code response to the redirect URI registered for BlackBerry Work.
  3. When the authorization code response arrives at the redirect URI, the BlackBerry Work app ends the browser interaction and extracts the authorization code from the response. It then sends a request to the Entra ID token endpoint that includes the authorization code, details about the BlackBerry Work app (app ID and redirect URI), and the desired resource (the app ID URI of the web API).
  4. Entra ID validates the authorization code together with the information about the BlackBerry Work app and the web API: the redirect URI must match the one the code was issued to, and a code can be redeemed only once. After successful validation, Entra ID returns two tokens: an access token, which is a JWT, and a refresh token, which is opaque to the app and readable only by Entra ID. It also returns basic information about the user, such as their display name and tenant ID.
  5. Over HTTPS, the BlackBerry Work app sends the access token to the web API in the Authorization header of each request, using the Bearer scheme (Authorization: Bearer <token>). The web API validates the JWT (signature, issuer, audience and expiry) and, if validation succeeds, returns the requested resource.
  6. When the access token expires, the web API rejects it and the BlackBerry Work app receives an error indicating that the token is no longer valid. If the app holds a valid refresh token, it presents that token to the Entra ID token endpoint to acquire a new access token without prompting the user to sign in. If the refresh token has also expired, the BlackBerry Work app must authenticate the user interactively once again.
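The six steps above, condensed into one runnable simulation so the data flow can be traced end to end, including both expiry cases in step 6. This is an added example, not BlackBerry's or Microsoft's code, and it makes several assumptions that are labelled in the comments: every identifier (tenant ID, app ID, redirect URI, app ID URI) is constructed; the stand-in for Entra ID signs tokens with HMAC-SHA256 instead of the RS256 keys Entra ID publishes, so the web API verifies through the stand-in's own `verify` method rather than fetching a JWKS document; token lifetimes are shortened; and the request uses the v1-style `resource` parameter that matches the "app ID URI" wording of the text. The checks a practitioner would look for are all present: redirect URI and app ID enforced at the authorization endpoint, the `state` value matched by the client, the code redeemable once and only against the redirect URI it was issued for, the refresh token rotated on use, and the web API checking signature, issuer, audience and expiry before serving anything.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "11111111-2222-3333-4444-555555555555"        # constructed, as are all IDs below
CLIENT_ID = "66666666-7777-8888-9999-000000000000"        # app ID of the client app (Entra portal)
REDIRECT_URI = "msauth://com.example.work/auth"            # redirect URI registered for that app
API_ID_URI = "api://77777777-8888-9999-0000-111111111111"  # app ID URI of the web API
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
ACCESS_TTL, REFRESH_TTL = 3600, 7200                       # seconds, shortened for the demo
b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()  # JWT base64url, unpadded
b64url_decode = lambda text: base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class EntraStandIn:
    """Authorization and token endpoints. HS256-signed so it runs offline; Entra ID uses RS256 + JWKS."""
    def __init__(self):
        self.key, self.codes, self.refresh_tokens = secrets.token_bytes(32), {}, {}
        self.now = 1_700_000_000  # fake clock shared with the web API, advanced by the demo
    def sign(self, claims: dict) -> str:
        head, body = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{b64url(sig)}"
    def verify(self, token: str) -> dict:  # the signature check a web API does with the JWKS keys
        head, body, sig = token.split(".")
        expected = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise PermissionError("invalid_token: bad signature")
        return json.loads(b64url_decode(body))
    def authorize(self, url: str, signed_in_user: str) -> str:  # steps 1-2
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["client_id"] != CLIENT_ID or q["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unauthorized_client: unknown app or unregistered redirect URI")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["redirect_uri"], q["resource"], signed_in_user)
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"
    def token(self, form: dict) -> dict:  # steps 3-4 (code grant) and step 6 (refresh grant)
        if form["client_id"] != CLIENT_ID:
            raise PermissionError("unauthorized_client")
        if form["grant_type"] == "authorization_code":
            entry = self.codes.pop(form["code"], None)  # pop: a code can be redeemed only once
            if entry is None or entry[0] != form["redirect_uri"]:
                raise PermissionError("invalid_grant: unknown code or redirect URI mismatch")
            _, resource, user = entry
        else:
            entry = self.refresh_tokens.pop(form["refresh_token"], None)  # rotated on every use
            if entry is None or entry[2] <= self.now:
                raise PermissionError("interaction_required")  # the user must sign in again
            user, resource, _ = entry
        access = self.sign({"iss": ISSUER, "aud": resource, "sub": user, "tid": TENANT_ID,
                            "iat": self.now, "exp": self.now + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)  # opaque to the client; only this server can read it
        self.refresh_tokens[refresh] = (user, resource, self.now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": ACCESS_TTL}

def call_web_api(idp: EntraStandIn, authorization: str) -> dict:  # step 5
    if not authorization.startswith("Bearer "):
        raise PermissionError("invalid_request: expected a bearer token")
    claims = idp.verify(authorization[len("Bearer "):])  # signature first, then issuer, audience, expiry
    if claims["iss"] != ISSUER or claims["aud"] != API_ID_URI:
        raise PermissionError("invalid_token: wrong issuer or audience")
    if claims["exp"] <= idp.now:
        raise PermissionError("invalid_token: expired")
    return {"resource": "mailbox", "for": claims["sub"]}

def interactive_sign_in(idp: EntraStandIn, user: str) -> dict:  # client side of steps 1-4
    state = secrets.token_urlsafe(16)
    auth_url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize?" + urlencode(
        {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
         "resource": API_ID_URI, "state": state})
    q = {k: v[0] for k, v in parse_qs(urlparse(idp.authorize(auth_url, user)).query).items()}
    if q["state"] != state:  # the redirect must belong to the request this app just made
        raise PermissionError("state mismatch")
    return idp.token({"grant_type": "authorization_code", "code": q["code"],
                      "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI})

def attempt(label: str, fn, *args) -> str:  # records success or the error the flow produced
    try:
        fn(*args)
        return f"{label}: ok"
    except PermissionError as err:
        return f"{label}: {err}"

def run_flow() -> list:  # the whole flow once, through both expiry cases
    idp, user = EntraStandIn(), "alice@contoso.example"
    tokens = interactive_sign_in(idp, user)
    header = lambda: "Bearer " + tokens["access_token"]  # reads the current tokens each call
    events = [attempt("first api call", call_web_api, idp, header())]
    idp.now += ACCESS_TTL + 1  # the access token has now expired
    events.append(attempt("api call after access token expiry", call_web_api, idp, header()))
    refresh = {"grant_type": "refresh_token", "client_id": CLIENT_ID,
               "refresh_token": tokens["refresh_token"]}
    tokens = idp.token(refresh)  # silent renewal: no browser, no user prompt
    events.append(attempt("api call after silent refresh", call_web_api, idp, header()))
    idp.now += REFRESH_TTL + 1  # the new refresh token has expired too
    refresh["refresh_token"] = tokens["refresh_token"]
    events.append(attempt("silent refresh after refresh token expiry", idp.token, refresh))
    events.append(attempt("interactive sign-in again", interactive_sign_in, idp, user))
    return events
```

Calling `run_flow()` returns five event strings: the first API call succeeds, the call after the access token expires is rejected by the web API with `invalid_token: expired`, the silent refresh restores access without any user interaction, the refresh attempt after the refresh token has also expired comes back as `interaction_required`, and a second interactive sign-in then succeeds. When debugging a real deployment, the same sequence tells you which hop to look at: a failure in `authorize` points at the app registration (app ID or redirect URI), a failure in `token` at the code or refresh token, and a failure in the web API at the token's signature, audience or lifetime.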