
I have a very specific setup:

Logged-In CRM User (client script)
  -> makes a REST call to
MyRestServer (Node.js)
  -> makes a Web API call to
CRM

NOTE: NO user redirect (no ADAL)! Everything must work "under the hood"; the user must not log in or anything (as he already is).


MyRestServer wants to fire requests against the CRM on behalf of the Logged-In CRM User.

What I achieved:

  • MyRestServer has a static username, password, clientId and clientSecret and acquires a token for an admin user.
  • With the acquired token I can trigger any operation on the Web API.
  • But I want to act as the Logged-In User (with his restrictions).

How can I achieve this, as I cannot get the username and password of the Logged-In user?

I can send MyRestServer any information the browser provides (like tokens), but I don't know how I can transform/evaluate them so that MyRestServer acts with the Logged-In user's rights.

IntegerWolf

1 Answer

If you are using AAD to authenticate your users, or if your CRM is using the OAuth 2.0 flow to authenticate your users, then after the user finishes authentication you can get their access tokens, which should be in JWT format. You can use any JWT module to decode the access tokens and get the users' payload.

E.g., if your authentication flow is using OAuth 2.0, you get access tokens in a format similar to eyJ0....eyJh....xyz....; you can quickly decode the payload on https://jwt.io/.

In node.js, you can leverage https://github.com/auth0/node-jsonwebtoken to decode the token.

var jwt = require('jsonwebtoken');
var token = '<access_token>';   // the access token the browser sent along

// decode the payload only; jwt.decode() does not verify the signature
var decoded = jwt.decode(token);
console.log(decoded);

// decode both the header and the payload
var complete = jwt.decode(token, {complete: true});
console.log(complete.header);
console.log(complete.payload);
Gary Liu
  • I do not see how this helps to act with my external server as the logged-in user. I can neither use his token nor alter it (as it would get invalid). See http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/. It's also not possible to set the actOnBehalf header (I tried). I think it's just not possible – IntegerWolf Sep 30 '16 at 07:26