I have extensive experience with Micrsoft Power Platform and REST API’s and the Microsoft authentication protocol. I can emulate all of the authentication steps in POSTMAN so my question is more directed to how I need to set up Bubble to execute the authentication.
I have avoided third party plugins as I do not want to expose any of the Microsoft Tenant keys etc. outside of my Bubble app.
I have approached this from two different methods.
- Manually setting up users, running API’s to authenticate users and obtain access tokens etc.
- Attempted to use the Bubble API Oauth2 User-Agent Flow.
For the first approach above, I have established the following:
a. On a sign-in/login page, set up a workflow when a user enters their credentials etc. and selects Sign-in. The workflows executes as follows:
- Obtain the domain name from the email address (using Regular Expression etc.).
- Look up in the accounts DB for the domain and if listed, obtain the unique domain (account) ID number. (Note, accounts relate to Microsoft tenants that have my application registered. The accounts have tenant id, client id, secret id etc.)
- Check to see if the user has already established a user account and if so, display an alert. No further workflow action. (User proceeds to login process via login button).
- If the user is a new user, sign in the new user (user DB populated with new user credentials) and formulate a URL call to obtain a user ID code (first step in Oauth2 process)
(Note that I attach to the URL request a state that is the user ID in my application. This enables me to correlate the returned user code to the correct user).
- External URL runs, user logs in and accepts application access to their Microsoft account, the MS tenant then sends a user code to the redirect URL ( in my case https://domain/auth).
- When the redirect URL page opens, I fire a workflow on page load that strips the URL header and obtain the user code and the user ID (state).
- Once I have the user code and user ID, I then initiate an API flow to run that submits the details to the Microsoft tenant and returns an Access Token.
I successfully obtain an access token from the API. At this point, I accept the user as being an authenticated user confirmed from the Microsoft tenant. I want to store the access token with the appropriate user, and then have that user validated as ‘logged in’. With the access token, I can run the MS Graph API to execute the various REST API calls that are needed.
At this point, all the heavy lifting seems to be done. My problem is twofold:
a. I am struggling to save the access token (update thing) to the user DB from the redirect URL page. I am using the Update Thing as follows:
I am identifying the appropriate user in the user DB by aligning the user ID with the ‘state’ value returned with the redirect URL header. I am then trying to write the access code obtained from the API (later set to a ‘Set State’ called auth’s access-token). The access token value will NOT write to the user DB.
b. Once I can confirm authentication with the access token, I want to set the user as the logged-in current user and then direct them to the user main menu page etc. I do not see how to do this other than log in the user under account workflow but it requires that I know the Password etc.
I would be very grateful for any suggestions as I am sure my issue is my lack of Bubble experience and I am so close to completing this part of the application.
Once I have this resolved, I plan to share my solution with the bubble user community for others to use.
Having stated the above, it is a completely manual process and requires a lot of the heavy lifting with my bubble app.
I mentioned above about being aware of the Bubble API with the Oauth2 User-Agent Flow. I have no experience with this at all and the documentation is not that detailed to really figure this out. If this API essentially handles the user sign-in/log-in as well as the oauth2 authentication with a Microsoft tenant (user codes, redirect URL’s, etc.) and results in a user access token being obtain as well as refreshing tokens as necessary (all the heavy lifting) I am totally open to using this but detailed guidance on the set up and use of this API would be also greatly appreciated.