OAuth2 authentication with Microsoft Azure

I have extensive experience with Microsoft Power Platform and REST APIs and the Microsoft authentication protocol. I can emulate all of the authentication steps in POSTMAN, so my question is more directed to how I need to set up Bubble to execute the authentication.

I have avoided third party plugins as I do not want to expose any of the Microsoft Tenant keys etc. outside of my Bubble app.

I have approached this from two different methods.

  1. Manually setting up users, running APIs to authenticate users and obtain access tokens etc.
  2. Attempted to use the Bubble API OAuth2 User-Agent Flow.

For the first approach above, I have established the following:
a. On a sign-in/login page, set up a workflow when a user enters their credentials etc. and selects Sign-in. The workflow executes as follows:

  1. Obtain the domain name from the email address (using Regular Expression etc.).
  2. Look up in the accounts DB for the domain and if listed, obtain the unique domain (account) ID number. (Note, accounts relate to Microsoft tenants that have my application registered. The accounts have tenant id, client id, secret id etc.)
  3. Check to see if the user has already established a user account and if so, display an alert. No further workflow action. (User proceeds to login process via login button).
  4. If the user is a new user, sign in the new user (user DB populated with new user credentials) and formulate a URL call to obtain a user ID code (first step in the OAuth2 process).

(Note that I attach to the URL request a state that is the user ID in my application. This enables me to correlate the returned user code to the correct user).

  5. External URL runs, user logs in and accepts application access to their Microsoft account, the MS tenant then sends a user code to the redirect URL (in my case https://domain/auth).
  6. When the redirect URL page opens, I fire a workflow on page load that strips the URL header and obtains the user code and the user ID (state).
  7. Once I have the user code and user ID, I then initiate an API flow to run that submits the details to the Microsoft tenant and returns an Access Token.

I successfully obtain an access token from the API. At this point, I accept the user as being an authenticated user confirmed from the Microsoft tenant. I want to store the access token with the appropriate user, and then have that user validated as ‘logged in’. With the access token, I can run the MS Graph API to execute the various REST API calls that are needed.

At this point, all the heavy lifting seems to be done. My problem is twofold:

a. I am struggling to save the access token (update thing) to the user DB from the redirect URL page. I am using the Update Thing as follows:

I am identifying the appropriate user in the user DB by aligning the user ID with the ‘state’ value returned with the redirect URL header. I am then trying to write the access code obtained from the API (later set to a ‘Set State’ called auth’s access-token). The access token value will NOT write to the user DB.

b. Once I can confirm authentication with the access token, I want to set the user as the logged-in current user and then direct them to the user main menu page etc. I do not see how to do this other than log in the user under account workflow but it requires that I know the Password etc.

I would be very grateful for any suggestions as I am sure my issue is my lack of Bubble experience and I am so close to completing this part of the application.

Once I have this resolved, I plan to share my solution with the bubble user community for others to use.

Having stated the above, it is a completely manual process and requires a lot of the heavy lifting with my bubble app.

I mentioned above about being aware of the Bubble API with the OAuth2 User-Agent Flow. I have no experience with this at all and the documentation is not detailed enough to really figure this out. If this API essentially handles the user sign-in/log-in as well as the OAuth2 authentication with a Microsoft tenant (user codes, redirect URLs, etc.) and results in a user access token being obtained as well as refreshing tokens as necessary (all the heavy lifting), I am totally open to using this, but detailed guidance on the set up and use of this API would also be greatly appreciated.

Thank You.

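The authorization-code steps described in the post above (build the authorize URL with a state, read code and state back from the redirect, exchange the code server-side, store the token on the matched user), as an added example that is not the poster's or Bubble's code. It assumes in-memory stores and placeholder tenant/client values; the one deliberate difference from the post is that the state is a random single-use value mapped to the user server-side, rather than the user ID itself, so the redirect cannot be replayed or tied to a guessed user.

```python
# Added example: the poster's OAuth2 authorization-code steps with the state
# bound to a user server-side. Stores and tenant/client values are constructed.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"  # Microsoft identity platform
REDIRECT_URI = "https://domain/auth"             # the post's redirect URL (placeholder host)

pending_states = {}  # state -> user_id (constructed in-memory store)
users = {}           # user_id -> record  (constructed in-memory store)

def start_login(user_id, tenant_id, client_id):
    """Step 4: build the authorize URL. The state is random and mapped to the
    user server-side, so a guessable user ID never appears in the URL."""
    state = secrets.token_urlsafe(32)
    pending_states[state] = user_id
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile User.Read offline_access",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"

def handle_redirect(redirect_url):
    """Steps 5-6: read code and state from the redirect and accept the state
    only once. Returns (user_id, code), or None if the state is unknown/used."""
    qs = parse_qs(urlparse(redirect_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    user_id = pending_states.pop(state, None)  # single use: a replay finds nothing
    if user_id is None or code is None:
        return None
    return user_id, code

def token_request(tenant_id, client_id, client_secret, code):
    """Step 7: endpoint and form body for the token exchange. This is sent from
    the server, so the client secret never reaches the browser."""
    body = {"client_id": client_id, "client_secret": client_secret, "code": code,
            "redirect_uri": REDIRECT_URI, "grant_type": "authorization_code"}
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body

def store_token(user_id, token_response):
    """Save the returned tokens on the matched user and mark them logged in."""
    rec = users.setdefault(user_id, {})
    rec["access_token"] = token_response["access_token"]
    rec["refresh_token"] = token_response.get("refresh_token")
    rec["logged_in"] = True
    return rec
```

The real token call is an HTTPS POST of `body` to the returned endpoint; the token response is passed to `store_token` unchanged.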

Hello @ricki.boyle welcome to the community!

You are on the right track. The particulars of the problem may be due to the initialization of api calls once you have a token that you can pass to get refresh one or ones.

I have not gone in detail through your well explained post.

So, my suggestion may be way out of “whack” but I would still like to share it to see if it may help.

Consider reading through how this OAuth is put together for a Hubspot integration. It is well explained and could shed some light on some missing step or angle that you may not be considering.

Hope it helps. @ambroisedlg did a heck of a job putting this together! :smiley:


Thank you @cmarchan for your reply and assistance. The included reference from ambroisedlg was most helpful and I was able to make some adjustments to more closely emulate the same workflow function.

What I am struggling with now is that when I am running my workflows, capturing the user email address and then doing lookups to qualify against their Microsoft tenant (OAuth API calls and getting an access token, then MS Graph/user API call) as a ‘qualified user’, the workflow is functioning without any ‘logged in’ users. As such, as I attempt to do data searches (building external URL with tenant IDs, redirect URLs etc.) from the DB in the various workflow steps, the searches are coming up empty when running in the live environment. I am also unable to add data to an existing user record. I believe this to be related to the authorized access to the DB (accounts and users) and how privacy rules are set up when there is no logged in user. I will research the forum for a solution for this as I am certain this has been experienced by others, but if someone can direct me to a forum solution that would be greatly appreciated.