locked
MS CRM 2013 Online web services authentication from iframe and impersonation RRS feed

  • Question

  • We have an ASP.NET MVC 4 application that runs inside an iframe in MS CRM 2013. The web application uses the MS CRM web services (Organization web service) to retrieve and save data. To do so, it needs to authenticate. For on-premises we are using windows authentication and impersonate with the currently logged user in MS CRM (user id is passed to the iframe URL). It works like a charm.

    How can we achieve this in MS CRM 2013 Online? Impersonation itself should not be a problem but how can our application authenticate to the MS CRM web services on the first place? Multiple MS CRM customers may use our application, so configuration from our customers' point of view should not be too hard (actually it should be as simple as possible). 

    EDIT:

    To share the development of the question:

    As pointed out by Scott Durow in another forum (thanks Scott!) one solution would be the user to provide credentials of a MS CRM user with ActOnBehalf privilege and these credentials to be securely stored by our application. Impersonation is done the same way as described above. Scott suggested that it will be more secure if we use OAuth and it is so indeed. So my question now is:

    Let's say we go for the OAuth approach. In our case the user is already logged in to MS CRM Online because he/she is opening our application in an iframe within MS CRM. Will the user still be asked for credentials or he/she will be immediately redirected back to our application with the token because he/she is already logged in? It will not be practical if the user is asked for credentials again. Our goal is to simplify user experience as much as possible and avoid prompting for credentials and/or storing these credentials.

    Thanks in advance!

    • Edited by Enoch Wallace Friday, April 4, 2014 12:17 PM question development
    Thursday, April 3, 2014 7:43 PM