Deprecation of Basic Auth for SaaS has been postponed to 2022

7 Jan

Good news: Microsoft decided to postpone the deprecation of Web Service Access Keys (Basic Authentication) until version 2022 wave 1. See confirmation here:

Originally the plan was to remove basic authentication with version 2021 wave 1. Integrations with Business Central APIs should be using OAuth instead. However, currently it’s only possible to use a user-interactive OAuth flow, the Authorization Code flow. But basic authentication provided a way to call APIs without any user interaction, and that’s how many partners have been using it.

OAuth does support a way to authenticate without any user interaction. That is called the Client Credentials flow, aka service-to-service authentication. This is the best scenario for processes that run in the background without any UI to authenticate against external APIs. Business Central supports this flow for the automation APIs, as I’ve explained here. This should also become available for the standard APIs. Many partners were eagerly waiting for this because they wanted to switch to OAuth before basic authentication was deprecated.

Now that this has been postponed, partners will have more time to get prepared. There is no information yet on when the service-to-service authentication will become available. As far as I know, it’s not for a technical reason that it hasn’t been enabled yet. It’s a matter of licensing. Because those service accounts are created in a different way, they can’t be assigned a Business Central license as you do with normal users. It’s my educated guess that this needs to be solved first before we get our hands on it.

Actually, I was preparing for a blog post about implementing the Resource Owner Password Credentials flow. I got it to work, the only user interaction is the AAD App registration in Business Central. However, it does not support Multi Factor Authentication (MFA). Because this OAuth flow is less secure and requires more setup compared to using the web service access key, I think we should stick with basic authentication for the time being. Well, only for background services of course. If you have an integration that has any form of user interaction, then you should implement the authorization code flow!
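As an added example (not code from the original post), here is a side-by-side of the two non-interactive options discussed above, in Python: the legacy Basic header built from a web service access key, and the Client Credentials token request plus a pre-flight check on the token before it is sent as a Bearer header. The AAD token endpoint, the Business Central scope and the expected `aud` value are my assumptions, and the unsigned sample-token helper is constructed for local testing only.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # assumed
BC_RESOURCE = "https://api.businesscentral.dynamics.com"                            # assumed aud
BC_SCOPE = BC_RESOURCE + "/.default"

def basic_auth_header(username: str, web_service_access_key: str) -> str:
    """Legacy path: the long-lived access key travels with every single request."""
    raw = f"{username}:{web_service_access_key}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def client_credentials_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Token request for the Client Credentials flow (service-to-service, no UI).
    The secret goes only to the AAD token endpoint, never to the Business Central API."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant_id),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": BC_SCOPE,
        }),
    }

def decode_jwt_claims(token: str) -> dict:
    """Read a JWT payload for inspection only (no signature check; the API validates it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_usable(token: str, now: float, min_remaining: int = 60) -> bool:
    """Refresh gate: token must target Business Central and keep min_remaining seconds of life."""
    claims = decode_jwt_claims(token)
    return claims.get("aud") == BC_RESOURCE and claims.get("exp", 0) - now > min_remaining

def unsigned_sample_token(claims: dict) -> str:
    """Constructed test token: real AAD tokens are signed; this one is for local tests only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.x"
```

A background job would POST `client_credentials_request(...)` to AAD, cache the returned `access_token`, and call `token_usable` before each API request so it refreshes ahead of `exp` instead of failing mid-run.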

So, this blog post is completely different than I was planning for and way shorter than my usual blog posts. 😄
