Good news: Microsoft decided to postpone the deprecation of Web Service Access Keys (Basic Authentication) until version 2022 wave 1. See confirmation here: https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/upgrade/deprecated-features-platform#changes-in-2022-release-wave-1-version-200
Originally the plan was to remove basic authentication with version 2021 wave 1. Integrations with Business Central APIs should be using OAuth instead. However, currently it’s only possible to use a user-interactive OAuth flow, the Authorization Code flow. But basic authentication provided a way to call APIs without any user interaction, and that’s how many partners have been using it.
OAuth does support a way to authenticate without any user interaction. That is called the Client Credentials flow, aka service-to-service authentication. This is the best scenario for processes that run in the background without any UI to authenticate against external APIs. Business Central supports this flow for the automation APIs, as I’ve explained here. This should also become available standard APIs. Many partners were eagerly waiting for this because they wanted to switch to OAuth before basic authentication was deprecated.
Now that this has been postponed, partners will have more time to get prepared. There is no information yet when the service-to-service authentication will become available. As far as I know, it’s not for a technical reason that it hasn’t been enabled yet. It’s a matter of licensing. Because those service accounts are created in a different way, they can’t be assigned a Business Central license as you do with normal users. It’s my educated guess that this needs to solved first before we get our hands on it.
Actually, I was preparing for a blog post about implementing the Resource Owner Password Credentials flow. I got it to work, the only user interaction is the AAD App registration in Business Central. However, it does not support Multi Factor Authentication (MFA). Because this OAuth flow is less secure and requires more setup compared to using the web service access key, I think we should stick with basic authentication for the time being. Well, only for background services of course. If you have an integration that has any form of user interaction, then you should implement the authorization code flow!
So, this blog post is completely different then I was planning for and way shorter than my usual blog posts. 😄
Hi Kauffmann,
Do we still able to connect BC 18.0 SaaS APIs with Web Service Access Keys (Basic Authentication)? How? Do we need to change any settings or simply by User ID & Web Service Access Keys?
Thanks
Yes, that is possible until 2022 wave 1.
Hi AJK, do you know if the Client Credentials Flow can already be used for the standard API’s. Currently we experience issues with the authentication however it was no problem to get a token. Our customer has to expose API’s for a third party and we would like to implement this and not wait until Basic Auth is deprecated
Client credentials flow is planned for July according to the documentation: https://docs.microsoft.com/en-us/dynamics365-release-plan/2021wave1/smb/dynamics365-business-central/service-service-authentication
What kind of issues do you have?
Thx for your reply, the issue that we are having now that with testing from Postman we can acquire a token but if we use the token with the API call an authorization error is thrown.
That is correct. But it should work when version 18.3 hits the street.
Does anyone know if Microsoft is still planning to do it in 2022 ? Couldn’t find it on their Deprecated Feature any more ?
Yes, it will happen with version 20: https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/upgrade/deprecated-features-platform#changes-in-2022-release-wave-1-version-200