Business Central : Oauth2 authentication

Question

I'm try to configure integration between Business Central on premise 19.6 with Azure AD.

User authentication work fine

But when I try the configuration for OAuth2 service to service follow the instruction https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/automation-apis-using-s2s-authentication I cannot connect to service.

I get the token from the https://login.microsoftonline.com/ /oauth2/v2.0/token

but when i pass to Business Central api as Berear token I get the error:

"error": {
        "code": "Unknown",
        "message": "IDX10501: Signature validation failed. Unable to match key: \nkid: 'System.String'.\nExceptions caught:\n 'System.Text.StringBuilder'. \ntoken: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.  CorrelationId:  <Guid>."
  }

On the server event viewer I have the error:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="Microsoft-DynamicsNAV-Server" Guid="{85423fd1-c021-5a63-f214-c4819f8809f3}" /> 
  <EventID>216</EventID> 
  <Version>1</Version> 
  <Level>2</Level> 
  <Task>13</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x4000f00000000001</Keywords> 
  <TimeCreated SystemTime="2022-08-29T16:17:45.774819400Z" /> 
  <EventRecordID>437</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4064" ThreadID="5832" /> 
  <Channel>Microsoft-DynamicsNAV-Server/Admin</Channel> 
  <Computer>The computer FQDN</Computer> 
  <Security UserID="Business Central Service User Id" /> 
  </System>
- <EventData>
  <Data Name="serverInstanceName">BC190</Data> 
  <Data Name="navTenantId" /> 
  <Data Name="environmentName" /> 
  <Data Name="environmentType" /> 
  <Data Name="message">Type: Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException Message: IDX10501: Signature validation failed. Unable to match key: kid: 'System.String'. Exceptions caught: 'System.Text.StringBuilder'. token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'. StackTrace: at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.Dynamics.Nav.Runtime.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics) at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl) at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException, IEnumerable`1 bearerValidationExtensions, String userAadObjectIdToImpersonate) at Microsoft.Dynamics.Nav.Service.OwinAuthenticationHelper.AuthenticateForServiceCall(IOwinRequest request, Func`3 createException, IEnumerable`1 bearerValidationExtensions) at Microsoft.Dynamics.Nav.Service.OData.Extensions.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request) at System.Lazy`1.CreateValue() at System.Lazy`1.LazyInitValue() at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.CreateNavService(NavCancellationToken cancellationToken) at Microsoft.Dynamics.Nav.Service.OData.Modeling.NavODataCachedModelBuilder`2.Build(INavServiceEnvironment serviceEnvironment) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteBuilder.GetEdmModelWithLogging(IServiceProvider serviceProvider) at lambda_method(Closure , ServiceProviderEngineScope ) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request) at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request) at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Web.Http.HttpServer.<SendAsync>d__24.MoveNext() Source: System.IdentityModel.Tokens.Jwt HResult: -2146233088 StackTrace: at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.Dynamics.Nav.Runtime.NavJwtSecurityTokenFactory.CreateAndValidateWithAudienceList(String serializedToken, FederationMetadataProvider federationMetadataProvider, IEnumerable`1 allowedAudiences, String tokenId, NavDiagnostics diagnostics) at Microsoft.Dynamics.Nav.Service.WebServiceBearerAuthenticator.TryAuthenticateUser(String authorizationHeader, Uri requestUrl) at Microsoft.Dynamics.Nav.Service.ServiceAuthenticationHelper.AuthenticateForServiceCall(Uri uri, String authorizationValue, Func`3 createException, IEnumerable`1 bearerValidationExtensions, String userAadObjectIdToImpersonate) at Microsoft.Dynamics.Nav.Service.OwinAuthenticationHelper.AuthenticateForServiceCall(IOwinRequest request, Func`3 createException, IEnumerable`1 bearerValidationExtensions) at Microsoft.Dynamics.Nav.Service.OData.Extensions.HttpRequestMessageExtensions.Authenticate(HttpRequestMessage request) at System.Lazy`1.CreateValue() at System.Lazy`1.LazyInitValue() at Microsoft.Dynamics.Nav.Service.OData.NavServiceEnvironment.CreateNavService(NavCancellationToken cancellationToken) at Microsoft.Dynamics.Nav.Service.OData.Modeling.NavODataCachedModelBuilder`2.Build(INavServiceEnvironment serviceEnvironment) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteBuilder.GetEdmModelWithLogging(IServiceProvider serviceProvider) at lambda_method(Closure , ServiceProviderEngineScope ) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType) at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer, Boolean template) at Microsoft.AspNet.OData.Routing.DefaultODataPathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4PathHandler.Parse(String serviceRoot, String odataPath, IServiceProvider requestContainer) at Microsoft.Dynamics.Nav.Service.OData.V4.NavODataV4RouteConstraint.Match(HttpRequestMessage request, IHttpRoute route, String parameterName, IDictionary`2 values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraint(HttpRequestMessage request, Object constraint, String parameterName, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.ProcessConstraints(HttpRequestMessage request, HttpRouteValueDictionary values, HttpRouteDirection routeDirection) at System.Web.Http.Routing.HttpRoute.GetRouteData(String virtualPathRoot, HttpRequestMessage request) at System.Web.Http.HttpRouteCollection.GetRouteData(HttpRequestMessage request) at System.Web.Http.Dispatcher.HttpRoutingDispatcher.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.DelegatingHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Web.Http.HttpServer.<SendAsync>d__24.MoveNext()</Data> 
  </EventData>
  </Event>

Any idea how to solve or investigate the problem?

Thanks Lorenzo Trento - Italy

Answer 1

Had the same error today.

Finally we managed to solve this issue. We are now able to communicate with BC on Prem. It was a configuration error in our app registration. So first you have to check your requests with postman and solve these errors.

In the app registration under "Expose an API" we had to add a scope "default". Also we had to add this scope under "API Permissions". In BC we had to "grant access" under "Azure Active Directory Applications". In your request you have to set the scope to "api://YOURAPPID/"

The solution was to first make it work with postman. If you try it directly from your application you will get errors which will lead you to wrong assumptions.