
How data flows when BlackBerry Work uses Office 365 modern authentication

Modern authentication simplifies authentication for developers by providing identity as a service (IaaS), with support for industry-standard protocols such as OAuth 2.0. Any app that wants to outsource authentication to Azure Active Directory must first be registered in Azure AD, which registers and uniquely identifies the app in the directory with an app ID. Azure AD is responsible for verifying the identity of users and apps that exist in an organization’s directory, and then issuing security tokens for these users and apps after successful authentication. When using the Azure Active Directory Authentication Libraries (ADAL), much of the flow is handled for the developer. When troubleshooting an issue, it is helpful to understand the flow of data so you can focus on the point where the data flow breaks.
1. Using a browser pop-up, the BlackBerry Work app makes a request to the authorization endpoint in Azure AD. This request includes the app ID, the redirect URI of the BlackBerry Work app (as shown in the Azure Portal), and the app ID URI for the web API. If the user hasn’t already signed in, they are prompted to sign in.
2. Azure AD authenticates the BlackBerry Work user, and the user is required to consent if they haven’t already done so. After consent is granted and authentication succeeds, Azure AD issues an authorization code response back to the redirect URI used by BlackBerry Work.
3. When Azure AD issues the authorization code response to the redirect URI, the BlackBerry Work app stops browser interaction and extracts the authorization code from the response. Using this authorization code, the BlackBerry Work app sends a request to the Azure AD token endpoint that includes the authorization code, details about the BlackBerry Work app (app ID and redirect URI), and the desired resource (the app ID URI for the web API).
4. Azure AD validates the authorization code and the information about the BlackBerry Work app and the web API. After successful validation, Azure AD returns two tokens: a JWT access token and a JWT refresh token. In addition, Azure AD returns basic information about the user, such as their display name and tenant ID.
5. Over HTTPS, the BlackBerry Work app sends the returned JWT access token as a “Bearer” credential in the Authorization header of its request to the web API. The web API then validates the JWT and, if validation succeeds, returns the requested resource.
6. When the access token expires, the BlackBerry Work app receives an error indicating that the user needs to authenticate again. If the BlackBerry Work app has a valid refresh token, it can use it to acquire a new access token without prompting the user to sign in again. If the refresh token has also expired, the BlackBerry Work app must interactively authenticate the user once again.
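The six steps above, walked through as an added Python simulation (not BlackBerry or Microsoft code): it builds the step 1 authorization request, checks the state on the step 2/3 redirect before extracting the code, shapes the step 3 token request, and shows the web API check from steps 5 and 6 that distinguishes an expired access token (refresh token time) from an invalid one. The app ID, redirect URI and resource URI are placeholders, the v1 authorize endpoint is assumed, and the demo tokens are HS256-signed with a shared key purely so the example runs offline; Azure AD itself issues RS256 tokens verified against its published keys.

```python
"""Simulated Azure AD v1 authorization-code flow (steps 1 to 6 above). Constructed demo:
HS256 tokens stand in for the RS256 tokens Azure AD issues; IDs/URIs are placeholders."""
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app ID from the Azure Portal
REDIRECT_URI = "com.example.work://auth"         # placeholder redirect URI of the app
RESOURCE = "https://outlook.office365.com"       # web API app ID URI (assumed value)
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"  # v1 endpoint

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_authorize_url(state: str) -> str:
    # Step 1: app ID, redirect URI and the web API's app ID URI go in the query string.
    q = {"response_type": "code", "client_id": APP_ID, "redirect_uri": REDIRECT_URI,
         "resource": RESOURCE, "state": state}
    return f"{AUTHORIZE}?{urlencode(q)}"

def extract_code(redirect: str, expected_state: str) -> str:
    # Step 3: pull the code off the redirect; state must echo what we sent in step 1.
    q = parse_qs(urlparse(redirect).query)
    if q.get("state") != [expected_state]:
        raise ValueError("state mismatch: authorization response was not ours")
    return q["code"][0]

def token_request(code: str) -> dict:
    return {"grant_type": "authorization_code", "code": code, "client_id": APP_ID,
            "redirect_uri": REDIRECT_URI, "resource": RESOURCE}

def mint_jwt(claims: dict, key: bytes) -> str:
    # Step 4 stand-in: a demo access token signed with a shared key (not how Azure AD signs).
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_bearer(auth_header: str, key: bytes, now: float) -> str:
    # Steps 5/6: the web API validates "Authorization: Bearer <jwt>"; expiry is reported apart.
    scheme, _, tok = auth_header.partition(" ")
    if scheme != "Bearer" or tok.count(".") != 2:
        return "invalid"
    head, body, sig = tok.split(".")
    want = _b64url(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, want):
        return "invalid"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != RESOURCE:
        return "invalid"
    return "expired" if claims.get("exp", 0) <= now else "ok"
```

When troubleshooting, the "invalid" versus "expired" split is the useful one: "expired" means the refresh-token path of step 6 should run, while "invalid" points at a wrong audience (resource), a tampered token, or a malformed header.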