Troubleshooting and developing OAuth-enabled applications with Dynamics 365

2016-12-11 | apurvghai | Dynamics CRM SDK | C#

OAuth applications can be developed using Dynamics 365 Online and OnPremise versions. Let’s see these in more detail:




  • The Authorization Server is the v2.0 endpoint. It is responsible for ensuring the user's identity, granting and revoking access to resources, and issuing tokens. It is also known as the identity provider: it securely handles anything to do with the user's information, their access, and the trust relationships between parties in a flow.
  • The Resource Owner is typically the end-user. It is the party that owns the data, and has the power to allow third parties to access that data, or resource.
  • The OAuth Client is your app, identified by its Application Id. It is usually the party that the end-user interacts with, and it requests tokens from the authorization server. The client must be granted permission to access the resource by the resource owner.
  • The Resource Server is where the resource or data resides. It trusts the Authorization Server to securely authenticate and authorize the OAuth Client, and uses Bearer access_tokens to ensure that access to a resource can be granted.

You can read the complete details in the Microsoft Azure documentation:


In our scenario, we will register our C# application in the Azure management portal. Read more to create apps in C#. Let’s see how this works in real time. I will demonstrate this through an image.


Let’s dissect to understand the parameter values:

  • Client ID : 32-Digit Guid registered in Azure
  • Resource Url: Fully Qualified Dynamics 365 Url (ex:
  • Oauth Endpoint: Fully Qualified Azure Oauth endpoint url (should be retrieved dynamically). See this post: Sample:<tenantId>/oauth2/authorize?

Passing these to the ADAL library will prompt the user with the Office 365 logon page.

You can visit Developer Center to see how to obtain Dynamics 365 Endpoint Urls:

Each function in ADAL, when used in a C# application, is an async function. This means you will be using Task (System.Threading.Tasks.Task), and if the application fails to connect or authenticate you will receive a “Task has been canceled” exception. You will then need to expand the exception dialog in Visual Studio to see the inner exception.

See example:

Program app = new Program();
 Task.WaitAll(Task.Run(async () => await app.CreateMyReordsAsync())); 

Function definition

async Task CreateMyReordsAsync()
{
    WebApiOperationHelper apihelper = new WebApiOperationHelper();
    apihelper.BaseOrganizationApiUrl = "";
    apihelper.ObtainOAuthToken(); //Let's say this step failed.

    // The token is only populated when authentication succeeded.
    if (!(string.IsNullOrEmpty(apihelper.AccessToken)))
    {
        //Success go
    }
}
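To see the inner exception without the Visual Studio dialog, catch the AggregateException that Task.WaitAll throws and walk each InnerException chain. This is an added example, not code from the original post; the two failing token steps are constructed stand-ins for the ADAL call.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

class InnerExceptionDemo
{
    // Constructed failure: stands in for a token request that faults underneath the await.
    static async Task FaultingTokenStepAsync()
    {
        await Task.Delay(50);
        throw new InvalidOperationException("Token acquisition failed",
            new TimeoutException("Constructed inner cause: sign-in endpoint did not respond"));
    }

    // Constructed cancellation: the awaited call is abandoned after 100 ms.
    static async Task CanceledTokenStepAsync()
    {
        using (var cts = new CancellationTokenSource(100))
            await Task.Delay(Timeout.Infinite, cts.Token);
    }

    // Flattens nested AggregateExceptions, then follows each InnerException chain.
    static List<string> Describe(AggregateException aggregate)
    {
        var lines = new List<string>();
        foreach (Exception top in aggregate.Flatten().InnerExceptions)
        {
            int depth = 0;
            for (Exception e = top; e != null; e = e.InnerException, depth++)
                lines.Add(new string(' ', depth * 2) + e.GetType().Name + ": " + e.Message);
        }
        return lines;
    }

    static void Main()
    {
        try
        {
            Task.WaitAll(Task.Run(() => FaultingTokenStepAsync()),
                         Task.Run(() => CanceledTokenStepAsync()));
        }
        catch (AggregateException ex) // Task.WaitAll wraps task failures in AggregateException
        {
            foreach (string line in Describe(ex))
                Console.WriteLine(line);
        }
    }
}
```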


Let’s see the complete application flow in Fiddler:

#  Result  Protocol  Host  URL  Body  Caching  Content-Type 
2  200  HTTP  Tunnel to  0     
3  401  HTTPS  /api/data/v8.1  49    text/html 
4  200  HTTP  Tunnel to  0     
5  302  HTTPS  /<tenantid>/oauth2/authorize?<clientid>&response_type=code&redirect_uri=http%3A%2F%2Fgo%2F&client-request-id=4e9ee0d9-516a-455a-9f5d-373eea250208&prompt=login&x-client-SKU=.NET&x-client-Ver=  391  private  text/html; charset=utf-8 
6  200  HTTP  Tunnel to  0     
7  200  HTTPS  /<tenantId>/oauth2/authorize?<clientid>&response_type=code&redirect_uri=http%3A%2F%2Fgo%2F&client-request-id=4e9ee0d9-516a-455a-9f5d-373eea250208&prompt=login&x-client-SKU=.NET&x-client-Ver=  12,572  no-cache, no-store; Expires: -1  text/html; charset=utf-8 
8  200  HTTPS  /common/instrumentation/reportpageload  264  private  application/json; charset=utf-8 
9  200  HTTPS  /common/userrealm/?  237  private  application/json; charset=utf-8 
10  200  HTTP  Tunnel to  0     
11  200  HTTPS  /pull?channel=p_730503133&seq=28&partition=-2&clientid=4b5b6dbc&cb=gayo&idle=320&qp=y&cap=8&pws=fresh&isq=9879&msgs_recv=28&uid=730503133&viewer_uid=730503133&sticky_token=4&sticky_pool=ash3c07_chat-proxy  28  private, no-store, no-cache, must-revalidate  application/json 
12  302  HTTPS  /<tenantid>/login  741  no-cache, no-store; Expires: -1  text/html; charset=utf-8 
13  200  HTTP  Tunnel to  0     
14  200  HTTPS  /<tenantid>/oauth2/token  3,148  no-cache, no-store; Expires: -1  application/json; charset=utf-8 
15  200  HTTP  Tunnel to  0     
16  200  HTTPS  /api/data/v8.1/contacts?$select=firstname&$filter=contains(firstname,'Peter')  124  no-cache; Expires: -1  application/json; odata.metadata=minimal 

 Let’s double click Frame 3#

GET<ClientID/oauth2/authorize?<ClientId>&response_type=code&redirect_uri=http%3A%2F%2Fgo%2F&client-request-id=4e9ee0d9-516a-455a-9f5d-373eea250208&prompt=login&x-client-SKU=.NET&x-client-Ver= HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
Host:
Connection: Keep-Alive

This is the request sent to the universal online URL. When we look at the result in Frame 14#, we see the response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
client-request-id: 4e9ee0d9-516a-455a-9f5d-373eea250208
x-ms-request-id: 4178e998-36e1-4dd7-ab56-8ebd0936904a
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: esctx=AQABAAAAAADRNYRQ3dhRSrm-4K-adpCJdtApztEfq-GRTdvfueyNhBbkavXHFfnJCcP7lrKEtfnxxYThlX9R_wwMC_36VsfpmQe2a-K8OoAeJfc0EfP1o2SRDXwCPkmzHMDp5pU7XnFBDyupj7pXj2YSavw-coII5LgmagCSKlZCPG_ZBiygejDCDTdzsbtBG0tv1QXNnikgAA;; path=/; secure; HttpOnly
Set-Cookie: x-ms-gateway-slice=006; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Sun, 11 Dec 2016 16:12:57 GMT
Content-Length: 3148

{"token_type":"Bearer","scope":"user_impersonation","expires_in":"3599","ext_expires_in":"10800","expires_on":"1481476378","not_before":"1481472478","resource":"","access_token":"<json response.>"}

If there was an error, you would have seen an error message in JSON format returned by Azure. Let’s decode the JSON token to understand what it contains. Copy the value and go to (Third-Party Website). You will see the following content when you decode the token:

{
  typ: "JWT",
  alg: "RS256",
  x5t: "RrQqu9rydBVRWmcocuXUb20HGRM",
  kid: "RrQqu9rydBVRWmcocuXUb20HGRM"
}.
{
  aud: "",
  iss: "<ClientId>/",
  iat: 1481472478,
  nbf: 1481472478,
  exp: 1481476378,
  acr: "1",
  amr: [ "pwd" ],
  appid: "<<ClientId >>",
  appidacr: "0",
  e_exp: 10800,
  family_name: "Ghai",
  given_name: "Apurv",
  ipaddr: "",
  name: "Apurv Ghai",
  oid: "99914ea0-1e03-4850-a963-8f240a87d152",
  platf: "14",
  puid: "1003BFFD97A8CE14",
  scp: "user_impersonation",
  sub: "tzNxkMSUdSHCNt29AQg3adxxQTkhE7-wXc6woLesVnY",
  tid: "1b69ec75-fc81-4af1-af57-e567d6ed7383",
  unique_name: "",
  upn: "",
  ver: "1.0",
  wids: [ "62e90394-69f5-4237-9190-012177145e10" ]
}.
[signature]

This JSON confirms the credentials of the logged-on user. This way you can really understand what’s going on with your application. This token will now be used to make Web API requests in Dynamics 365.
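The same decoding can be done locally, so the bearer token never leaves your machine. This is an added example, not part of the original post: it assumes a .NET version that ships System.Text.Json, builds a constructed sample token from the nbf, exp and scp values shown above (the aud value is a placeholder), and only decodes the token without verifying its signature.

```csharp
using System;
using System.Text;
using System.Text.Json;

class JwtInspector
{
    // base64url (RFC 7515) to bytes: restore '+' and '/', then re-add the stripped padding.
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Invalid base64url length");
        }
        return Convert.FromBase64String(s);
    }

    // Only used here to build the constructed sample token.
    static string Base64UrlEncode(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // index 0 = header, 1 = payload. Decodes only; the signature is NOT verified.
    static JsonElement DecodePart(string jwt, int index)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        string json = Encoding.UTF8.GetString(Base64UrlDecode(parts[index]));
        using (JsonDocument doc = JsonDocument.Parse(json))
            return doc.RootElement.Clone();
    }

    static void Main()
    {
        // Constructed sample: nbf, exp and scp are the values shown above; aud is a placeholder.
        string jwt = Base64UrlEncode("{\"typ\":\"JWT\",\"alg\":\"RS256\"}") + "." + Base64UrlEncode(
            "{\"aud\":\"https://org.example/\",\"nbf\":1481472478,\"exp\":1481476378," +
            "\"scp\":\"user_impersonation\"}") + ".placeholder-signature";
        JsonElement payload = DecodePart(jwt, 1);
        var nbf = DateTimeOffset.FromUnixTimeSeconds(payload.GetProperty("nbf").GetInt64());
        var exp = DateTimeOffset.FromUnixTimeSeconds(payload.GetProperty("exp").GetInt64());
        Console.WriteLine("alg: " + DecodePart(jwt, 0).GetProperty("alg").GetString());
        Console.WriteLine("aud: " + payload.GetProperty("aud").GetString());
        Console.WriteLine("scp: " + payload.GetProperty("scp").GetString());
        Console.WriteLine($"usable from {nbf:u} until {exp:u}");
        Console.WriteLine("expired: " + (DateTimeOffset.UtcNow >= exp));
    }
}
```

When a Web API call is rejected, the aud, scp, nbf and exp claims are the first values to compare against the resource URL and the current time.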

# Result Protocol Host URL Body Caching Content-Type Process Comments Custom
16 200 HTTPS /api/data/v8.1/contacts?$select=firstname&$filter=contains(firstname,'Peter') 124 no-cache; Expires: -1 application/json; odata.metadata=minimal crm_sdk_samples:7448

In Frame 16#, you see that we are making an API call to Dynamics 365. Here’s the header format:

GET$select=firstname&$filter=contains(firstname,'Peter') HTTP/1.1
Authorization: Bearer <encrypted part removed>
Accept: application/json
OData-MaxVersion: 4.0
OData-Version: 4.0
Cache-Control: no-cache
Host:

Let’s map this request with the piece of code:

// Requires: System, System.Net, System.Net.Http, System.Threading.Tasks, Newtonsoft.Json
public async Task SearchExistingRecord(string entityName, string filter)
{
    // The client is created with the access token, so every request carries it.
    httpClient = CreateDynHttpClient(AccessToken, entityName);
    string completedFilterCondition = BaseOrganizationApiUrl + "/api/data/v8.1/" + entityName + filter;
    var response = await httpClient.GetAsync(completedFilterCondition);
    if (response.StatusCode == HttpStatusCode.OK)
    {
        var content = await response.Content.ReadAsStringAsync();
        var objParsedContent = JsonConvert.DeserializeObject(content);

        // Do something with response. Example get content:
        Console.WriteLine("Records Found");
    }
    //Dispose the Object :: Best Practice
    httpClient.Dispose();
}

In the line that creates the HttpClient, we pass the access token, which is then sent with every request going to Dynamics 365. Here’s the complete response to this request:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; odata.metadata=minimal
Expires: -1
Server: Microsoft-IIS/8.5
REQ_ID: 38e4f5e9-7fd8-4ac6-822f-9631519f08d5
OData-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 11 Dec 2016 16:12:58 GMT
Content-Length: 124
Set-Cookie: crmf5cookie=!x8uRQEWsVflwvJeyl31zE1vVQ1hrKpIoEAcC4gh9O0uumcDINf2R/MfwM5l2UsVA7AVQX3hQVwkwNNk=;secure; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "@odata.context":"$metadata#contacts(firstname)","value":[

  ]
}

Basically, no data was found with the specified criteria, first name = Peter.

Hope you’ve enjoyed reading this.

Happy WebAPI’ing


Apurv :)

