Using the Client Credentials Grant with the Gravity Forms Dynamics Add-On
By default the Gravity Forms Dynamics Add-On for WordPress uses the "Authorization Code" OAuth grant type because it's secure, easy to setup for the user, and only requires the user to login to their Office 365/Azure AD tenant with an account that already has Dynamics access.
However, one of the downsides of this grant type is that the oauth tokens obtained from Azure AD can and do expire. The plugin will try to refresh them, but can only do so out to a maximum of 90 days (a Microsoft imposed limit) before the user will be required to re-authenticate. This can potentially cause issues with the plugin getting "disconnected" which could cause entries to not make it Dynamics while the plugin is in a "disconnected" state.
The plugin also supports the "Resource Owner(Password)" OAuth grant type, which can be used to mitigate the plugin disconnect issues by entering the credentials directly in the plugin settings page. The benefit is this avoids the expiring access token issue, but the downside is that if the user password changes, it must also be changed in the plugin settings. Additionally, it still requires a user with a Dynamics license assigned.
The "Client Credentials" OAuth grant type is designed for "server-to-server" scenarios and is now supported in the plugin.
Using Client Credentials for authentication with Dynamics CRM 365 Online will resolve this issue of using user credentials which constantly change and require a Dynamics CRM 365 Online license. Client Credentials are made up of a client id and client secret which first need to be setup and generated in Microsoft Azure.
Here are the steps to authenticate using the Client Credentials OAuth grant type.
Create a new App Registration in Azure Active Directory
-
Log into https://portal.azure.com, navigate to Microsoft Entra ID -> App registrations and click on New registration.
- Create the new App registration with a name of "Gravity Forms Dynamics Add-On" and the defaults for the remaining settings and click Register.
- Grant permissions to the new App Registration by navigating to Manage > API permissions. Click on Add a permission.
- In the dialog that appears, under the Microsoft APIs tab of Commonly used Microsoft APIs, click Dynamics CRM.
- Select the following permissions and then click Add permissions.
- Dynamics CRM should now be added to the list of API permissions.
- Copy the newly created Application ID (client ID) by visiting the Overview screen and click the "Copy to clipboard" icon next to the Application (client) ID.
Note: Save this to a text file as this will be needed later when configuring the plugin. - Setup a client secret key by navigating to Overview > Client credentials and click "Add a certificate or secret."
- On the Certificates & secrets screen, under Client secrets, click New client secret
- In the dialog that appears, enter "2YearKey" for the Description and select "24 months" for the Expires option (24 months is the maximum).
- On the next screen, click the "Copy to clipboard" icon to copy the newly generated client secret.
Note: Save this to the same text file where you saved the copied Application (client) ID. Be sure you have copied it and saved it before leaving the screen since it will not be shown again when you navigate to the Certificates & secrets list.
Now that the Azure AD App Registration is created, we need to create a new unlicensed "Application User" in Dynamics and map it to our newly created Azure AD app registration.
Create a new Dynamics 365 Application User
- Sign in to the Power Platform admin center as a System Administrator.
-
Select Environments, and then select an environment from the list.
-
Select Settings.
-
Select Users + permissions, and then select Application users.
- Click New app user to open the Create a new app user page.
- Click Add an app to choose the Azure AD app registration we created at the beginning and then click Add.
-
The selected Azure AD app is displayed under App. You can select Edit to choose another Azure AD application. Under Business Unit, select a business unit from the dropdown list.
-
After choosing a business unit, you can click the pencil icon for Security roles to choose security roles for the chosen business unit to add to the new application user. After adding security roles, select Save.
-
Finally, click Create to finish creating the new application user.
Now, that we have our Azure AD app registration setup and our Application User mapped, we can now configure the Gravity Forms Dynamics Add On to use the "Client Credentials" OAuth grant type in WordPress.
- First, navigate to Forms > Settings > Dynamics CRM.
- On the next screen, select the "Client Credentials" option under OAuth 2.0 Grant Type. When the screen reloads, paste your Azure AD App Registration ID in the "Client ID" box and your the client secret you copied earlier in the "Client Secret" box and scroll down and click Save Settings.
The plugin is now configured to use your Azure AD App Registration for all communication with Dynamics instead of a named user.