Thursday, June 16, 2016

Developing OAuth with Skype Web SDK: admin pre-requisites

This blog post covers the system-level steps an Office 365 administrator needs to take to "turn on" Skype Web SDK functionality for code that authenticates with OAuth. Some of these steps may sound familiar if you've read the previous post "UCWA 2.0 and Skype for Business online: Create an Azure AD application". To accomplish this task you will need the Sign-on URL and Reply URL for the web application that will be using OAuth and the Skype Web SDK. If you're unsure of either of these, talk with the developer who will be configuring the web application.

Link Azure and Office 365 accounts together

This step is outside the scope of this article, but it is worth noting. This Microsoft reference "Set up your Office 365 and Azure AD tenant" provides more information.

Create an Azure AD application

To start, this step is a modified version of the directions from Microsoft's page "Registering your application in Azure AD". Follow the directions in both sections: register your application with Azure AD, and configure your app for OAuth implicit grant flow.

After provisioning the application in step 6, be sure to configure the application's Reply URL. This step isn't mentioned in the Microsoft directions. Another modification is at step 9 under registering your application: select as many of the delegated permissions as desired. For example, the permission "Read and manage Skype for Business user contacts and groups" is required to add or edit contacts and groups in the buddy list. At step 10, do not configure your application to be multi-tenant if it doesn't need to be.

After the above steps are completed, some values from the configuration page should be stored for yourself and others. Any developer or application that will be using the Skype Web SDK will need to know the Client ID and have a Key. To generate a Key, select a duration and save the changes. The Key will appear once it is saved.

Tenant admin consent

Microsoft explains this section best, in their reference "Developing Web SDK applications for Skype for Business Online":
The Skype for Business Online permissions are tenant administrator consent only. For an app to be used by all users of an O365 tenant, a tenant administrator must provide consent. To provide consent for all users in the tenant, construct the following URL for your app as shown in the example below.
Note: update the Client ID and Reply URL (redirect URI) for your app.

https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token
    &client_id= ...
    &redirect_uri=https://app.contoso.com/
    &response_mode=form_post
    &resource=https://webdir.online.lync.com
    &prompt=admin_consent

After the admin grants consent for the tenant, Microsoft will attempt to redirect you to the Reply URL. If you entered the wrong Reply URL, a Microsoft error page will appear after the admin gives consent, and the tiny error message at the bottom will say: the reply address 'your Reply URL' does not match the reply addresses configured for the application: your Client ID. If the web app is not running at that time, you will see a browser "ERR_CONNECTION_REFUSED" error.
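The following is an added example, not code from the original post or from Microsoft's documentation: it builds the admin consent URL shown above and reviews a consent link before an administrator opens it. The function names, the sample client ID, the https requirement and the exact-string comparison of reply URLs are assumptions made for illustration.

```javascript
// Added example: build and sanity-check the tenant admin consent URL.
const AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize";
const SFB_RESOURCE = "https://webdir.online.lync.com";
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the URL from the post, refusing inputs that would end in the
// "reply address does not match" error page after consent is granted.
function buildAdminConsentUrl(clientId, replyUrl, registeredReplyUrls) {
  if (!GUID.test(clientId)) throw new Error("client_id is not a GUID");
  // Assumption (hardening): the id_token is POSTed to the reply URL, so require TLS.
  if (new URL(replyUrl).protocol !== "https:") throw new Error("reply URL must be https");
  // Assumption: reply URLs are compared as exact strings, trailing slash included.
  if (!registeredReplyUrls.includes(replyUrl))
    throw new Error("reply URL is not registered for this application");
  const query = new URLSearchParams({
    response_type: "id_token",
    client_id: clientId,
    redirect_uri: replyUrl,
    response_mode: "form_post",
    resource: SFB_RESOURCE,
    prompt: "admin_consent",
  });
  return `${AUTHORIZE}?${query}`;
}

// Review a consent link before a tenant administrator opens it.
// Returns a list of problems; an empty list means it matches expectations.
function reviewConsentUrl(link, expectedClientId, registeredReplyUrls) {
  const url = new URL(link);
  const p = url.searchParams;
  const problems = [];
  if (url.origin + url.pathname !== AUTHORIZE) problems.push("unexpected authorize endpoint");
  if (p.get("client_id") !== expectedClientId) problems.push("client_id is not our application");
  if (!registeredReplyUrls.includes(p.get("redirect_uri"))) problems.push("redirect_uri not registered");
  if (p.get("resource") !== SFB_RESOURCE) problems.push("resource is not Skype for Business Online");
  if (p.get("prompt") !== "admin_consent") problems.push("prompt is not admin_consent");
  return problems;
}

const SAMPLE_CLIENT_ID = "00000000-1111-2222-3333-444444444444"; // constructed placeholder
const SAMPLE_REPLY_URLS = ["https://app.contoso.com/"]; // reply URL from the post's example
```

Because tenant admin consent applies to every user in the tenant, running `reviewConsentUrl` against the Client ID and Reply URLs recorded from the Azure AD configuration page confirms the link grants consent to the intended application.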

References

https://blogs.msdn.microsoft.com/onenotedev/2015/04/30/set-up-your-office-365-and-azure-ad-tenant/#AssociateO365FromAzure

https://msdn.microsoft.com/en-us/library/office/mt592709(v=office.16).aspx

https://msdn.microsoft.com/en-us/skype/websdk/developwebsdkappsforsfbonline
