Authenticating dynamics CRM plugin to access Web API 2 methods
I have written a plugin in dynamics CRM. This plugin accesses a few Web API 2 methods that are deployed in Azure cloud (via HTTPS). The plug-in is triggered when a contact data in the CRM changes. Many CRM account holders will update the contact data.
I am going to hard code a 'secret key' (a one time generated Guid) in the plug-in and send this key every time I access the web api methods. I'll validate this guid in the web api methods to prevent un-authorized access.
I do not like to store the secret key (guid) in the source code.
Questions
- What are my alternatives if do not want to 'hard code' the secret key?
- What are the security flaws in this approach?
Note
In general, all my Web APIs are authenticated by a custom authentication web api filter, but the Web APIs that are accessed from the plugin are not part of the custom authentication.
CRM version is 2013
As the previous answers states, the first option is to store your information in a configuration custom entity that you can retrieve from your plugin. Those records are going to be protected by the CRM security model, so if your plugin is running in the calling user context you will need to make sure that the users have privileges to read that information (not really a good idea) or change the plugin to be executed under an admin user context.
Another option is to use Secure/Unsecure Configuration:
Those are two (string) parameters that you can configure within the step and you will be able to read them from the plugin. I would say that the secure configuration fits your requirement but give it a look. You can also easily find how to implement it (example).
The third and last option that I can think of, is to create an XML WebResource and read it from the plugin. Again, you will need to make sure that the user context under the plugin is running has access to it.
- Dynamics CRM 2016 on-premises - Javascript Suddenly stopped working
- Using AlexaCRM/dynamics-webapi-toolkit I need to add a filter for a "modifiedon" datetime
- Powershell command to handle a Dynamics 365 Security Role
- How to get a SAML token from ADFS sever to pull data from dynamics CRM on-premises (non-sdk) in c#?
- PHP Connect to Microsoft Dynamics CRM
- Dynamics 2016 email tracking ignoring outgoing replies
- Trigger Plugin when change in specific dropdown in Dynamics 365
- Reach Azure SQL database with dynamic IP addresses
- How to know what InputParameters values are possible in Dynamics CRM Plugin context?
- How to add a column/attribute dynamically by clicking a button in MS Dynamics 365?
- Cannot retrieve selected lookups using the OData endpoint
- Create annotation to a contact entity in Microsoft Dynamics CRM by API
- Reload Form on reload/refresh of subgrid in Dynamics 365 CRM Unified Interface
- D365 ambiguous advice/instructions on on-premises cumulative updates page
- CRM Dynamics workflow not triggering for all records
- Regarding associating web roles to contact from Power Pages Portal
- lookupObject.getValue is not a function
- How to export/import Data from Microsoft Dynamics crm
- Microsoft.Identity.Client getting Error in C#
- Dynamics CRM security role privileges on Email entity
- Call external API to get a file and attach it in Notes
- Deploy CRM solution using Package Deployer as update instead of upgrade
- unable to load CRM organization
- Cannot Open PluginRegistration
- The transaction log for the database is full
- I can not install the pfx file in dynamics 365 plugin project when i get it from source control
- Get Email (V2) in power automate is throwing an "ID is Malformed"
- Power Apps command visibility based on user security role
- How can I create Custom Industry Accelerator on Common Data Service?
- In Microsoft Dynamics 365 CRM what is the major difference in plugins and workflows when both serve the same purpose