Article published on the 23rd of August, 2024.
1. Introduction
Sometimes when calling an HTTP endpoint, you need to provide credentials. There are many ways of providing credentials, and in this article we will cover how to configure OAuth credentials, which can be used, for example, when calling a Power Automate flow from a WorkPoint Automate process.
This process involves creating an App Registration in Entra ID, creating a secret that we can use for the credential, providing the necessary permissions for the App Registration, and then configuring the credential in the WorkPoint administration.
2. Creating an App Registration
In this section, we will take care of everything related to setting up the app registration.
We begin in the Microsoft Entra admin center:
- In the Microsoft Entra admin center, expand the "Applications" section and select "App registrations".
- In the command bar, click "New registration".
- Provide a name for the app registration. Preferably, give it a name that describes what it is used for.
- In the "Supported account types" section, select the option suitable for your situation. If this app registration is to be used on a single tenant, select the first option.
- Click the "Register" button.
The App Registration is now created, and you are redirected to its overview page:
- In the overview page, copy and save the "Application (client) ID" value to a notepad document or similar. We are going to need this later.
- Now click "Certificates and secrets".
- In the Certificates and secrets page, click "New client secret".
- Provide a name and expiration option for the new secret.
- Click the "Add" button.
- When the secret is created, click the copy-button for the secret value. This is important: the value cannot be copied later. Save it along with the Application (client) ID.
- Next, click "API permissions".
- In the command bar on the API permissions page, click "Add a permission".
- In the side panel, select the "Power Automate" option.
- In the side panel, select the "Access Microsoft Flow as signed in user" permission.
- Click "Add permissions".
- Next, in the API permissions page, click "Grant admin consent for [tenant name]".
- In the confirmation dialog, click "Yes".
A confirmation message should now indicate that the consent has been successfully granted:
Next, we need to make a note of our Tenant ID, which we can find by going to the overview page:
- In the left side menu, click "Overview".
- Click the "Copy" button for the Tenant ID and save it along with the Application (client) ID and the secret.
3. Configuring an OAuth credential in WorkPoint
At this point, you should have the following information saved and ready:
- An Application (client) ID for your app registration.
- A secret value for your app registration.
- Your Tenant ID.
With this information, we can now configure an OAuth credential in the HTTP Library in the WorkPoint administration:
- In the HTTP Endpoint Library, select the OAuth option and click the "Add" button as shown.
This opens the New Credential form:
We need to fill the form accordingly:
Field | Description | Example |
---|---|---|
Title | A title for the credential. This is shown in the HTTP Endpoint Library overview, and when selecting a credential to use for an HTTP endpoint configuration. | OAuthCredential |
Credential Type | The type of credential being configured. In this instance we need to select "Secret". | N/A |
Authority | The Authority is the endpoint in Entra ID where the OAuth2 token is requested. It follows this format: "https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token". Remember to substitute your Tenant ID into the URL. | https://login.microsoftonline.com/d7f50f90-fe2c-4160-ab90-080bda8eab8a/oauth2/v2.0/token |
Audience | The Audience (also known as the resource) indicates the intended recipient of the token. It defines the API that the token will be used to access. For calling Power Automate flows, the correct audience is typically "https://service.flow.microsoft.com/". | https://service.flow.microsoft.com/ |
Client ID | This is the Application (client) ID which we saved earlier. Simply paste the value into the field. | c65a6c1b-b6a9-4d64-b328-08c391d56d4e |
Tenant | This is the Tenant ID which we saved earlier. Simply paste the value into the field. | d7f50f90-fe2c-4160-ab90-080bda8eab8a |
Scope | The Scope defines the permissions that your application is requesting on behalf of the user. In this instance, the scope "https://service.flow.microsoft.com//.default" requests the default permissions that have been granted to our application for the Power Automate service. | https://service.flow.microsoft.com//.default |
Secret | This is the secret that we created for the app registration. Simply paste the value into the field. | ~Q61Q~SÆ6hvXeDdMziPCDEibykSblMYXxrWzKcIa |
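How the fields in the table fit together, as an added example (not WorkPoint's own code): assuming the "Secret" credential type uses the OAuth 2.0 client-credentials grant, this Python code checks that the form fields agree with each other, builds the token request that is posted to the Authority, and checks the audience and expiry of a returned token. The function names, the placeholder secret and the unsigned sample token are constructed for illustration, and the token's `aud` claim is assumed to equal the Audience field.

```python
import base64, json, time
from urllib.parse import parse_qs, urlencode, urlparse

# Field values copied from the example column of the table; the secret is a placeholder.
CFG = {
    "authority": "https://login.microsoftonline.com/d7f50f90-fe2c-4160-ab90-080bda8eab8a/oauth2/v2.0/token",
    "audience": "https://service.flow.microsoft.com/",
    "client_id": "c65a6c1b-b6a9-4d64-b328-08c391d56d4e",
    "tenant": "d7f50f90-fe2c-4160-ab90-080bda8eab8a",
    "scope": "https://service.flow.microsoft.com//.default",
}

def check_config(cfg):
    """Return a list of inconsistencies between the form fields."""
    problems = []
    url = urlparse(cfg["authority"])
    if url.scheme != "https" or url.hostname != "login.microsoftonline.com":
        problems.append("authority must be an https login.microsoftonline.com URL")
    if url.path != f"/{cfg['tenant']}/oauth2/v2.0/token":
        problems.append("authority path does not match the Tenant field")
    if cfg["scope"] != cfg["audience"] + "/.default":
        problems.append("scope must be the audience followed by '/.default'")
    return problems

def build_token_request(cfg, secret):
    """Return (url, form body) of the client-credentials POST; nothing is sent."""
    form = {"grant_type": "client_credentials", "client_id": cfg["client_id"],
            "client_secret": secret, "scope": cfg["scope"]}
    return cfg["authority"], urlencode(form)

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(aud, exp):
    """Constructed, unsigned stand-in for the access token in the response."""
    return ".".join([b64url({"alg": "none"}), b64url({"aud": aud, "exp": exp}), ""])

def token_is_for(token, cfg, now):
    """Decode (not verify) the payload; check audience (assumed aud claim) and expiry."""
    part = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return claims.get("aud") == cfg["audience"] and claims.get("exp", 0) > now

if __name__ == "__main__":
    print(check_config(CFG))
    url, body = build_token_request(CFG, "<client-secret-placeholder>")
    print(url, sorted(parse_qs(body)))
    print(token_is_for(sample_token(CFG["audience"], time.time() + 3600), CFG, time.time()))
```

The scope check flags a single-slash scope because the audience already ends in "/", which is why the table's scope contains "//.default".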
In the end, we should have a configuration that looks something like this:
- To test the credential, we can click the "Test" button. The page should display a "Valid" message:
- We can now save the credential by clicking the "Add" button.
The new credential should now appear in the HTTP Endpoint Library:
4. Using the OAuth credential to run a Power Automate flow
For demonstration purposes, we have created a Power Automate flow where we can provide a user's e-mail address. The Power Automate flow will then return the user's department as a string and their manager as an object containing various relevant metadata.
An outline of the flow is shown in the following image:
We need to make a note of the HTTP URL shown in the left side panel, as we need that for setting up the HTTP endpoint in WorkPoint.
- In the HTTP Endpoint Library, we can add a new endpoint configuration by clicking "Add".
We will not go through the process of how to set up an HTTP endpoint in this article. Please visit this article for more information.
In this instance, we have set up our endpoint as shown in the following image:
Note that we have used the HTTP URL from the Power Automate flow as Url for the endpoint configuration, and we have used the previously configured credential in the "Credential" field of the configuration.
With this configuration, we can now try and insert the e-mail address of a user on our tenant:
We can then perform a test of the endpoint using the entered e-mail address:
- To perform the test, we click the "Test" button.
This produces the following result:
- If we hadn't already done so, we can generate the schema for the endpoint automatically by clicking the "Autogenerate from test" button, which produces the following result:
We can now Save the endpoint and start using it in a WorkPoint Automate process.
5. Using the endpoint in a WorkPoint Automate process
With the endpoint configured, we can now start using it in a WorkPoint Automate process.
For demonstration purposes, we have created a new process with a "Send HTTP request" step:
Note that we have renamed the Send HTTP request step to "Get user department and manager".
In the "Endpoint" field, we have selected the "Get department and manager" endpoint we just configured. We also note that the "userEmail" parameter from our endpoint configuration is available, and in it, we pass the current user's e-mail address.
In this instance, that means that when a given user runs the process, this step will send their e-mail address to the endpoint. The endpoint will process our request, and return the user's department as a string, and their manager as a user object.
We have also added a custom form to display the information returned by the Power Automate flow:
In the custom form, we have inserted a Text field which displays the department returned by the Power Automate flow (using the "GetDepartmentAndManager.department" string from the process context), and a user field displaying the current user's manager (using the "GetDepartmentAndManager.manager" object from the process context).
The result when running the process should be something like this:
In this demonstration, we can see that the user running the process is in the "Engineering" department, and their manager is "Miriam Graham".