OAuth library for the Rest Client

ajkauffmannBusiness Central3 weeks ago42 Views

You may be familiar with the Rest Client module in the System App of Business Central. If not, I recommend watching this webinar from Areopa where I explain how it works. Or this video from BC Techdays 2024, where I introduced the Rest Client. During that session at BC Techdays, I also mentioned a new module that was under construction: Endpoint/OAuth management. This module is now ready and available as a repo on GitHub.

Currently, the module has not been submitted to the System App. The reason is that the Rest Client already supports OAuth authentication for the client credentials flow (also known as service-to-service authentication). The codeunit implementing this utilizes the OAuth2 module. Have you ever seen the OAuth2 module? It has 57 functions, of which 18 are marked as obsolete. The remaining functions are heavily overloaded, like 8 or more times. It’s like a rabbit hole, with little guidance on which function to use in a given situation. The implementation codeunit utilizes .NET components for the actual calls to the Azure token endpoints, which doesn’t help in understanding how the code exactly works.

The OAuth library I’m introducing now uses no .NET components. It’s entirely written in AL code, including all calls to the token endpoints. For which it uses the Rest Client as well, no surprise… Adding this module to the System App could potentially result in a conversation with Microsoft if they want this, as the approach is different. Of course, I will initiate that conversation and see if we can add this into the next major version (v28). However, if you need this module today (and some of you are waiting for it, I know), it is available on GitHub.

The code can be found here: https://github.com/ajkauffmann/RestClientOAuth

Just clone the repo, read the documentation, and get started. A few comments about the repository:

The object IDs are in the PTE range. Feel free to change them to any range that fits you.
All objects are suffixed with KFM. Feel free to change the suffix to anything you like. However, ensure that you have a prefix or suffix to avoid conflicts if this module becomes part of the System App.
The code is licensed under the MIT license, which essentially means you are free to copy, modify, and use it, all without charge.
If you have any suggestions or encounter a bug, please let me know! Contributions are welcome!
All code is handcrafted. I didn’t use AI at all for writing the code.
On the other hand, the documentation has been entirely generated by GPT-5. This took some time, but it was a worthwhile experiment, and I learned that having structured code helps AI significantly to understand the purpose.

Since the documentation is in the repository, I won’t repeat it here. This is what you can expect from the module:

Support for both Authorization Code Grant flow and Client Credentials flow.
Support for secrets and certificates.
Using certificates is made as easy as possible with a page where you can generate and download a certificate to be used in the Entra app registration.
For the Authorization Code Grant flow, the token is automatically refreshed when it expires. No new login is required in that case.
For the Client Credentials flow, a new token is acquired if the existing token expires.
Access tokens are only kept in memory. When the Rest Client instance, initialized with the OAuth module, goes out of scope, the existing access tokens will be disposed.
Extra security measures have been implemented to prevent CSRF attacks, utilizing PKCE and state parameters.
Option to use a self-hosted OAuth landing page that is more advanced than the built-in landing page.
Fully supports Azure Entra ID.
Extensibility for adding other authorities.
Endpoint management for configuring all OAuth settings rather than hard-coding them.

Here is a screenshot of the Http Endpoint configuration page:

At Directions EMEA 2025 in November, in Poznań, Poland, I will be presenting a session on OAuth. Of course, I will then also discuss this module. If you want to know more about OAuth, make sure to be there!