We currently use Azure AD authentication for our Epicor implementation, and it works great. We are working on a web portal and naturally wanted to use the same authentication method.
Epicor provides some examples in their help on how to do this using azure-activedirectory-library-for-js.
Which works… (kinda). See, this library is pretty old and has been deprecated (twice now),
ultimately being replaced with GitHub - AzureAD/microsoft-authentication-library-for-js: Microsoft Authentication Library (MSAL) for JS.
Furthermore, MSAL V1 has been deprecated in favor of MSAL V2.
With all that said, I can write a pretty simple app using MSAL V1 that works fine: it authenticates against Azure (no issue), and the resulting token can be used with Epicor (standing ovation).
The issue is that this is a deprecated library and an old version with lots of security issues, etc. Also, the latest supported version is Angular 6 (currently Angular 12 is out).
When I try to upgrade/change to MSAL V2 (for Angular 11), everything still works fine (on the Azure side).
However, Epicor won't accept my token; I get one of two errors:
“IDX10231: Audience validation failed. Delegate returned false, securitytoken: ‘[PII is hidden]’.”
“IDX10511: Signature validation failed. Keys tried: ‘[PII is hidden]’.
kid: ‘[PII is hidden]’.
Exceptions caught:
‘[PII is hidden]’.
token: ‘[PII is hidden]’.”
I am using the same ClientID and the same Tenant; everything is exactly the same, but Epicor doesn't like my newly acquired token.
This leads me to believe that maybe Epicor doesn't support MSAL V2? But I can't really confirm this, because in the grand scheme of things a token is a token, and all Epicor has to do is validate the signature, which is signed with the same tenant/client, so I'm a little lost.
I could use a push (or a kick) in the right direction. I know this is like shouting into the abyss; I can probably count on one hand those who understand all the jibber jabber above and also know Epicor's implementation… I'm looking at you @Olga, @Edge, @bconner, @Dmitry_Kashulin.
But if someone has any ideas, I'm open to trying things! Maybe I'm missing some scope or something.
The MSAL example on GitHub above works out of the box if you plug in your ClientID and your Tenant… but again, Epicor rejects that token, if anyone wants to play.
And this version (V1) works out of the box too, and, well, it works with Epicor (that is, the token is accepted).