Azure AD Authentication (REST via JavaScript / Angular)

We use Azure AD Authentication currently for our Epicor implementation and it works great. We are working on a web portal and naturally we wanted to use the same authentication method.

Epicor provides some examples in their help on how to do this using azure-activedirectory-library-for-js

Which works… (kinda). See, this library is pretty old and has been deprecated (twice now).

Ultimately being replaced with GitHub - AzureAD/microsoft-authentication-library-for-js: Microsoft Authentication Library (MSAL) for JS

Furthermore, MSAL V1 has been deprecated in favor of MSAL V2.

With all that said, I can write a pretty simple app using MSAL V1 that works fine: it authenticates against Azure (no issue) and the resulting token can be used with Epicor. Standing ovation.

The issue is that this is a deprecated library and an old version with lots of security issues, etc. Also, the latest supported version is Angular 6 (currently Angular 12 is out).

When I try to upgrade / change to use MSAL V2 (for Angular 11), everything still works fine (on the Azure side).

However, Epicor won’t accept my token. I get one of two errors:
“IDX10231: Audience validation failed. Delegate returned false, securitytoken: ‘[PII is hidden]’.”

“IDX10511: Signature validation failed. Keys tried: ‘[PII is hidden]’. \nkid: ‘[PII is hidden]’. \nExceptions caught:\n ‘[PII is hidden]’.\ntoken: ‘[PII is hidden]’.”,

I am using the same ClientID and the Same Tenant everything is exactly the same but Epicor doesn’t like my newly acquired token.

This leads me to believe that maybe Epicor doesn’t support MSAL V2? But I can’t really confirm this because in the grand scheme of things a token is a token and all Epicor has to do is validate the signature which is signed with the same tenant / client so I’m a little lost.

I could use a push (or a kick) in the right direction. I know this is like shouting into the abyss; I can probably count on a single hand those who understand all the jibber jabber above enough and also know Epicor’s implementation… I’m looking at you @Olga, @Edge, @bconner, @Dmitry_Kashulin :stuck_out_tongue:

But if someone has any ideas I’m open to trying things! Maybe I’m missing some scope or something.

The MSAL example in GitHub above works out of the box if you plug in your ClientID and your Tenant… but again Epicor rejects that token, if anyone wants to play.

And this version (V1) works out of the box too, and well, it works with Epicor (that is, the token is accepted).


1 Like

I am working on it now :slight_smile: so ERP will use MSAL in the vNext :).

Also I checked that the current AAD settings should work almost as they are with MSAL as well. So the question is what you are specifying as audience and scope. You should use <web app id>/user_impersonation as the scope, if you named the scope user_impersonation as is recommended.

1 Like

Great news!!

Heck no, I don’t follow directions (you should know that by now lol #Sorry :zipper_mouth_face:)
I named it

I’m guessing /ERP102500UserAuth is what I should be using for scope then?

You can, but you’d better rename it, because we will expect user_impersonation in the next version.

On it!

1 Like

and the scope should look like
const tokenRequestErp = {
  scopes: ["ef70594b-562a-4066-888e-48c811776aab/user_impersonation"] // <web app id>/user_impersonation
};
where ef70594b-562a-4066-888e-48c811776aab is my WebAppID
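Added example, not code from the thread or from Epicor: a small client-side diagnostic, assuming plain Node.js, that decodes the access token MSAL hands back and reports whether its aud and scp claims match the ERP web app id and the user_impersonation scope, which is the mismatch behind the IDX10231 audience error above. The api:// audience form, the helper names and the sample tokens are assumptions.

```javascript
// Diagnostic only: claims are decoded WITHOUT verifying the signature, so this
// must never be used to make an authorization decision; Epicor still validates
// the token server side. It just tells you why Epicor is about to reject it.

// base64url -> UTF-8 (JWT segments are base64url without padding).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWT into header and payload objects; the signature is ignored.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
}

// webAppId is the application (client) id of the Epicor web app registration.
// Assumption: the audience may appear either as the bare id or as api://<id>.
function checkErpToken(token, webAppId) {
  const { payload } = decodeJwt(token);
  const acceptableAud = [webAppId, `api://${webAppId}`];
  const scopes = (payload.scp || '').split(' ').filter(Boolean);
  const problems = [];
  if (!acceptableAud.includes(payload.aud)) {
    problems.push(`aud is '${payload.aud}', expected ${acceptableAud.join(' or ')} (Epicor raises IDX10231)`);
  }
  if (!scopes.includes('user_impersonation')) {
    problems.push(`scp is '${payload.scp}', missing user_impersonation`);
  }
  if (payload.exp !== undefined && payload.exp * 1000 < Date.now()) problems.push('token is expired');
  return { ok: problems.length === 0, aud: payload.aud, scopes, problems };
}

// Builds an unsigned test token from constructed claims (dummy signature segment).
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}

const WEB_APP_ID = 'ef70594b-562a-4066-888e-48c811776aab'; // web app id quoted in the thread
// Constructed sample: token requested with <web app id>/user_impersonation.
const goodToken = fakeToken({ aud: WEB_APP_ID, scp: 'user_impersonation', exp: 4102444800 });
// Constructed sample: token requested for some other API, so aud/scp are not the ERP's.
const otherApiToken = fakeToken({ aud: 'api://some-other-app', scp: 'User.Read', exp: 4102444800 });

console.log(checkErpToken(goodToken, WEB_APP_ID));
console.log(checkErpToken(otherApiToken, WEB_APP_ID));
```

Run it against a real token from MSAL by pasting the token string in place of goodToken; the problems array names the claim Epicor will trip over.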


Thank you! You are the best as always!!
cc: @Patrick.Ferrington, @Edge she really is! Keep her happy for all our sakes!!! :heart_eyes:

I’ll report back after I’ve changed my scope to comply.


Scope Did the trick!


Not Gonna Lie, This SSO through Azure AD right on the web app is pretty damn sexy