The authentication flow for the client credentials grant exchanges client credentials for the access token at the location specified by the TokenURI. Web-based login and consent are not required.

Note: For the client credentials grant, you must create an application user on your Dynamics 365 web instance. See Create an application user for the client credentials grant for details.

To configure the driver to use a client credentials grant:

  • Set the ServiceURL property to the base URL of the Dynamics 365 instance to which you want to issue requests. For example, https://mywebinstance.api.crm.dynamics.com/api/data/v9.1/.
  • Set the AuthenticationMethod property to OAuth2. Since OAuth2 is the default, this value does not have to be specified in a connection URL used for OAuth 2.0 implementations.
  • Set the ClientID property to specify the client ID key for your application.
  • Set the ClientSecret property to specify the client secret for your application.
    Important: The client secret is a confidential value used to authenticate the application to the server. To prevent unauthorized access, this value must be securely maintained.
  • Set the TokenURI property. The value of the TokenURI property must begin with the POST command followed by the token URI or the endpoint used to exchange authentication credentials for access tokens. For example:

    TokenURI=POST https://login.microsoftonline.com/common/oauth2/v2.0/token

  • Set the Scope property when using the Microsoft Identity Platform (v2) to provision users and manage application access. Scope specifies an OAuth scope or a space-separated list of OAuth scopes that limit the permissions granted by an access token. The following example shows the scope for a Dynamics CRM instance.

    Scope=https://mywebinstance.api.crm.dynamics.com/.default

    Note: The /.default scope is embedded in every application. It refers to a static list of permissions configured on the application registration. Refer to Microsoft Identity Platform documentation for further details.

The following examples show the connection information required to establish a session using the client credentials grant.

Connection URL

// Requires java.sql.Connection and java.sql.DriverManager.
// The URL is built by concatenation because a Java string literal cannot span lines.
Connection conn = DriverManager.getConnection(
    "jdbc:datadirect:dynamics365:"
    + "ServiceURL=https://mycompany.365.dynamics.net/api/data/;"
    + "AuthenticationMethod=OAuth2;"
    + "ClientID=29453d6f-6789-25gh-gd8g-44tk3c527831;"
    + "ClientSecret=12a3=bCD/EfGh4Ijk+Lm5P67qR8s=//TuV+WXy1Zabcd;"
    + "TokenURI=POST https://login.microsoftonline.com/common/oauth2/v2.0/token;"
    + "Scope=https://mywebinstance.api.crm.dynamics.com/.default;");

Data Source

// Each connection property is set through its setter on the data source.
Dynamics365DataSource mds = new Dynamics365DataSource();
mds.setDescription("My Dynamics 365 Data Source");
// https, matching the Connection URL example, so the access token is not sent in cleartext.
mds.setServiceURL("https://mycompany.365.dynamics.net/api/data/");
mds.setAuthenticationMethod("OAuth2");
mds.setClientID("29453d6f-6789-25gh-gd8g-44tk3c527831");
mds.setClientSecret("12a3=bCD/EfGh4Ijk+Lm5P67qR8s=//TuV+WXy1Zabcd");
mds.setTokenURI("POST https://login.microsoftonline.com/common/oauth2/v2.0/token");
mds.setScope("https://mywebinstance.api.crm.dynamics.com/.default");
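
The examples above hard-code the client secret. The following added example (not part of the original documentation or the driver's own code) passes the same properties through java.util.Properties and reads the secret from the environment. The class name, the environment variable names D365_CLIENT_ID and D365_CLIENT_SECRET, the https-only checks, and the assumption that the driver accepts these property names through a Properties object are all assumptions of this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Map;
import java.util.Properties;

public class ClientCredentialsConfig {
    // Builds the properties from the list above; credentials come from a map (e.g. System.getenv()).
    static Properties build(Map<String, String> env) {
        String clientId = env.get("D365_CLIENT_ID");      // assumed variable name
        String secret = env.get("D365_CLIENT_SECRET");    // assumed variable name
        if (clientId == null || clientId.isEmpty() || secret == null || secret.isEmpty()) {
            throw new IllegalStateException("client ID and client secret must be provided");
        }
        String instance = "https://mywebinstance.api.crm.dynamics.com";
        Properties p = new Properties();
        p.setProperty("ServiceURL", instance + "/api/data/v9.1/");
        p.setProperty("AuthenticationMethod", "OAuth2");
        p.setProperty("ClientID", clientId);
        p.setProperty("ClientSecret", secret);
        p.setProperty("TokenURI", "POST https://login.microsoftonline.com/common/oauth2/v2.0/token");
        p.setProperty("Scope", instance + "/.default");
        return p;
    }

    // Added policy check: refuse settings that would send the secret or token over plain HTTP.
    static void check(Properties p) {
        if (!p.getProperty("TokenURI").startsWith("POST https://")) {
            throw new IllegalArgumentException("TokenURI must be 'POST ' followed by an https URL");
        }
        if (!p.getProperty("ServiceURL").startsWith("https://")) {
            throw new IllegalArgumentException("ServiceURL must use https");
        }
    }

    static Connection connect(Properties p) throws SQLException {
        check(p);
        return DriverManager.getConnection("jdbc:datadirect:dynamics365:", p);
    }

    public static void main(String[] args) {
        // Constructed sample values so the example runs without a real secret or the driver.
        Properties p = build(Map.of("D365_CLIENT_ID", "00000000-0000-0000-0000-000000000000",
                                    "D365_CLIENT_SECRET", "constructed-placeholder"));
        check(p);
        p.stringPropertyNames().stream().sorted().forEach(k ->
            System.out.println(k + "=" + (k.equals("ClientSecret") ? "********" : p.getProperty(k))));
    }
}
```

In an application, call connect(build(System.getenv())) with the driver on the classpath; main only prints the assembled properties with the secret masked.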