Simplifying Authorization: How OAuth 2.0 Makes Access Control Effortless in M-Files Integrations

For a long time, applications have relied on Basic Authentication to enable communication between servers and applications. Basic Authentication is a process in which username and password are exchanged between two communicating endpoints in every request.

However, with 921 password attacks occurring every second, securing communications and protecting passwords has never been more crucial.

From October 1st, 2022, as Microsoft had announced in the preceding quarter, Basic Authentication in Exchange Online is turned off for all tenants.

Basic Authentication is Retiring

So, what does this mean for customers and vendors providing integration services working with Exchange Online?

They must transition from Basic Authentication to Modern, which incorporates OAuth 2.0 token-based authorization.

As the Exchange documentation states, modern authentication presents various benefits and enhancements that address the concerns with basic authentication. For instance, OAuth access tokens have a limited usable lifetime and can only be used for the applications and resources they were granted, making them non-reusable.

Furthermore, implementing and enforcing multifactor authentication (MFA) is straightforward with modern authentication.

Microsoft’s decision is significant not just in their world but also for others. To fully secure a system, every integration should follow best security practices.

What is OAuth 2.0

To understand what OAuth 2.0 protocol is, first we need to take a step back and ensure we understand the difference between authentication and authorization. Authentication verifies the user’s or service’s identity, and authorization determines their access rights. OAuth 2.0 is primarily an authorization framework, and while it can be used for authentication, its main focus is on granting permissions and access to resources rather than verifying the user’s identity. In this way, it differs from protocols like OpenID Connect or SAML, where the goal is to verify user identity first before allowing them to access resources on our behalf (or take actions on our behalf).

The picture below provides an overview of the basic flow of the OAuth 2.0 authorization framework. Let’s clarify each one of these steps:

  1. The user requests access to a protected resource from the client app.
  2. Client app redirects the user to the authorization server.
  3. The user authenticates and grants the authorization request.
  4. The authorization server issues access token to the client app.
  5. The client app uses access token to request protected resource from the resource server.
  6. The resource server verifies access token and provides the resource to the client app.
OAuth framework explanation
Picture 1. OAuth 2.0 Authentication Protocol

Find more details about these steps in the official OAuth 2.0 specification.

OAuth 2.0 and M-Files

Since version 4.2.6, Extension Kit includes support for OAuth 2.0 as an authorization mechanism as part of its HTTP module, thus enabling users to configure enterprise-grade integration scenarios directly in M-Files.

The HTTP module of Extension Kit connects M-Files with other systems without coding. As the name suggests, this module makes HTTP calls to third-party services and updates objects in M-Files with data from these services.

OAuth configuration in HTTP module in Extension Kit
Picture 2. Configuration of OAuth in HTTP Integration module in Extension Kit

Extension Kit users can now easily integrate M-Files with third-party services using the OAuth 2.0 standard.

Other authentication types in Extension Kit for M-Files

Basic

The simplest technique for enforcing access controls to web resources in case your legacy systems only work with this type of authentication. A username and password are sent with every request to authenticate with external services.

Digest

Unlike Basic, when using Digest authentication username and password are not sent with every request, they are hashed using the MD5 hashing algorithm before being sent out.

NTLM

NTLM, shorthand for Windows New Technology LAN Manager, is a suite of security protocols Microsoft offers to authenticate users’ identities.

Kerberos

A protocol for authenticating service requests between trusted hosts across an untrusted network. Kerberos support is built into all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.

Negotiate

Depending on availability, Negotiate authentication automatically selects between the Kerberos and NTLM authentication.

ApiKey

Many APIs use API keys for authorization. An API key is a token that a client provides when making API calls.

Final thoughts

The old and well-known authentication mechanisms are becoming a thing of the past, and a shift to modern authentication mechanisms like OAuth 2.0 is the way forward.

The OAuth 2.0 protocol is designed explicitly for authorization and allows applications and services to access resources hosted by other services on behalf of users. Compared to Basic Authentication, OAuth 2.0 provides various benefits and improvements, such as limited usable lifetime access tokens and straightforward multifactor authentication implementation.

Extension Kit supports OAuth 2.0, along with other authentication types, making it an ideal solution for implementing secure integrations and following best security practices.

Schedule a consultation

Let’s talk about the ways we can help your business thrive. 

WATCH THE WEBINAR

Introducing AI Document Kit: Add-on for AI-driven Document Management