Implementing Authorization in Odata V4 Source API Using Query String Parameters for D365 Virtual Entities
With increasing adoption of Dynamics 365 v 9.0 , Virtual Entity is on of the feature that users would want to leverage for addressing their Integration requirements.
"Odata V4 Data Source" is the out of box data source available that can be tied to the D365 Virtual Entities and these data sources need an Odata V4 Web API. The key question that arises for the developers while using this feature is - Authentication. Though D365 does not give us flexibility to handle various authentication mechanisms it provides us the ability to handle Authorization using Query String Parameters.
You need to have an existing Odata Web API and a Configured Virtual Entity on your Dynamics 365 9.0 System.
If you need help in Odata Web API you can download sample code here and the detailed steps for creating and configuring Virtual entity are available here.
1. Go to your Odata V4 Web API Source code and add a new class "CustomAuthorization.cs" with definition as below. The value of the Key ( i.e. Token ) can be stored in Azure key Vault .
The more complex the authorization rules the more secure the API would be. An additional call to CRM could be made to validate any parameters from a custom configuration Entity.
//Sample Code Snippet
//This namespace to be referenced in the using section of the controller.
//Give any desired name to your class instead of CustomAuthorization to be later used as a header attribute for your controller.
public class CustomAuthorization: AuthorizeAttribute
public override void OnAuthorization(HttpActionContext actionContext)
var queryString = actionContext.Request.GetQueryNameValuePairs().ToDictionary(x => x.Key, x => x.Value);
//This value corresponding to the "token" key cane be stored in Azure Key Vault and retrieved in runtime.
if (queryString["token"].ToString() != "816e49a0-b3f1-4754-b659-e9fe3f34f505")
//Write your custom code here ex:- Trace Logs , Throwing exceptions etc.
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
//Write your custom code here ex:- Logs , Exception handling etc
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
2. Reference this namespace in your controller class and add [CustomAuthorization] i.e. the Class name created above as header to your controller class.
public class EntitiesController : ODataController
3. Build and Run this project to your local and Verify the data from Browser by navigating to your controller.
5. Update Query String Parameters on your Odata V4 Source in D365
6. Go to Advance Find and query your Virtual entity and you should be able to get the desired result.
Note: D365 Also gives us the flexibility to send the Request Parameters through header , Clicking on the Parameter Type would change the type to Header from Query String. And D365 allows us to add up to 10 Request Parameters.