BlackBerry Spark Communications Services Guide

Azure Active Directory as your Identity Provider

BlackBerry Spark Communications Services can authenticate a user with Azure Active Directory. If your users already sign in to your application using Azure Active Directory, you can easily configure the SDK to use it as your application's identity provider.

Authenticating

Azure Active Directory supports JSON Web Tokens (JWT). Your application needs to pass the JWT access token along with the user ID to the SDK so that the user is authenticated against your Azure Active Directory. Your application can parse the JWT access token returned from the Azure authentication service to get the Active Directory user ID and other information.

In Microsoft Azure, each access token must be used for a specific resource. The scope parameter sent in the authentication request can contain multiple permissions, but all the permissions must be for the same resource.

Configuring Azure

First, register an application with a Scope defining the permission to use Spark Communications Services. This allows the BlackBerry Infrastructure to validate the access token that your application receives from the Azure Active Directory authentication service.

Add your Application

From the Azure Application Registration Portal, click on New registration.

After you've created your application in Azure, make note of the Application Id. It will be needed for the other steps.

Find Azure Application ID

Create the Application Scope

First, click Add an Application ID URI link.

Add the Application ID URI in Azure

Click the Add Scope button to add an authorization scope that will be used by the BlackBerry Infrastructure to verify the Azure access tokens that your application passes to it.

Add a Scope

Configure the Application ID URI

Save and continue with the default Application ID URI, which should have been automatically filled in with api:// followed by your Application ID.

Add the Application ID URI in Azure

After saving the Application ID URI, set the scope name in the first field to Messaging.All and allow both Admins and users to consent. Provide the required description strings and click Add scope.

Add the Scope

Authorize your Application

App overview

From the Overview page, access the API Permissions section and click Add a permission. A Request API permissions window will appear.

Pre-authorize your Azure Application

Search for your application name, select the Messaging.All permission, and add it.

Scope permission

Once the permissions are added, ensure you grant admin consent for your directory.

Configure your Target Platform

The next step depends on whether you are developing for a mobile operating system or the web.

For a mobile application, from the Overview page, click Authentication.

App overview

Under Suggested Redirect URIs for public clients (mobile, desktop), select the value that is a concatenation of msal, your Application ID, and ://auth. Your application will need to process a callback from this URI to receive the authentication result.

Add the Redirect URI in Azure

After adding the Redirect URI, you need to enable the Access tokens and ID tokens under Implicit grant.

Enable implicit grant

For a web application, from the Overview page, click Authentication.

App overview

Under Redirect URIs, enter the path to the redirect page that your application will send as the redirect_uri parameter to the Azure authorization server.

Add the Redirect URI in Azure

After adding the Redirect URI, you need to enable the Access tokens and ID tokens under Implicit grant.

Enable implicit grant

Configure your Domain

On your BlackBerry Online Account page, select your application to manage its configuration and then open the Communications Services tab and select Microsoft Azure AD in the Getting Started box.

Azure Portal

In the OpenID Connect tab below, some of the fields will be automatically filled in for you. Fill in the remaining fields as follows.

Azure Fields

Set the JWKS URI field to the concatenation of https://login.microsoftonline.com/, your Azure Active Directory Directory ID, and /discovery/v2.0/keys.

Find Azure Directory ID

Next, set the Issuer field to the concatenation of https://sts.windows.net/ and your Azure Active Directory Directory ID.

In the Client IDs field, add your application's Azure Application ID URI.

Click the Create Domain button. Then click the Edit button to modify the domain and choose the OpenID Connect tab.

In the Scopes list, add Messaging.All, which is the same scope name that you added to your application's Azure Web API configuration in the steps above.

Azure Scopes
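The Authenticating section above says the BlackBerry Infrastructure validates the access token your application passes to the SDK, and this section lists the values it validates against: the Issuer, the Client ID (your Application ID URI) and the Messaging.All scope, with the signing keys fetched from the JWKS URI. The following Python is an added example, not code from the guide or from the SDK, showing what those checks amount to when run against a token's claims. It assumes placeholder Directory and Application IDs, reads the user ID from the standard Azure AD oid claim, and, because Azure signs real tokens with RS256 using the keys published at the JWKS URI, stands in a constructed HS256 secret so the example runs offline; a production validator would replace that one step with a JWKS lookup by the token's kid.

```python
"""Offline check of an Azure AD access token against the values configured
for a Spark Communications Services domain (added example, not SDK code).

Assumptions, none taken from the guide: Azure signs real tokens with RS256
using keys from the JWKS URI; a constructed HS256 secret stands in for that
here so the example runs offline. The user ID is read from the Azure AD
``oid`` claim. The Directory and Application IDs are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder identifiers; substitute your own tenant/app values.
DIRECTORY_ID = "00000000-0000-0000-0000-000000000001"
APPLICATION_ID = "11111111-1111-1111-1111-111111111111"

# The three values the guide derives for the domain's OpenID Connect tab.
JWKS_URI = f"https://login.microsoftonline.com/{DIRECTORY_ID}/discovery/v2.0/keys"
ISSUER = f"https://sts.windows.net/{DIRECTORY_ID}/"
CLIENT_ID = f"api://{APPLICATION_ID}"
REQUIRED_SCOPE = "Messaging.All"


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT for testing (constructed; Azure uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes, now=None) -> str:
    """Verify the signature and the claims the BlackBerry Infrastructure
    relies on (issuer, audience, scope, expiry) and return the user ID.
    Raises ValueError describing the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # A real validator pins RS256 and selects the JWKS key by the 'kid' header.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer must be the tenant's STS, exactly as entered in the Issuer field.
    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer {claims.get('iss')!r} does not match {ISSUER!r}")
    # Azure issues a token for one resource; aud must be our Application ID URI.
    if claims.get("aud") != CLIENT_ID:
        raise ValueError(f"audience {claims.get('aud')!r} is not {CLIENT_ID!r}")
    # 'scp' is a space-separated list of delegated permissions on that resource.
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        raise ValueError(f"scope {REQUIRED_SCOPE} not granted")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "oid" not in claims:
        raise ValueError("no user ID (oid) claim")
    return claims["oid"]


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    good = {"iss": ISSUER, "aud": CLIENT_ID, "scp": "Messaging.All",
            "exp": time.time() + 3600, "oid": "constructed-user-oid"}
    print("user id:", validate_token(make_test_token(good, secret), secret))
    # A token minted for a different resource is rejected even if it is otherwise valid.
    try:
        validate_token(make_test_token(dict(good, aud="api://other-resource"), secret), secret)
    except ValueError as err:
        print("rejected:", err)
```

The audience check is the one that most often trips developers following these steps: a token requested for another resource (for example one carrying only Microsoft Graph scopes) will have a different aud and fail, which is why the guide stresses that every permission in the scope parameter must belong to the same resource, your own Application ID URI.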

Examples

The SDK example applications can be set up to use Azure Active Directory as your identity provider.