BlackBerry Spark Communications Services Guide

Azure Identity Management

The BlackBerry Infrastructure can authenticate a user with Azure Active Directory. If your users already sign in to your application using Azure Active Directory, you can easily extend the implementation to allow the BlackBerry Infrastructure to use Azure Active Directory for access and identity management.

Authenticating

Azure Active Directory supports JSON Web Tokens (JWT). Your application needs to pass the JWT access token along with the user ID to the SDK so that the user is authenticated against your Azure Active Directory. Your application can parse the JWT access token returned from the Azure authentication service to get the Active Directory user ID and other information.

In Microsoft Azure, each access token must be used for a specific resource. The scope parameter sent in the authentication request can contain multiple permissions, but all the permissions must be for the same resource.
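As an added example that is not part of the BlackBerry SDK or this guide, the following Node.js snippet decodes the access token your application receives, extracts the Active Directory user ID, and confirms the token was issued by your tenant for your own API with the Messaging.All scope (the issuer, Application ID and Scope values set up in the configuration steps below) before handing token and user ID to the SDK. The tenant and application IDs are placeholders, and the BlackBerry Infrastructure still performs the real validation of the token.

```javascript
// Added example (not BlackBerry's or Microsoft's code): pre-check an Azure AD
// v2.0 access token before handing it, with the user ID, to the SDK.
// Placeholder values are assumed for the tenant and application IDs.
// The BlackBerry Infrastructure validates the token itself; this check only
// decodes the payload and never proves the token is genuine.

const TENANT_ID = '00000000-0000-0000-0000-000000000000'; // placeholder Directory ID
const APP_ID = '11111111-1111-1111-1111-111111111111';    // placeholder Application ID
const EXPECTED_ISSUER = `https://login.microsoftonline.com/${TENANT_ID}/v2.0`;
const EXPECTED_AUDIENCE = `api://${APP_ID}`;              // default Application ID URI
const REQUIRED_SCOPE = 'Messaging.All';

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Returns { userId, scopes } for a token that was issued by our tenant, for our
// API, with the Messaging.All permission and not yet expired; throws otherwise.
function checkAzureAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (header.payload.signature)');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  if (claims.iss !== EXPECTED_ISSUER) throw new Error(`unexpected issuer: ${claims.iss}`);
  // Azure issues each token for exactly one resource; a token minted for another
  // resource (e.g. Microsoft Graph) must not be passed to the SDK.
  if (claims.aud !== EXPECTED_AUDIENCE && claims.aud !== APP_ID) {
    throw new Error(`token issued for another resource: ${claims.aud}`);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  // Delegated permissions arrive as the space-separated "scp" claim.
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  if (!scopes.includes(REQUIRED_SCOPE)) throw new Error(`missing ${REQUIRED_SCOPE} scope`);
  if (!claims.oid) throw new Error('missing oid (Active Directory user ID) claim');
  return { userId: claims.oid, scopes };
}

// Constructed sample token for demonstration: the signature segment is a dummy,
// which is exactly why the check above cannot stand in for server-side validation.
function makeSampleToken(overrides = {}) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = { iss: EXPECTED_ISSUER, aud: EXPECTED_AUDIENCE, exp: 4102444800,
    scp: 'Messaging.All', oid: 'user-oid-placeholder', ...overrides };
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.dummy-signature`;
}

console.log(checkAzureAccessToken(makeSampleToken()));
```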

Configuring Azure

First, register a Web API with a Scope defining the permission to use Spark Communications Services. This allows the BlackBerry Infrastructure to validate the access token that your application receives from the Azure Active Directory authentication service.

Configure Azure

From the Azure Application Registration Portal, add a new application.

Make note of the Application Id. It will be needed for the other steps.

If you are developing with the SDK for JavaScript, add a Web Platform and enter the path to the redirect page that your application will send as the redirect_uri parameter to the authorization server. The Allow Implicit Flow check box must be checked.

If you are developing with the SDK for Android or iOS, add a Native Application Platform. Add a custom redirect URI and set its value to msal followed by your Application ID followed by ://auth (that is, msal<Application ID>://auth). Your application will process a callback from this URI to receive the authentication result.

Adding a Permission Scope

Continue in the Azure Application Registration Portal by adding a permission Scope for Spark Communications Services.

Leave the default Application ID URI, which should be api:// followed by your Application ID.

Add a new Scope. BlackBerry recommends using Messaging.All. This must match the Scope you entered in your application's domain configuration in your BlackBerry Online Account. It must also match the scope parameter sent in the request from your application to authenticate with the Azure authorize server.

In the Pre-authorized applications section, add the Application ID for your application and select the new Scope you just added.

Configure your Domain

On your BlackBerry Online Account page, select your application to manage its configuration and then open the Communications Services tab and select Microsoft Azure AD in the Getting Started box.

Set the Issuer field to https://login.microsoftonline.com/ followed by your Azure AD Directory ID followed by /v2.0 (that is, https://login.microsoftonline.com/<Directory ID>/v2.0). Add the Application ID that was assigned to your application by the Azure Application Registration Portal to the Client IDs list.

Click the Create Domain button. Click the Edit button to modify the domain and choose the OpenID Connect tab.

In the Scopes list, add the same permission Scope that you created above (such as Messaging.All) and save the changes.

Examples

The SDK example applications can be set up to use Azure Active Directory for Identity Management.