We’re attempting to expose our PIWebAPI to external entities using Azure AD for authentication. We’ve got a proof of concept working, but now that we’re thinking about how to present it to a handful of outside entities, I’m worried we might not be doing it the right way. I’m hoping someone might be able to get us headed in the right direction or tell us we’re on the right path.
Also, please keep in mind, this is all very new to both myself and the SysAdmins I’m working with. My apologies for any incorrect terminology or misinterpretations.
What we have working:
- We configured the PI Web API to use bearer authentication as outlined in the OSIsoft documentation.
- In the Azure AD App Registrations, we added the PI Web API as an app and added a Scope for reading data.
- Then we granted this client app permissions to the PI Web API app, enabled the “implicit grant flow”, and set up the Redirect URI.
- Then we configured the client app and got data flowing. The user is presented with the Microsoft login page, they are authenticated, and they get data returned from the PI Web API.
What we don’t like:
The thing that is hanging us up is having to configure the client application in Azure AD for each external entity. We’d much rather have a generalized setup where we add a user for the external entity and call it good. We don’t want to require knowing how they are going to connect, what technologies/languages they are using, or working out what their Redirect URI is going to be for their app.
So I guess my questions are:
- In general what is the best way, or the standard way, to authenticate a user for the PIWebAPI using Azure AD?
- Is there a more generalized way to set up the client App Registration so we don’t have to do it individually for every external entity?
- Are there any other tips/tricks/ideas/general information for doing this?
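The resource side of the bearer setup described above, as an added example that is not part of this post or of OSIsoft's PI Web API: the claim checks that the PI Web API (or a gateway in front of it) should apply to every bearer token, whichever client app or flow produced it. The tenant ID, audience, scope name and signing key are constructed placeholders; real Azure AD tokens are RS256-signed with keys fetched from the tenant's JWKS endpoint, which this offline example replaces with a constructed HMAC key.

```python
import base64
import hashlib
import hmac
import json
import time

# Values an operator would copy from the PI Web API app registration in
# Azure AD (constructed placeholders, not real tenant values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
PIWEBAPI_AUDIENCE = "api://piwebapi-placeholder"  # client ID or App ID URI
REQUIRED_SCOPE = "Data.Read"  # the read scope defined on the registration

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token so the example runs offline; Azure AD itself
    # issues RS256 tokens, verified against the tenant's published keys.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_bearer(token: str, key: bytes, now=None):
    """Return (accepted, reason). Order: signature, issuer, audience, time, scope."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != PIWEBAPI_AUDIENCE:  # token minted for some other API
        return False, "token not issued for the PI Web API"
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        return False, "token expired or not yet valid"
    if REQUIRED_SCOPE not in claims.get("scp", "").split():  # scp is space-separated
        return False, "required scope missing"
    return True, "ok"
```

The audience and scope checks are what make the authorization independent of how each external client obtained its token.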