
Security

This section discusses the security aspects of this extension.

Secrets

Secrets are encrypted inside the AX database so that no one, including administrators, can read the decrypted values. See Encryption in Microsoft Dynamics 365 and Encryption in finance and operations apps for more information.

All instances use Microsoft SQL Server Transparent Data Encryption (TDE) and Azure Storage encryption to encrypt data in real time as it is written to disk, protecting it at rest.

Any changes to the secrets are automatically logged into the SysEncryptionLog table.

Such secrets are also:

  • not exposed in any of the data entities, private or public.
  • obfuscated in logs.
warning

When moving databases between environments, the decryption key changes, so the target environment can no longer decrypt the secrets; they will need to be reset.

Webservices

All transactions between Dynamics 365FO and Eftsure use HTTPS with TLS 1.2 or 1.3 to secure the transmission of data over the internet.

HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP), which uses encryption for secure communication over a computer network, and is widely used on the Internet. Our communication protocol is encrypted using Transport Layer Security (TLS). The protocol is therefore also referred to as HTTP over TLS.

The principal motivations for HTTPS are authentication of the accessed website and protection of the privacy and integrity of the exchanged data while it is in transit.

For more information, see HTTPS on Wikipedia.

Our extension enforces the use of HTTPS for all outbound calls.

TLS

TLS is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet.

The TLS protocol aims primarily to provide security, including privacy (confidentiality), integrity, and authenticity through the use of cryptography, such as the use of certificates, between two or more communicating computer applications.

For more information, see TLS on Wikipedia.

Our extension enforces TLS for all HTTPS calls and supports both TLS 1.2 and 1.3.

warning

Support for TLS 1.3 may vary per environment. For more information, see Supported TLS Versions, although that page might not be up to date.

OAuth 2.0 Client Credentials

Our extension uses the Client Credentials grant type in OAuth 2.0, a method for a client application to obtain an access token directly from an authorization server using only its own credentials (client ID and client secret), without involving a user.

This grant type has the following characteristics:

  • No user interaction: Unlike other grant types like Authorization Code, this flow does not require any user consent or redirection to a login page.
  • Confidential clients only: This grant type is suitable for confidential clients that can securely store their client secret and prevent unauthorized access.
  • Direct access token retrieval: The client sends a request containing its client_id and client_secret to the authorization server's token endpoint.
  • Access to client-owned resources: The resulting access token grants the client access to resources that belong to the client itself, rather than resources owned by a specific user.
  • No refresh token: Typically, refresh tokens are not issued with this grant type because the client is the resource owner and can simply request a new access token when the current one expires.
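The token request and renewal behaviour described above, as an added Python example that is not part of the extension's own code: the secret is sent in the Authorization header rather than the URL, the endpoint must be HTTPS, and, since no refresh token is issued, a new access token is simply requested before the current one expires. The endpoint URL, client ID, client secret and authorization-server responses used here are constructed placeholders.

```python
# OAuth 2.0 Client Credentials grant (RFC 6749 section 4.4): build the token request, parse the response, renew on expiry.
import base64
import json
import time
from urllib.parse import urlencode, urlparse

def build_token_request(token_url, client_id, client_secret, scope=None):
    """Return (url, headers, body). The secret goes in an HTTP Basic header
    (RFC 6749 section 2.3.1), never in the URL, and the endpoint must be HTTPS."""
    if urlparse(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return token_url, headers, urlencode(params)

class TokenCache:
    """No refresh token exists for this grant: a new token is simply requested
    shortly before the current one expires."""

    def __init__(self, fetch, skew=30):
        self._fetch = fetch            # returns the raw JSON response body
        self._skew = skew              # renew this many seconds before expiry
        self._token, self._expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            resp = json.loads(self._fetch())
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
        return self._token

def demo():
    # Constructed authorization-server responses (RFC 6749 section 5.1), not real tokens.
    responses = iter(['{"access_token":"tok-1","token_type":"Bearer","expires_in":3600}',
                      '{"access_token":"tok-2","token_type":"Bearer","expires_in":3600}'])
    cache = TokenCache(lambda: next(responses))
    first = cache.get(now=1000.0)   # fetches tok-1
    second = cache.get(now=2000.0)  # still valid, served from cache
    third = cache.get(now=4580.0)   # 20 s before expiry, inside skew: renewed
    return first, second, third
```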