Acquiring Tokens
As explained in Scenarios, there are many ways of acquiring a token; they are detailed in the next topics. Some require user interaction through a web browser, and some don't require any user interaction. In general, the way to acquire a token differs depending on whether the application is a public client application (desktop / mobile) or a confidential client application (web app, web API, or a daemon application such as a Windows service).
For both public client and confidential client applications, MSAL maintains a token cache, and applications should try to get a token from the cache before using any other means, except in the case of client credentials, where the acquisition call checks the cache by itself.
To be able to make use of the cache, the application needs to customize the token cache serialization.
For public client applications (desktop / mobile):
- Acquire tokens by authorization code after letting the user sign in through the authorization request URL.
- It's also possible (but not recommended) to get a token with a username and password.
- For applications running on Windows machines joined to a domain or to Azure AD, it is possible to acquire a token silently, leveraging Integrated Windows Authentication (IWA).
- Finally, for applications running on devices which don't have a web browser, it's possible to acquire a token through the device code flow, which provides the user with a URL and a code. The user goes to a web browser on another device, enters the code and signs in, and Azure AD then returns a token to the browser-less device.
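The cache-first rule and the device code flow above, put together as an added example (not code from the MSAL4J wiki or the project itself): a public client persists the token cache through an `ITokenCacheAccessAspect`, asks the cache first with `acquireTokenSilently`, and only falls back to the device code flow when no usable token exists. `CLIENT_ID`, the `User.Read` scope and the cache file location are assumptions.

```java
import com.microsoft.aad.msal4j.*;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.Set;

public class PublicClientTokenAcquisition {

    // Placeholder: replace with the client ID from your app registration.
    private static final String CLIENT_ID = "<your-application-client-id>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/common/";
    // Assumed scope for the example; use the scopes of the API you call.
    private static final Set<String> SCOPES = Collections.singleton("User.Read");

    /** Token cache serialization: persists the MSAL cache to a file (assumed location). */
    static class FileTokenCache implements ITokenCacheAccessAspect {
        private final Path cacheFile = Paths.get(System.getProperty("user.home"), ".msal_cache.json");

        @Override
        public void beforeCacheAccess(ITokenCacheAccessContext context) {
            // Load the persisted cache (if any) before MSAL reads from it.
            if (Files.exists(cacheFile)) {
                try {
                    String data = new String(Files.readAllBytes(cacheFile), StandardCharsets.UTF_8);
                    context.tokenCache().deserialize(data);
                } catch (IOException e) {
                    throw new RuntimeException("Unable to read token cache", e);
                }
            }
        }

        @Override
        public void afterCacheAccess(ITokenCacheAccessContext context) {
            // Write the cache back only when MSAL actually changed it.
            if (context.hasCacheChanged()) {
                try {
                    Files.write(cacheFile, context.tokenCache().serialize().getBytes(StandardCharsets.UTF_8));
                } catch (IOException e) {
                    throw new RuntimeException("Unable to write token cache", e);
                }
            }
        }
    }

    public static IAuthenticationResult acquireToken() throws Exception {
        PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
                .authority(AUTHORITY)
                .setTokenCacheAccessAspect(new FileTokenCache())
                .build();

        // 1. Cache first: reuse a cached (or refreshable) token for a known account.
        Set<IAccount> accounts = pca.getAccounts().join();
        if (!accounts.isEmpty()) {
            try {
                SilentParameters silent =
                        SilentParameters.builder(SCOPES, accounts.iterator().next()).build();
                return pca.acquireTokenSilently(silent).join();
            } catch (Exception e) {
                // join() wraps the MsalException (e.g. interaction required);
                // for those we fall through to an interactive flow, anything else is a real error.
                if (!(e.getCause() instanceof MsalException)) {
                    throw e;
                }
            }
        }

        // 2. Nothing usable in the cache: device code flow for a browser-less device.
        // The callback receives the URL and code the user must enter on another device.
        DeviceCodeFlowParameters deviceCodeParams = DeviceCodeFlowParameters.builder(SCOPES,
                deviceCode -> System.out.println(deviceCode.message())).build();
        return pca.acquireToken(deviceCodeParams).join();
    }

    public static void main(String[] args) throws Exception {
        IAuthenticationResult result = acquireToken();
        System.out.println("Token acquired for " + result.account().username());
    }
}
```

The serialized cache contains refresh tokens, so the file written by `FileTokenCache` is as sensitive as a password; on a real deployment it should be protected with the platform's secret store or encrypted at rest, and its permissions restricted to the user running the application.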
For confidential client applications (web app, web API, daemon):
- Acquire a token as the application itself, using client credentials and not for a user; for example, in apps which process users in batches rather than a particular user, such as syncing tools.
- In the case of web apps or web APIs calling another downstream web API in the name of the user, use the On-Behalf-Of flow to acquire a token based on a user assertion (a SAML assertion, for instance, or a JWT token).
- For web apps acting in the name of a user, acquire tokens by authorization code after letting the user sign in through the authorization request URL. This is typically the mechanism used by an application which lets the user sign in using OpenID Connect, but then wants to access web APIs for this particular user.
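The three confidential client flows listed above in one added example (not code from the MSAL4J wiki or the project itself): client credentials for a daemon, On-Behalf-Of for a web API forwarding a user's call, and authorization code for a web app. `CLIENT_ID`, `TENANT_ID`, the Microsoft Graph `/.default` scope and the way the secret is supplied are assumptions; `ClientCredentialFactory.createFromSecret` is the secret-based credential factory of current MSAL4J releases.

```java
import com.microsoft.aad.msal4j.*;

import java.net.URI;
import java.util.Collections;
import java.util.Set;

public class ConfidentialClientTokenAcquisition {

    // Placeholders: replace with the values from your app registration.
    private static final String CLIENT_ID = "<your-application-client-id>";
    private static final String TENANT_ID = "<your-tenant-id>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT_ID + "/";

    private static ConfidentialClientApplication buildApp(String clientSecret) throws Exception {
        // The secret is passed in by the caller; in practice it comes from a secret store
        // or the environment, never from source control (assumption about deployment).
        return ConfidentialClientApplication.builder(CLIENT_ID,
                        ClientCredentialFactory.createFromSecret(clientSecret))
                .authority(AUTHORITY)
                .build();
    }

    /** Daemon / batch: a token for the application itself, no user involved. */
    public static IAuthenticationResult acquireAsApplication(String clientSecret) throws Exception {
        ConfidentialClientApplication cca = buildApp(clientSecret);
        // Client credentials use the resource's /.default scope (assumed resource: Microsoft Graph).
        ClientCredentialParameters parameters = ClientCredentialParameters.builder(
                Collections.singleton("https://graph.microsoft.com/.default")).build();
        // No explicit acquireTokenSilently here: client-credential acquisition checks the cache itself.
        return cca.acquireToken(parameters).join();
    }

    /** Web API: exchange the caller's access token (the user assertion) for a downstream-API token. */
    public static IAuthenticationResult acquireOnBehalfOf(String clientSecret,
                                                          String incomingAccessToken,
                                                          Set<String> downstreamScopes) throws Exception {
        ConfidentialClientApplication cca = buildApp(clientSecret);
        OnBehalfOfParameters parameters = OnBehalfOfParameters.builder(downstreamScopes,
                new UserAssertion(incomingAccessToken)).build();
        return cca.acquireToken(parameters).join();
    }

    /** Web app: redeem the authorization code received on the redirect URI after sign-in. */
    public static IAuthenticationResult acquireByAuthorizationCode(String clientSecret,
                                                                   String authorizationCode,
                                                                   String redirectUri,
                                                                   Set<String> scopes) throws Exception {
        ConfidentialClientApplication cca = buildApp(clientSecret);
        AuthorizationCodeParameters parameters = AuthorizationCodeParameters
                .builder(authorizationCode, new URI(redirectUri))
                .scopes(scopes)
                .build();
        return cca.acquireToken(parameters).join();
    }
}
```

For `acquireOnBehalfOf`, the incoming access token must already have been validated by the web API's own authentication layer (signature, audience, expiry) before it is forwarded as a user assertion; MSAL4J only exchanges it, it does not verify that the caller was entitled to present it.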