Service to service calls on behalf of the user
Santiago Gonzalez edited this page May 23, 2019 · 2 revisions
A web API cannot have any user interaction. Therefore, when a web API (the "first web API") needs to call another web API (the "second web API") in the name of a user, it must use the OAuth 2.0 On-Behalf-Of flow.
This flow is a confidential client flow, so the first web API provides client credentials (a client secret or certificate). It also provides another parameter, the userAssertion. The first web API receives a bearer token from its caller and sends it to Azure AD, embedded in a user assertion, to request another token for the downstream second web API.
    // Confidential client: the first web API authenticates with its own credentials
    ConfidentialClientApplication cca =
            ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(CLIENT_SECRET))
                    .authority(AUTHORITY)
                    .build();

    // Create a UserAssertion with the access token received from the client application
    UserAssertion userAssertion = new UserAssertion(accessToken);

    // Exchange the assertion for a token to the second web API; get() blocks until the result is available
    AuthenticationResult result =
            cca.acquireToken(
                    OnBehalfOfParameters.builder(
                            Scope,
                            userAssertion)
                            .build())
                    .get();
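To make the two kinds of credential in this flow concrete, the following added example (not part of the original page or of MSAL4J) builds the form body of an on-behalf-of token request using the parameters documented for the Microsoft identity platform v2.0 token endpoint; that MSAL4J sends an equivalent request is an assumption. The class name, helper names and all sample values are hypothetical, and the incoming token is assumed to have already passed signature and audience validation in the first web API.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class OboRequestExample {

    // Extract the raw access token from the Authorization header the client sent.
    static String bearerToken(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            throw new IllegalArgumentException("expected an Authorization: Bearer header");
        }
        String token = authorizationHeader.substring(7).trim();
        // A signed JWT in compact form has exactly three dot-separated segments.
        if (token.split("\\.", -1).length != 3) {
            throw new IllegalArgumentException("token is not a compact JWT");
        }
        return token;
    }

    // Form body of the on-behalf-of request: client credentials plus the user assertion.
    static String oboFormBody(String clientId, String clientSecret,
                              String incomingToken, String scope) {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        form.put("assertion", incomingToken);
        form.put("scope", scope);
        form.put("requested_token_use", "on_behalf_of");
        return form.entrySet().stream()
                .map(e -> e.getKey() + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    public static void main(String[] args) {
        // Constructed sample values: not a real token, client ID, secret or scope.
        String header = "Bearer eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJmaXJzdC1hcGkifQ.c2lnbmF0dXJl";
        String body = oboFormBody("00000000-0000-0000-0000-000000000000",
                "placeholder-secret", bearerToken(header), "api://second-web-api/.default");
        // Both the secret and the assertion are credentials: redact before logging.
        System.out.println(body.replaceAll("(client_secret|assertion)=[^&]+", "$1=<redacted>"));
    }
}
```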