
Service to service calls on behalf of the user

Santiago Gonzalez edited this page May 23, 2019 · 2 revisions

A web API can acquire tokens in the name of a user by presenting a user assertion.

A web API cannot have any user interaction. Therefore, when a web API (named "Web API #1") needs to call another web API (named "Web API #2") in the name of a user, it uses the OAuth 2.0 On-Behalf-Of (OBO) flow.

This is a confidential client flow: Web API #1 authenticates to Azure AD with its own client credentials (a client secret or a certificate) and presents a UserAssertion. The UserAssertion wraps the bearer token that Web API #1 received from its caller. Azure AD checks that this token was issued to a user and for Web API #1, and returns a new access token for the downstream Web API #2. Because there is no user in the loop, any error that would normally need a prompt (for example, missing consent) has to be reported back to the calling client application rather than handled by the web API.

```java
import java.util.Collections;
import java.util.Set;
import com.microsoft.aad.msal4j.AuthenticationResult;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;

// Web API #1 is a confidential client: it authenticates with its own secret (or certificate).
// Newer MSAL4J releases name this factory method ClientCredentialFactory.createFromSecret.
ConfidentialClientApplication cca =
        ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(CLIENT_SECRET))
                .authority(AUTHORITY)
                .build();

// Scopes to request for the downstream Web API #2 (placeholder: use that API's app ID URI).
Set<String> scopes = Collections.singleton("api://<Web API #2 app ID URI>/.default");

// Wrap the bearer token that Web API #1 received from its caller in a UserAssertion.
UserAssertion userAssertion = new UserAssertion(accessToken);

// Ask Azure AD for a token for Web API #2 in the name of that user. acquireToken returns a
// CompletableFuture; get() blocks and throws InterruptedException/ExecutionException on failure.
AuthenticationResult result =
        cca.acquireToken(OnBehalfOfParameters.builder(scopes, userAssertion).build())
           .get();

// result.accessToken() is the bearer token to send to Web API #2.
```
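The Java above hides the OAuth 2.0 exchange that MSAL performs. What follows is an added example, not code from this page or from MSAL4J, written in Python so the exchange can be run and inspected offline. It shows the two things a practitioner has to get right on Web API #1's side: what to verify about the incoming bearer token before relaying it as an assertion, and the form parameters of the on-behalf-of request that go to the token endpoint. Everything concrete in it is constructed: the HS256 demo key stands in for Azure AD's RS256 signing keys, the identifiers `api://web-api-1`, `api://web-api-2` and the issuer URL are placeholders, and `fake_token_endpoint` is a stand-in for Azure AD.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not from the page. A shared HMAC key stands in for the
# RS256 keys Azure AD publishes in its discovery document, so the example runs offline.
DEMO_SIGNING_KEY = b"demo-key-not-a-real-secret"
WEB_API_1_ID = "api://web-api-1"   # audience of tokens sent to Web API #1 (placeholder)
WEB_API_2_ID = "api://web-api-2"   # what Web API #1 requests on the user's behalf (placeholder)
ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"   # placeholder issuer


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unverified_claims(token: str) -> dict:
    """Payload of a JWT without checking its signature (only used after verification)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def make_demo_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Mint a constructed HS256 JWT to stand in for a token Azure AD issued."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_incoming_token(token: str, audience: str, issuer: str,
                            key: bytes = DEMO_SIGNING_KEY, now: float = None) -> dict:
    """Checks Web API #1 must pass before it relays its caller's bearer token as an assertion.
    Returns the claims or raises ValueError. The signature check here is the demo HMAC."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = unverified_claims(token)
    if claims.get("aud") != audience:
        # A token issued for some other API must not be relayed; Azure AD rejects it as well.
        raise ValueError("token was not issued for this API")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token expired or not yet valid")
    if "scp" not in claims:
        # v2.0 app-only tokens carry 'roles' and no 'scp'; OBO needs a token issued to a user.
        raise ValueError("app-only token: there is no user to act on behalf of")
    return claims


def build_obo_request(client_id: str, client_secret: str, assertion: str, scopes: list) -> dict:
    """Form body of the v2.0 token request that OnBehalfOfParameters produces under the hood."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,                 # the confidential client: Web API #1
        "client_secret": client_secret,         # or a signed client assertion for a certificate
        "assertion": assertion,                 # the incoming user token (the UserAssertion)
        "scope": " ".join(scopes),              # what Web API #1 wants for Web API #2
        "requested_token_use": "on_behalf_of",
    }


def acquire_obo_token(incoming_token: str, client_id: str, client_secret: str,
                      scopes: list, post, now: float = None) -> str:
    """Web API #1's side of the exchange. 'post' sends the form to the token endpoint and
    returns the parsed JSON; it is injected so the example runs without a network."""
    validate_incoming_token(incoming_token, WEB_API_1_ID, ISSUER, now=now)
    response = post(build_obo_request(client_id, client_secret, incoming_token, scopes))
    if "error" in response:
        # e.g. invalid_grant when the user never consented to Web API #1 calling Web API #2.
        # The web API cannot prompt, so surface this to the client application instead.
        raise RuntimeError(f"{response['error']}: {response.get('error_description', '')}")
    return response["access_token"]


def fake_token_endpoint(form: dict, now: float = None) -> dict:
    """Constructed stand-in for Azure AD: checks the grant shape and that the assertion was
    issued to a user for the calling client, then issues a token for the requested resource."""
    if (form.get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer"
            or form.get("requested_token_use") != "on_behalf_of"):
        return {"error": "invalid_request", "error_description": "not an on-behalf-of request"}
    try:
        user = validate_incoming_token(form["assertion"], form["client_id"], ISSUER, now=now)
    except ValueError as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    now = time.time() if now is None else now
    downstream = make_demo_token({"aud": form["scope"].split("/.default")[0], "iss": ISSUER,
                                  "sub": user["sub"], "scp": "access_as_user",
                                  "nbf": now, "exp": now + 3600})
    return {"token_type": "Bearer", "access_token": downstream, "expires_in": 3600}
```

In production the signature is verified against the keys from the tenant's OpenID discovery document, and `post` is an HTTPS POST of that form to the tenant's `/oauth2/v2.0/token` endpoint; MSAL4J does both for you. The parts worth keeping in mind are the ones the library cannot do on your behalf: the token you wrap in the UserAssertion must be a user token whose audience is Web API #1, and an `invalid_grant` answer from Azure AD has to go back to the client application, because a web API has no user to prompt.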
