-
Notifications
You must be signed in to change notification settings - Fork 144
Service to service calls on behalf of the user
Santiago Gonzalez edited this page May 23, 2019
·
2 revisions
Web API cannot have any user interaction, and therefore when a web API (named "Web API #1") needs to call another Web API (named "Web API #2") in the name of a user, it needs to use the On Behalf Of OAuth 2.0 flow.
This flow is a confidential client flow, and therefore the first web API provides client credentials (client secret or certificate), as well as an UserAssertion
. The first web API will receive a bearer token and send it to Azure AD by embedding it into a UserAssertion
to request another token to the downstream second Web API.
ConfidentialClientApplication cca =
ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(CLIENT_SECRET)).
authority(AUTHORITY).
build();
// Create an UserAssertion with the access token received from the client application
UserAssertion userAssertion = new UserAssertion(accessToken);
AuthenticationResult result =
cca.acquireToken(
OnBehalfOfParameters.builder(
Scope,
userAssertion).
build()).
get();
- Home
- Why use MSAL4J
- Register your app with AAD
- Scenarios
- Client Applications
- Acquiring tokens
- IAuthenticationResult
- Calling a protected API