Service to service calls on behalf of the user

Santiago Gonzalez edited this page May 23, 2019 · 2 revisions

Web APIs can acquire tokens in the name of a user by leveraging user assertions.

A web API cannot have any user interaction. Therefore, when a web API (the "first web API") needs to call another web API (the "second web API") in the name of a user, it must use the OAuth 2.0 On-Behalf-Of flow.

This is a confidential client flow, so the first web API provides its client credentials (a client secret or a certificate). It also provides an additional parameter, the user assertion: the first web API takes the bearer token it received from its caller, embeds it in a `UserAssertion`, and sends it to Azure AD to request a token for the downstream second web API.

    import java.util.Collections;
    import java.util.Set;
    import com.microsoft.aad.msal4j.*;

    // The first web API authenticates itself with its own client credentials.
    // (In MSAL4J 1.x the factory method is ClientCredentialFactory.createFromSecret.)
    ConfidentialClientApplication cca =
            ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(CLIENT_SECRET))
                    .authority(AUTHORITY)
                    .build();

    // Create a UserAssertion with the access token received from the client application
    UserAssertion userAssertion = new UserAssertion(accessToken);

    // Scopes of the downstream (second) web API being called on behalf of the user
    Set<String> scopes = Collections.singleton(scope);

    AuthenticationResult result =
            cca.acquireToken(
                    OnBehalfOfParameters.builder(scopes, userAssertion)
                            .build())
                    .get();
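The snippet above shows only the token exchange. The following is an added, end-to-end example (not code from this wiki or from the MSAL4J project) of the first web API extracting the caller's bearer token, exchanging it for a downstream token with the On-Behalf-Of flow, and calling the second web API as that user. It assumes the MSAL4J 1.x method names (`ClientCredentialFactory.createFromSecret`, `IAuthenticationResult`) and Java 11's `java.net.http` client; the class name `OnBehalfOfCaller`, the `extractBearerToken`/`acquireDownstreamToken`/`callDownstream` methods and every angle-bracketed value are placeholders.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Collections;
import java.util.Set;

import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;

/**
 * First web API: exchanges the caller's bearer token for a token to the
 * second (downstream) web API using the On-Behalf-Of flow, then calls it.
 * Hypothetical example class; the placeholder values below are not real.
 */
public class OnBehalfOfCaller {

    // Placeholders: replace with the first web API's own app registration values.
    private static final String CLIENT_ID = "<first-web-api-client-id>";
    // Load the secret from a secret store or environment at runtime, never from source.
    private static final String CLIENT_SECRET = "<first-web-api-client-secret>";
    private static final String AUTHORITY = "https://login.microsoftonline.com/<tenant-id>/";
    // Scope exposed by the second web API; "/.default" requests all permissions consented for it.
    private static final String DOWNSTREAM_SCOPE = "api://<second-web-api-app-id>/.default";
    private static final URI DOWNSTREAM_URL = URI.create("https://<second-web-api-host>/api/resource");

    private final ConfidentialClientApplication cca;
    private final HttpClient http = HttpClient.newHttpClient();

    public OnBehalfOfCaller() throws Exception {
        // One application object per process; MSAL4J caches OBO results per user assertion behind it.
        this.cca = ConfidentialClientApplication
                .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(CLIENT_SECRET))
                .authority(AUTHORITY)
                .build();
    }

    /** Pulls the bearer token out of an incoming Authorization header, or returns null. */
    static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) return null;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer") || parts[1].isEmpty()) return null;
        return parts[1];
    }

    /** Exchanges the inbound token (audience = this API) for a downstream token via OBO. */
    IAuthenticationResult acquireDownstreamToken(String inboundAccessToken) throws Exception {
        // The inbound access token becomes the user assertion sent to Azure AD.
        UserAssertion assertion = new UserAssertion(inboundAccessToken);
        Set<String> scopes = Collections.singleton(DOWNSTREAM_SCOPE);
        return cca.acquireToken(OnBehalfOfParameters.builder(scopes, assertion).build()).get();
    }

    /** Full path: inbound header -> OBO exchange -> downstream call as the same user. */
    public String callDownstream(String authorizationHeader) throws Exception {
        String inbound = extractBearerToken(authorizationHeader);
        if (inbound == null) {
            throw new IllegalArgumentException("missing or malformed bearer token");
        }
        // The web framework's JWT middleware should already have validated the signature,
        // audience and expiry of 'inbound' before this point; do not forward an unvalidated token.
        IAuthenticationResult obo = acquireDownstreamToken(inbound);

        HttpRequest request = HttpRequest.newBuilder(DOWNSTREAM_URL)
                .header("Authorization", "Bearer " + obo.accessToken())
                .GET()
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() / 100 != 2) {
            throw new IllegalStateException("downstream call failed: HTTP " + response.statusCode());
        }
        return response.body();
    }
}
```

The token returned by the exchange carries the original user's identity with the second web API as its audience, so the downstream call is authorized as that user rather than as the first web API itself; the client secret only proves the identity of the first web API to Azure AD and is never sent downstream.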