Acquiring tokens
As explained in MSAL for Java scenarios, there are many ways of acquiring a token. Some require user interactions through a web browser. Some don't require any user interactions.
In general the way to acquire a token is different depending on the application type - public client application (desktop/mobile) or a confidential client application (Web App, Web API, daemon application like a Windows service).
Pre-requisites
Before acquiring tokens with MSAL4J, make sure to instantiate a client application
Token acquisition methods
Follow the topics below for detailed explanation with MSAL4J code usage for each token acquisition method.
Public client applications
- Acquire tokens interactively with system browser
- Acquire tokens by authorization code after letting the user sign-in through the authorization request URL.
- It's also possible (but not recommended) to get a token with a username and password.
- For applications running on Windows machines and joined to a domain or to Microsoft Entra ID, it is possible to acquire a token silently, leveraging Integrated Windows Authentication (IWA).
- Finally, for applications running on devices which don't have a web browser, it's possible to acquire a token through the device code flow, which provides the user with a URL and a code. The user goes to a web browser on another device, enters the code and signs-in, and then Microsoft Entra ID returns back a token to the browser-less device.
Confidential client applications
- Acquire token as the application itself using client credentials, and not for a user. For example, in apps which process users in batches and not a particular user such as in syncing tools.
- In the case of Web Apps or Web APIs calling another downstream Web API in the name of the user, use the On Behalf Of flow to acquire a token based on some User assertion (SAML for instance, or a JWT token).
- For Web apps in the name of a user, acquire tokens by authorization code after letting the user sign-in through the authorization request URL. This is typically the mechanism used by an application which lets the user sign-in using OpenID Connect, but then wants to access Web APIs for this particular user.
MSAL4J caches tokens
For both Public client and Confidential client applications, MSAL maintains a token cache, and applications should try to get a token from the cache first before any other means (except in the case of client credentials, which looks at the cache by itself). Take a look at the recommended pattern for token acquisition.
To be able to make use of the cache, the application needs to customize the token cache serialization.