In OAuth client credentials flow using Java, is the use of SilentParameters to acquire token silently from cache obsolete?

Question

In OAuth client credentials flow using Java, is the use of SilentParameters to acquire token silently from cache obsolete?

Priyanka Chaudhuri 125

My client application is a confidential client application as it does not have any interactive UI for user sign in (no user sign in involved) and it runs on the web browser.

In SDK for Java quickstart as well as many online implementations of Client Credentials Grant flow in Java for a daemon calling a protected web API using app role, SilentParameters.builder(Set<String>scope) has been used as an example.

Right now it is deprecated in the MSAL (I am using 1.13.8 maven dependency) and I want to understand the following -

Should I only use the below code to acquire token and I no longer need to use SilentParameters and call "acquireTokenSilently"? Is it that the ClientCredentialParameters will implicitly check for a valid token in the cache and if not found, would request a new token to the IDP?

Articles like https://learn.microsoft.com/en-us/answers/questions/61061/recommended-pattern-for-acquiring-tokens and https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens#recommended-call-pattern-for-public-client-applications has left me rather confused.

ClientCredentialParameters parameters =
                     ClientCredentialParameters
                             .builder(SCOPE)
                             .build();
result = cca.acquireToken(parameters).join();

Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator

2023-07-14T14:19:41.4+00:00

@Priyanka Chaudhuri

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Accepted answer

0 additional answers

Your answer

Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator

2023-07-14T14:19:41.4+00:00

@Priyanka Chaudhuri

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,951 Microsoft Employee Moderator

@Priyanka Chaudhuri

Thank you for posting your query on Microsoft Q&A. From above description we could understand that you want to know if you could use SilentParameters to acquireToken silently for java confidential client application.

Please do correct me if this is not the case by responding in the comments section.

Yes, you could use SilentParameters to acquireToken silently. As per Acquiring tokens silently MSAL maintains a token cache (or two caches for confidential client applications) and caches a token after it's been acquired.

The exception applies to public clients only.

For public client Client credentials flow, which does not use the user token cache but an application token cache. This method takes care of verifying the application token cache before sending a request to the security token service (STS).

Please do let me know if you have any further queries.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Priyanka Chaudhuri 125 Reputation points

2023-07-17T18:07:38.1966667+00:00
Apologies for the delay in replying.

Thanks for your reply Akshay.

What I understood from the code snippet in the quickstart tutorial is that acquiring token silently means fetching it from the token cache.

Please let me know if the above understanding is correct.

Secondly, Azure SDK for Java has marked acquireTokenSilently method of ConfidentialClientApplication deprecated -Therefore, we should not use it. So in today's date it contradicts the guidance given in the quickstart tutorial.

I am left with the option of using below code to acquire the token -

ClientCredentialParameters parameters = ClientCredentialParameters .builder(SCOPE) .build(); result = cca.acquireToken(parameters).join();

My question to you is, does the method acquireToken of ConfidentialClientApplication class check for the token in the cache before requesting for a new one to the IDP?
Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator

2023-07-18T08:26:57.14+00:00

@Priyanka Chaudhuri ,

As per public CompletableFuture acquireToken(ClientCredentialParameters parameters) Method Details:

Acquires tokens from the authority configured in the application, for the confidential client itself. It will by default attempt to get tokens from the token cache. If no tokens are found, it falls back to acquiring them via client credentials from the STS

Also as per SilentParameters Method Summary This method was used for using cached tokens in client credentials or On-behalf-of flow. Those flows will now by default attempt to use cached the cached tokens, so there is no need to call acquireTokenSilently. This overload will be removed in the next major version.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Share via

In OAuth client credentials flow using Java, is the use of SilentParameters to acquire token silently from cache obsolete?

0 additional answers

Your answer