

IConfidentialClientApplication Interface

Definition

Represents confidential client applications - web apps, web APIs, daemon applications.

public interface IConfidentialClientApplication : Microsoft.Identity.Client.IClientApplicationBase
type IConfidentialClientApplication = interface
    interface IClientApplicationBase
    interface IApplicationBase
Public Interface IConfidentialClientApplication
Implements IClientApplicationBase

Remarks

Confidential client applications are typically applications that run on servers (web apps, web APIs, or service/daemon applications). They are considered difficult for end users to access, and are therefore capable of holding an application credential: a configuration-time secret (client secret or certificate) that end users cannot readily extract. A web app is the most common confidential client. The client ID is exposed through the web browser, but the secret is sent only over the back channel (the server-to-STS token request) and is never exposed to the browser. For details, see Client Applications.

Properties

AppConfig

Details on the configuration of the ClientApplication for debugging purposes.

(Inherited from IClientApplicationBase)
AppTokenCache

Application token cache which holds access tokens for this application. It is maintained and updated silently when calling AcquireTokenForClient(IEnumerable<String>).

Authority

Gets the URL of the authority, or the security token service (STS) from which MSAL.NET will acquire security tokens. The return value of this property is either the value provided by the developer in the constructor of the application, or otherwise the value of the Microsoft.Identity.Client.ApplicationBase.DefaultAuthority static member (that is https://login.microsoftonline.com/common/)

(Inherited from IClientApplicationBase)
ClientId
Obsolete.

Gets the Client ID (also known as Application ID) of the application as registered in the application registration portal (https://aka.ms/msal-net-register-app) and as passed in the constructor of the application.

(Inherited from IClientApplicationBase)
Component
Obsolete.

Identifier of the component (libraries/SDK) consuming MSAL.NET. This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.

(Inherited from IClientApplicationBase)
RedirectUri
Obsolete.

The redirect URI (also known as Reply URI or Reply URL) is the URI at which Azure AD will contact the application back with the tokens. This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app). In MSAL.NET, PublicClientApplication defines the following default RedirectUri values:

  • urn:ietf:wg:oauth:2.0:oob for desktop (.NET Framework and .NET Core) applications
  • msal{ClientId} for Xamarin iOS and Xamarin Android (as this will be used by the system web browser by default on these platforms to call back the application)

These default URIs could change in the future. In ConfidentialClientApplication, this is typically the URL of the web application / web API; it must exactly match one of the values registered for the app, since the STS rejects redirect URIs it does not know.

(Inherited from IClientApplicationBase)
SliceParameters
Obsolete.

Gets or sets custom query parameters that may be sent to the STS for dogfood testing or debugging. This is a string of key=value segments separated by ampersand characters. Unless requested otherwise, application developers should not set this parameter, as it may have an adverse effect on the application.

(Inherited from IClientApplicationBase)
Users
Obsolete.

In MSAL 1.x returned an enumeration of IUser. From MSAL 2.x, use GetAccountsAsync() instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from IClientApplicationBase)
UserTokenCache

User token cache which holds ID tokens, access tokens, and refresh tokens for accounts. It's used and updated silently if needed when calling AcquireTokenSilent(IEnumerable<String>, IAccount) It is updated by each acquire token method, with the exception of AcquireTokenForClient(IEnumerable<String>) which only uses the application cache (see AppTokenCache).

(Inherited from IClientApplicationBase)
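Both AppTokenCache and UserTokenCache are in-memory by default and are lost when the process restarts; a web app or web API normally plugs in a serializer. The following is an added example (not MSAL.NET's own sample code) of the smallest useful serializer: it hooks the before/after-access callbacks and persists one partition per TokenCacheNotificationArgs.SuggestedCacheKey, which is a client/tenant key for the app cache and a per-account key for the user cache. The backing store here is a process-local dictionary, chosen so the code runs offline; anything that persists these bytes outside the process (Redis, SQL, disk) must encrypt them first, because they contain refresh tokens.

```csharp
using System.Collections.Concurrent;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET sample code. Keeps each cache partition in a
// process-local dictionary keyed by SuggestedCacheKey, so a request only
// loads the partition MSAL is about to read instead of the whole cache.
public sealed class InMemoryPartitionedCache
{
    readonly ConcurrentDictionary<string, byte[]> _store = new();

    // Call once per cache; use a separate instance for AppTokenCache and
    // UserTokenCache so the two populations never share a store.
    public void Bind(ITokenCache cache)
    {
        cache.SetBeforeAccess(BeforeAccess);
        cache.SetAfterAccess(AfterAccess);
    }

    void BeforeAccess(TokenCacheNotificationArgs args)
    {
        // Replace the in-memory contents with this partition only, so tokens
        // from a previously loaded account do not linger in the same process.
        if (args.SuggestedCacheKey is string key && _store.TryGetValue(key, out var blob))
            args.TokenCache.DeserializeMsalV3(blob, shouldClearExistingCache: true);
    }

    void AfterAccess(TokenCacheNotificationArgs args)
    {
        // Write back only when MSAL actually changed something (new token,
        // refreshed token, or removal via RemoveAsync).
        if (args.HasStateChanged && args.SuggestedCacheKey is string key)
            _store[key] = args.TokenCache.SerializeMsalV3();
    }

    public int PartitionCount => _store.Count;
}

// Wiring, with a placeholder client id (assumed, not from the page):
//   var app = ConfidentialClientApplicationBuilder.Create("00000000-0000-0000-0000-000000000000")
//       .WithClientSecret(secretFromKeyVault).Build();
//   new InMemoryPartitionedCache().Bind(app.AppTokenCache);   // filled by AcquireTokenForClient
//   new InMemoryPartitionedCache().Bind(app.UserTokenCache);  // filled by auth-code, OBO and silent calls
```

The `shouldClearExistingCache: true` argument matters in a multi-tenant web app: without it, every partition that has ever been loaded accumulates in the process and a bug elsewhere could hand one user's cached tokens to another.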
ValidateAuthority
Obsolete.

Gets a boolean value telling the application whether the authority needs to be verified against a list of known authorities. The default value is true. It should currently be set to false for Azure AD B2C authorities, as those are customer specific (MSAL.NET cannot maintain a list of known B2C authorities).

(Inherited from IClientApplicationBase)

Methods

AcquireTokenByAuthorizationCode(IEnumerable<String>, String)

Acquires a token from the authority configured in the app using the authorization code previously received from the identity provider using the OAuth 2.0 authorization code flow. See Authorization Code Flow. This flow is usually used in web apps (for instance, ASP.NET and ASP.NET Core web apps) which sign-in users and can request an authorization code. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount) to check the token cache.

AcquireTokenByAuthorizationCodeAsync(String, IEnumerable<String>)
Obsolete.

[V2 API] Acquires a security token from the authority using an authorization code previously received. This method does not look up the token cache, but stores the result in it, so the tokens can later be retrieved with other methods such as AcquireTokenSilentAsync(IEnumerable<String>, IAccount).

AcquireTokenForClient(IEnumerable<String>)

Acquires a token from the authority configured in the app for the confidential client itself (not for a user) using the client credentials flow. See Client Credentials Flow. During this operation MSAL will first search in the cache for an unexpired token before acquiring a new one from Microsoft Entra ID.
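An added example (not MSAL.NET's own sample) of a daemon using AcquireTokenForClient. It assumes an app registration that carries a certificate credential identified by thumbprint, and a downstream resource (Microsoft Graph is used as the placeholder) that grants application permissions; the client id and tenant are placeholders. Two things the method description leaves implicit are shown: the scope for the client credentials flow is always `{resource}/.default`, and the application object must be created once and reused, because AppTokenCache lives on that object and a freshly built object always goes to the STS.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET sample code. Client id, tenant and thumbprint
// are placeholders.
public static class DaemonTokenClient
{
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string TenantId = "contoso.onmicrosoft.com";
    const string CertThumbprint = "0000000000000000000000000000000000000000";

    // Built once per process: the app object owns AppTokenCache.
    static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create(ClientId)
            // A certificate is preferred to a client secret: MSAL signs a
            // client_assertion JWT and the private key never leaves the host.
            .WithCertificate(LoadCertificate(CertThumbprint))
            // Pin the tenant; client credentials cannot use /common.
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count == 1
            ? found[0]
            : throw new InvalidOperationException("daemon certificate not found in store");
    }

    public static async Task<AuthenticationResult> GetGraphAppTokenAsync()
    {
        // App-only scopes are always "{resource}/.default"; MSAL consults
        // AppTokenCache first and only calls the STS on a miss or expiry.
        string[] scopes = { "https://graph.microsoft.com/.default" };
        return await App.AcquireTokenForClient(scopes).ExecuteAsync();
    }

    public static async Task Main()
    {
        var first = await GetGraphAppTokenAsync();
        var second = await GetGraphAppTokenAsync();
        // first: TokenSource.IdentityProvider; second: TokenSource.Cache
        Console.WriteLine($"{first.AuthenticationResultMetadata.TokenSource} / " +
                          $"{second.AuthenticationResultMetadata.TokenSource}, " +
                          $"same token: {first.AccessToken == second.AccessToken}, " +
                          $"expires {first.ExpiresOn:u}");
    }
}
```

AuthenticationResultMetadata.TokenSource is the quickest way to confirm in a log that the cache is actually being hit; a daemon that reports IdentityProvider on every call is usually rebuilding the application object per request.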

AcquireTokenForClientAsync(IEnumerable<String>, Boolean)
Obsolete.

[V2 API] Acquires token from the service for the confidential client. This method attempts to look up valid access token in the cache.

AcquireTokenForClientAsync(IEnumerable<String>)
Obsolete.

[V2 API] Acquires token from the service for the confidential client. This method attempts to look up valid access token in the cache.

AcquireTokenOnBehalfOf(IEnumerable<String>, UserAssertion)

Acquires an access token for this application (usually a web API) from the authority configured in the application, in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. During this operation MSAL will first search in the cache for an unexpired token before acquiring a new one from Microsoft Entra ID. See On-Behalf-Of Flow.
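An added example (not MSAL.NET's own sample) of a web API exchanging the bearer token it received for a token to a downstream API with AcquireTokenOnBehalfOf. It assumes the hosting middleware has already validated the incoming JWT (signature, audience, expiry) before the string reaches this code, since MSAL only forwards the assertion and does not validate it, and it uses a placeholder downstream scope. The failure mode that differs from the other flows is shown: the API cannot show UI, so a MsalUiRequiredException (missing consent, Conditional Access) has to be turned into an error the calling client can act on.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET sample code. The downstream scope is a placeholder.
public sealed class DownstreamCaller
{
    static readonly string[] DownstreamScopes = { "api://00000000-0000-0000-0000-000000000000/.default" };

    readonly IConfidentialClientApplication _app;

    public DownstreamCaller(IConfidentialClientApplication app) => _app = app;

    // validatedIncomingJwt: the raw bearer token of the current request,
    // already checked by the API's authentication middleware.
    public async Task<string> GetDownstreamTokenAsync(string validatedIncomingJwt)
    {
        try
        {
            // The inbound token is the user assertion. MSAL caches the result
            // keyed by that assertion, so repeated requests carrying the same
            // inbound token are served from UserTokenCache until it expires.
            AuthenticationResult result = await _app
                .AcquireTokenOnBehalfOf(DownstreamScopes, new UserAssertion(validatedIncomingJwt))
                .ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException ex)
        {
            // Consent missing or a policy demands interaction. An API cannot
            // interact; surface the claims challenge so the client can
            // re-authenticate with it (typically as a 401 with WWW-Authenticate).
            throw new InteractionRequiredException(ex.ErrorCode, ex.Claims, ex);
        }
    }
}

// Hypothetical exception type used here to carry the challenge to the
// controller layer; not part of MSAL.NET.
public sealed class InteractionRequiredException : Exception
{
    public string ErrorCode { get; }
    public string? Claims { get; }

    public InteractionRequiredException(string errorCode, string? claims, Exception inner)
        : base($"interaction required: {errorCode}", inner)
    {
        ErrorCode = errorCode;
        Claims = claims;
    }
}
```

Never construct the UserAssertion from a token that has not been validated for this API's audience: OBO will happily exchange any token the STS issued, so the audience check in front of this code is what stops a token meant for another API from being laundered through yours.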

AcquireTokenOnBehalfOfAsync(IEnumerable<String>, UserAssertion, String)
Obsolete.

[V3 API] Acquires token using On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of)

AcquireTokenOnBehalfOfAsync(IEnumerable<String>, UserAssertion)
Obsolete.

[V3 API] Acquires token using On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of)

AcquireTokenSilent(IEnumerable<String>, IAccount)

Attempts to acquire an access token for the account from the user token cache, with advanced parameters controlling the network call. See Acquire tokens silently.

(Inherited from IClientApplicationBase)
AcquireTokenSilent(IEnumerable<String>, String)
Obsolete.

In confidential client apps use AcquireTokenSilent(IEnumerable<String>, IAccount) instead.

AcquireTokenSilentAsync(IEnumerable<String>, IAccount, String, Boolean)
Obsolete.

Attempts to acquire an access token for the account from the user token cache, with advanced parameters controlling the network call.

(Inherited from IClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount)
Obsolete.

Attempts to acquire an access token for the account from the user token cache.

(Inherited from IClientApplicationBase)
GetAccountAsync(String)

Get the IAccount by its identifier among the accounts available in the token cache and of the same environment (authority host) as Authority.

(Inherited from IClientApplicationBase)
GetAccountsAsync()
Obsolete.

Use GetAccountAsync(String) in web apps and web APIs, and use a token cache serializer for better security and performance. See https://aka.ms/msal-net-cca-token-cache-serialization.

GetAccountsAsync(String)

Only for Azure AD B2C scenarios, get the IAccount collection by its identifier among the accounts available in the token cache based on the user flow.

(Inherited from IClientApplicationBase)
GetAuthorizationRequestUrl(IEnumerable<String>)

Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in the user's name. The URL targets the /authorize endpoint of the authority configured in the application.
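GetAuthorizationRequestUrl and AcquireTokenByAuthorizationCode (described above) are the two halves of one sign-in; the added example below (not MSAL.NET's own sample) wires them together with the follow-up AcquireTokenSilent call, since the page notes that the code redemption itself never reads the cache. Assumptions: a web app registered with the placeholder redirect URI and a client secret supplied from outside the source tree; the `WithPkce` / `WithPkceCodeVerifier` builder methods, which are present in recent MSAL.NET 4.x releases; and a dictionary standing in for the server-side session that would normally hold `state` and the PKCE verifier.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET sample code. Client id and redirect URI are
// placeholders; _pending and SignedInAccountId stand in for a real session.
public sealed class SignInHandler
{
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string RedirectUri = "https://localhost:5001/signin-oidc";
    static readonly string[] Scopes = { "User.Read" };

    readonly IConfidentialClientApplication _app;
    readonly Dictionary<string, string> _pending = new(); // state -> PKCE verifier
    public string? SignedInAccountId { get; private set; } // home account id

    public SignInHandler(string clientSecret)
    {
        _app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations")
            .WithRedirectUri(RedirectUri)
            .Build();
    }

    // Step 1: build the /authorize URL. `state` ties the callback to this
    // request (CSRF defence); PKCE ties the code to this client instance.
    public async Task<Uri> BeginSignInAsync()
    {
        string state = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        Uri url = await _app.GetAuthorizationRequestUrl(Scopes)
            .WithPkce(out string codeVerifier)
            .WithExtraQueryParameters(new Dictionary<string, string> { ["state"] = state })
            .ExecuteAsync();
        _pending[state] = codeVerifier;
        return url;
    }

    // Step 2: the redirect arrives as ?code=...&state=... Reject an unknown
    // or reused state, then redeem the code exactly once. This call does not
    // consult UserTokenCache; it writes the resulting tokens into it.
    public async Task<AuthenticationResult> CompleteSignInAsync(string code, string state)
    {
        if (!_pending.Remove(state, out string? codeVerifier))
            throw new InvalidOperationException("unknown or replayed state");

        AuthenticationResult result = await _app.AcquireTokenByAuthorizationCode(Scopes, code)
            .WithPkceCodeVerifier(codeVerifier)
            .ExecuteAsync();

        SignedInAccountId = result.Account.HomeAccountId.Identifier;
        return result;
    }

    // Step 3: every later request goes through the cache first. A
    // MsalUiRequiredException means the refresh token is gone or rejected;
    // the only fix is to send the user back to step 1.
    public async Task<string> GetAccessTokenAsync()
    {
        if (SignedInAccountId is null)
            throw new InvalidOperationException("not signed in");

        IAccount? account = await _app.GetAccountAsync(SignedInAccountId);
        if (account is null)
            throw new MsalUiRequiredException("account_not_in_cache", "cache partition missing; sign in again");

        AuthenticationResult result = await _app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        return result.AccessToken;
    }
}
```

Two details worth keeping: the account is looked up by its HomeAccountId identifier rather than by enumerating GetAccountsAsync(), which the page marks obsolete for confidential clients, and the `state` entry is removed before the code is redeemed so a replayed callback cannot redeem twice.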

GetAuthorizationRequestUrlAsync(IEnumerable<String>, String, String, String, IEnumerable<String>, String)
Obsolete.

[V2 API] Gets URL of the authorize endpoint including the query parameters.

GetAuthorizationRequestUrlAsync(IEnumerable<String>, String, String)
Obsolete.

[V2 API] URL of the authorize endpoint including the query parameters.

GetUser(String)
Obsolete.

In MSAL 1.x, returned a user from its identifier. From MSAL 2.x, use GetAccountsAsync() instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from IClientApplicationBase)
Remove(IUser)
Obsolete.

In MSAL 1.x removed a user from the cache. From MSAL 2.x, use RemoveAsync(IAccount) instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from IClientApplicationBase)
RemoveAsync(IAccount)

Removes all tokens in the cache for the specified account.

(Inherited from IClientApplicationBase)

Extension Methods

GetCertificate(IConfidentialClientApplication)

Returns the certificate used to create this ConfidentialClientApplication, if any.
