Microsoft Authentication Library for Java
The Microsoft Authentication Library for Java (also known as MSAL Java or MSAL4J) enables applications to integrate with the Microsoft identity platform. It allows you to sign in users or apps with Microsoft identities (Microsoft Entra ID, Microsoft accounts, and Azure AD B2C accounts) and obtain tokens to call Microsoft APIs such as Microsoft Graph or your own APIs. It is built on the industry-standard OAuth2 and OpenID Connect protocols.
Overview
- Why use MSAL4J?
- Prerequisite: Before using MSAL4J, you must register your applications with Microsoft Entra ID.
- To start using MSAL4J, instantiate and configure the client application.
- Learn about the ways to acquire a token using MSAL4J.
- Follow best practices for a robust, enterprise-ready application.
- Refer to the FAQ for common issues and known bugs.
MSAL Java scenarios
MSAL4J can be used by applications to acquire tokens to access protected APIs. Tokens can be acquired by different application types: desktop applications, web applications, web APIs, and applications running on devices that don't have a browser (such as IoT devices). In MSAL4J, applications are categorized as follows:
- Public client applications (desktop and mobile). These types of apps cannot store app secrets securely.
- Confidential client applications (web apps, web APIs, and daemon applications). These types of apps securely store a secret registered with Microsoft Entra ID.
Learn more details about instantiating and configuring the above in the Client applications topic.
MSAL4J supports acquiring tokens either in the name of a user or in the name of the application itself (without a user). In the latter case, a confidential client application must be used.
MSAL4J can be used in applications running on different operating systems (Windows, Linux, macOS).
Key scenarios supported by MSAL4J:
- Web application that signs in users
- Web application signing in a user and calling a Web API in the name of the user
- Desktop application calling a Web API in the name of the signed-in user
- Desktop/service daemon application calling a Web API without a user
- Application without a browser, or IoT application calling an API in the name of the user
Can't find the scenario you are looking for? Check out the supported scenarios and platforms across MSAL libraries.
Releases
Refer to MSAL Java releases on GitHub.