Service-to-service authentication
Web APIs can acquire tokens in the name of a user, leveraging User assertions. Web API cannot have any user interaction, and therefore when a web API (named "Web API #1") needs to call another Web API (named "Web API #2") in the name of a user, it needs to use the On Behalf Of OAuth 2.0 flow.
This flow is a confidential client flow, and therefore the first web API provides client credentials (client secret or certificate), as well as an UserAssertion
. The first web API will receive a bearer token and send it to Microsoft Entra ID by embedding it into a UserAssertion
to request another token to the downstream second Web API.
// This is the confidential client application representing Web Api #1
ConfidentialClientApplication cca =
ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(CLIENT_SECRET)).
authority(AUTHORITY).
build();
// Create an UserAssertion with the access token received from the client application
UserAssertion userAssertion = new UserAssertion(accessToken);
AuthenticationResult result =
cca.acquireToken(
OnBehalfOfParameters.builder(
Scope,
userAssertion).
build()).
get();
Commentaires
https://aka.ms/ContentUserFeedback.
Bientôt disponible : Tout au long de 2024, nous allons supprimer progressivement GitHub Issues comme mécanisme de commentaires pour le contenu et le remplacer par un nouveau système de commentaires. Pour plus d’informations, consultezEnvoyer et afficher des commentaires pour