ConfidentialClientApplication Class

Package:

com.microsoft.aad.msal4j

Maven Artifact:

com.microsoft.azure:msal4j:1.17.2

• java.lang.Object
• • com.microsoft.aad.msal4j.AbstractApplicationBase
  • • com.microsoft.aad.msal4j.AbstractClientApplicationBase
    • • com.microsoft.aad.msal4j.ConfidentialClientApplication

Implements

IConfidentialClientApplication

public class ConfidentialClientApplication
extends AbstractClientApplicationBase
implements IConfidentialClientApplication

Class to be used to acquire tokens for confidential client applications (Web Apps, Web APIs, and daemon applications). For details see IConfidentialClientApplication

Conditionally thread-safe

Field Summary

Modifier and Type	Field and Description
java.util.function.Function<AppTokenProviderParameters,java.util.concurrent.CompletableFuture<TokenProviderResult>>	appTokenProvider AppTokenProvider creates a Credential from a function that provides access tokens.

Method Summary

Modifier and Type	Method and Description
java.util.concurrent.CompletableFuture<IAuthenticationResult>	acquireToken(ClientCredentialParameters parameters) Acquires tokens from the authority configured in the application, for the confidential client itself.
java.util.concurrent.CompletableFuture<IAuthenticationResult>	acquireToken(OnBehalfOfParameters parameters) Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the On-Behalf-Of flow.
static Builder	builder(String clientId, IClientCredential clientCredential) Creates instance of Builder of ConfidentialClientApplication
protected com.nimbusds.oauth2.sdk.auth.ClientAuthentication	clientAuthentication()
protected com.nimbusds.oauth2.sdk.auth.ClientAuthentication	createClientAuthFromClientAssertion(ClientAssertion clientAssertion)
boolean	sendX5c()

Methods inherited from AbstractApplicationBase

connectTimeoutForDefaultHttpClient correlationId httpClient logPii proxy readTimeoutForDefaultHttpClient sslSocketFactory

Methods inherited from AbstractClientApplicationBase

aadAadInstanceDiscoveryResponse acquireToken acquireToken acquireTokenSilently applicationName applicationVersion authority autoDetectRegion azureRegion clientAuthentication clientCapabilities clientId getAccounts getAuthorizationRequestUrl instanceDiscovery removeAccount tokenCache validateAuthority

Methods inherited from java.lang.Object

java.lang.Object.clone java.lang.Object.equals java.lang.Object.finalize java.lang.Object.getClass java.lang.Object.hashCode java.lang.Object.notify java.lang.Object.notifyAll java.lang.Object.toString java.lang.Object.wait java.lang.Object.wait java.lang.Object.wait

Field Details

appTokenProvider

public Function> appTokenProvider

AppTokenProvider creates a Credential from a function that provides access tokens. The function must be concurrency safe. This is intended only to allow the Azure SDK to cache MSI tokens. It isn't useful to applications in general because the token provider must implement all authentication logic.

Method Details

acquireToken

public CompletableFuture acquireToken(ClientCredentialParameters parameters)

Acquires tokens from the authority configured in the application, for the confidential client itself. It will by default attempt to get tokens from the token cache. If no tokens are found, it falls back to acquiring them via client credentials from the STS

Parameters:

parameters

acquireToken

public CompletableFuture acquireToken(OnBehalfOfParameters parameters)

Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the On-Behalf-Of flow. It will by default attempt to get tokens from the token cache. This confidential client application was itself called with an acces token which is provided in the UserAssertion field of OnBehalfOfParameters.

When serializing/deserializing the in-memory token cache to permanent storage, there should be a token cache per incoming access token, where the hash of the incoming access token can be used as the token cache key. Access tokens are usually only valid for a 1 hour period of time, and a new access token in the UserAssertion means there will be a new token cache and new token cache key. To avoid your permanent storage from being filled with expired token caches, an eviction policy should be set. For example, a token cache that is more than a couple of hours old can be deemed expired and therefore evicted from the serialized token cache.

Parameters:

parameters

builder

public static ConfidentialClientApplication.Builder builder(String clientId, IClientCredential clientCredential)

Creates instance of Builder of ConfidentialClientApplication

Parameters:

clientId - Client ID (Application ID) of the application as registered

                     in the application registration portal (portal.azure.com)

clientCredential - The client credential to use for token acquisition.

Returns:

instance of Builder of ConfidentialClientApplication

clientAuthentication

protected ClientAuthentication clientAuthentication()

Overrides:

ConfidentialClientApplication.clientAuthentication()

createClientAuthFromClientAssertion

protected ClientAuthentication createClientAuthFromClientAssertion(ClientAssertion clientAssertion)

Parameters:

clientAssertion

sendX5c

public boolean sendX5c()