OnBehalfOfCredential class

Enables authentication to Microsoft Entra ID using the On Behalf Of flow.

Constructors

OnBehalfOfCredential(OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client getAssertion and an user assertion.

Example using the KeyClient from @azure/keyvault-keys:

const tokenCredential = new OnBehalfOfCredential({
  tenantId,
  clientId,
  getAssertion: () => { return Promise.resolve("my-jwt")},
  userAssertionToken: "access-token"
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
OnBehalfOfCredential(OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with path to a PEM certificate, and an user assertion.

Example using the KeyClient from @azure/keyvault-keys:

const tokenCredential = new OnBehalfOfCredential({
  tenantId,
  clientId,
  certificatePath: "/path/to/certificate.pem",
  userAssertionToken: "access-token"
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
OnBehalfOfCredential(OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client secret and an user assertion.

Example using the KeyClient from @azure/keyvault-keys:

const tokenCredential = new OnBehalfOfCredential({
  tenantId,
  clientId,
  clientSecret,
  userAssertionToken: "access-token"
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");

Methods

getToken(string | string[], GetTokenOptions)

Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

Constructor Details

OnBehalfOfCredential(OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client getAssertion and an user assertion.

Example using the KeyClient from @azure/keyvault-keys:

const tokenCredential = new OnBehalfOfCredential({
  tenantId,
  clientId,
  getAssertion: () => { return Promise.resolve("my-jwt")},
  userAssertionToken: "access-token"
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
new OnBehalfOfCredential(options: OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Parameters

options

OnBehalfOfCredentialAssertionOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions

Optional parameters, generally common across credentials.

OnBehalfOfCredential(OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with path to a PEM certificate, and an user assertion.

Example using the KeyClient from @azure/keyvault-keys:

const tokenCredential = new OnBehalfOfCredential({
  tenantId,
  clientId,
  certificatePath: "/path/to/certificate.pem",
  userAssertionToken: "access-token"
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
new OnBehalfOfCredential(options: OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Parameters

options

OnBehalfOfCredentialCertificateOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions

Optional parameters, generally common across credentials.

OnBehalfOfCredential(OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with a client secret and an user assertion.

Example using the KeyClient from @azure/keyvault-keys:

const tokenCredential = new OnBehalfOfCredential({
  tenantId,
  clientId,
  clientSecret,
  userAssertionToken: "access-token"
});
const client = new KeyClient("vault-url", tokenCredential);

await client.getKey("key-name");
new OnBehalfOfCredential(options: OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions)

Parameters

options

OnBehalfOfCredentialSecretOptions & MultiTenantTokenCredentialOptions & CredentialPersistenceOptions

Optional parameters, generally common across credentials.

Method Details

getToken(string | string[], GetTokenOptions)

Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

function getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>

Parameters

scopes

string | string[]

The list of scopes for which the token will have access.

options
GetTokenOptions

The options used to configure the underlying network requests.

Returns

Promise<AccessToken>