IConfidentialClientApplication Interface

Implements

com.microsoft.aad.msal4j.IClientApplicationBase

public interface IConfidentialClientApplication
extends com.microsoft.aad.msal4j.IClientApplicationBase

Interface representing a confidential client application (Web App, Web API, Daemon App). Confidential client applications are trusted to safely store application secrets, and therefore can be used to acquire tokens in the name of either the application or a user. For details see https://aka.ms/msal4jclientapplications

Method Summary

Modifier and Type Method and Description
abstract java.util.concurrent.CompletableFuture<IAuthenticationResult> acquireToken(ClientCredentialParameters parameters)

Acquires tokens from the authority configured in the application, for the confidential client itself.

abstract java.util.concurrent.CompletableFuture<IAuthenticationResult> acquireToken(OnBehalfOfParameters parameters)

Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the On-Behalf-Of flow.

abstract boolean sendX5c()

Method Details

acquireToken

public abstract CompletableFuture<IAuthenticationResult> acquireToken(ClientCredentialParameters parameters)

Acquires tokens from the authority configured in the application, for the confidential client itself. By default it first attempts to get tokens from the token cache. If no tokens are found, it falls back to acquiring them via client credentials from the STS.

Parameters:

parameters - instance of ClientCredentialParameters

Returns:

CompletableFuture containing an IAuthenticationResult

acquireToken

public abstract CompletableFuture<IAuthenticationResult> acquireToken(OnBehalfOfParameters parameters)

Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the On-Behalf-Of flow. By default it first attempts to get tokens from the token cache. This confidential client application was itself called with an access token, which is provided in the UserAssertion field of OnBehalfOfParameters.

When serializing/deserializing the in-memory token cache to permanent storage, there should be one token cache per incoming access token, and the hash of the incoming access token can be used as the token cache key. Access tokens are usually valid for only 1 hour, and a new access token in the UserAssertion means there will be a new token cache and a new token cache key. To keep your permanent storage from filling up with expired token caches, an eviction policy should be set. For example, a token cache that is more than a couple of hours old can be deemed expired and therefore evicted from the serialized token cache.

Parameters:

parameters - instance of OnBehalfOfParameters

Returns:

CompletableFuture containing an IAuthenticationResult
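
One way to implement the per-access-token cache partitioning and eviction described above, as an added example that is not MSAL4J code. `OboCacheStore` is a hypothetical class, the in-memory map stands in for permanent storage, SHA-256 is an assumed choice of hash, and the maximum age is chosen by the caller (records require Java 16 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store: one serialized token cache per incoming access token. */
public class OboCacheStore {
    private record Entry(String serializedCache, Instant writtenAt) {}
    // Stand-in for permanent storage (database, Redis, ...); an assumption of this example.
    private final Map<String, Entry> storage = new ConcurrentHashMap<>();
    private final Duration maxAge;

    public OboCacheStore(Duration maxAge) { this.maxAge = maxAge; }

    /** Cache key = SHA-256 of the incoming access token, so the raw token never appears as a key. */
    public static String cacheKey(String incomingAccessToken) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(incomingAccessToken.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every Java platform", e);
        }
    }

    public void save(String incomingAccessToken, String serializedCache, Instant now) {
        storage.put(cacheKey(incomingAccessToken), new Entry(serializedCache, now));
    }

    /** Returns the serialized cache, or null if absent or older than maxAge (expired entries are dropped). */
    public String load(String incomingAccessToken, Instant now) {
        String key = cacheKey(incomingAccessToken);
        Entry e = storage.get(key);
        if (e == null) return null;
        if (e.writtenAt().plus(maxAge).isBefore(now)) { storage.remove(key, e); return null; }
        return e.serializedCache();
    }

    /** Eviction sweep: removes every cache older than maxAge and returns how many were removed. */
    public int evictExpired(Instant now) {
        int before = storage.size();
        storage.values().removeIf(e -> e.writtenAt().plus(maxAge).isBefore(now));
        return before - storage.size();
    }
}
```

With `new OboCacheStore(Duration.ofHours(2))`, the string passed to `save` would be the token cache's serialized form and the value returned by `load` would be deserialized back into it, for example from an `ITokenCacheAccessAspect`. The serialized cache contains tokens, so the backing storage needs the same protection as any other credential store.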

sendX5c

public abstract boolean sendX5c()

Returns:

a boolean value which determines whether the x5c claim (public key of the certificate) will be sent to the STS.
