1
votes

In a scenario like this: https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof

I want to authenticate to Azure AD in the back end on behalf of a client instead of a user. I couldn't find an appropriate example in the documentation that fits this case.

So what am I doing?

In the client:

var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(webServiceUri, new ClientCredential(nativeClientId, nativeClientSecret)).GetAwaiter().GetResult();

In the back end service:

var authContext = new AuthenticationContext(authorityUrl);
var result = authContext.AcquireTokenAsync(office365ResourceUri, new ClientAssertion(webClientId, result.AccessToken)).GetAwaiter().GetResult();

This throws the following exception:

AADSTS70002: Client assertion application identifier doesn't match 'client_id' parameter.

It only succeeds when I'm pointing at the same service (referring to itself!) in the back end as from the client:

authContext.AcquireTokenAsync(webServiceUri, new ClientAssertion(nativeClientId, result.AccessToken))

But this doesn't make sense as the service has to go to an Office 365 API.

Anyone have an idea?

1
Did you ever find an answer for this? I'm also attempting to get an OBO token for a client application, not a user. I'm not finding any resources that show how to do this. – Bacon

1 Answer

0
votes

The OAuth 2.0 On-Behalf-Of flow is to propagate the delegated user identity and permissions through the request chain. For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from Azure Active Directory (Azure AD), on behalf of the user.

In your scenario, you could use the client credential flow to acquire a token for the Office 365 API in your service app, without any human interaction such as an interactive sign-on dialog.

Please click here for more details about Authentication Scenarios for Azure AD.
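What the answer describes for the middle-tier service, as an added example (not code from the question, the answer or the linked sample): the service authenticates as itself with ADAL.NET v3's `AcquireTokenAsync(resource, ClientCredential)` instead of forwarding the caller's token as a `ClientAssertion`. `authorityUrl`, `webClientId`, `webClientSecret` and `office365ResourceUri` are assumed placeholders for the service's own app registration and the downstream API.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET v3

public static class DownstreamCaller
{
    // Placeholder values (assumptions, not identifiers from the page); in practice read them from configuration.
    static readonly string authorityUrl = "https://login.microsoftonline.com/{tenant-id}";
    static readonly string webClientId = "{web-api-app-id}";       // the back-end service's own app registration
    static readonly string webClientSecret = "{web-api-secret}";    // its credential, never the client's secret
    static readonly string office365ResourceUri = "https://graph.microsoft.com"; // downstream Office 365 API

    // Client credential flow: the service presents its own client id and secret, so the
    // 'client_id' parameter and the credential always belong to the same application and the
    // AADSTS70002 mismatch from the question cannot occur. The resulting token carries no user
    // identity; the downstream API must have application permissions granted by admin consent.
    public static async Task<string> GetAppOnlyTokenAsync()
    {
        var authContext = new AuthenticationContext(authorityUrl);
        var credential = new ClientCredential(webClientId, webClientSecret);
        // ADAL caches the token per (authority, resource, client) and returns it until it nears expiry.
        AuthenticationResult result = await authContext.AcquireTokenAsync(office365ResourceUri, credential);
        return result.AccessToken;
    }

    // Calls the downstream API with the app-only token as a bearer token.
    public static async Task<string> CallOffice365Async(string relativeUrl)
    {
        string token = await GetAppOnlyTokenAsync();
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await http.GetAsync(office365ResourceUri + relativeUrl);
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

The incoming token from the client (the one acquired with `new ClientCredential(nativeClientId, nativeClientSecret)`) is only used to authenticate the caller to the service; it is not forwarded downstream, so the service should still validate its audience and issuer before acting on the request.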