1
votes

I'm checking out OAuth2, and there is one thing about the On-Behalf-Of flow that I don't understand. The flow looks like this. We have:

  • App1 (frontend)
  • App2 (web API)
  • App3 (data resource (another web API))

Let's say that they are set up like this:

  • App1 - doesn't expose any APIs; needs permission to use "App2Permission"
  • App2 - exposes "App2Permission"; needs permission to use "App3Permission"
  • App3 - exposes "App3Permission"; doesn't need any permissions

Now, when the user goes to App1, it redirects him to the AAD login page, where the user accepts the "App2Permission" that App1 requires. After that, App1 gets an access token for App2. App1 sends a request to App2 (including the access token I just mentioned). App2 receives this request and needs to access App3 to get the actual data. However, that requires "App3Permission" - how does App2 get it? App2 is not an interactive application that is able to show the user a login screen.


1 Answer


2
votes

According to the doc, in the OAuth 2.0 On-Behalf-Of flow the middle-tier service has no user interaction available to obtain the user's consent to access the downstream API (App3 in your case).

Therefore, the option to grant access to the downstream API is presented upfront as part of the consent step during authentication.

To learn how to set this up for your app, see Gaining consent for the middle-tier application.
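To make the mechanics of the answer concrete, here is an added example (not from the question, the answer, or Microsoft's documentation) of what App2 actually sends once consent for App3Permission has already been collected upfront. App2 takes the access token it received from App1 and posts it as an assertion to the tenant's token endpoint with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` and `requested_token_use=on_behalf_of`, asking for a token scoped to App3; no user interaction is involved. All tenant, client and scope identifiers are placeholders, the sample token is constructed and unsigned so the code runs offline, and signature/issuer/expiry validation of the incoming token is assumed to have been done by App2's authentication middleware before this code runs.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Placeholder identifiers (constructed for this example; not from the page).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
APP2_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
APP2_CLIENT_SECRET = "app2-client-secret-placeholder"
APP3_SCOPE = "api://22222222-2222-2222-2222-222222222222/App3Permission"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(aud: str) -> str:
    """Constructed, unsigned stand-in for the token App1 sends to App2.
    Real tokens are signed by AAD; this one exists only so the demo runs offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": aud,
        "scp": "App2Permission",
        "sub": "user-placeholder",
    }).encode())
    return f"{header}.{payload}.dummy-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only. Signature, issuer and expiry validation
    is assumed to have been done by App2's authentication middleware before the
    request reaches this code; this helper never replaces that step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def build_obo_request(incoming_token: str) -> dict:
    """Build the token-endpoint POST App2 sends to trade the caller's token
    for one scoped to App3, using the On-Behalf-Of grant."""
    claims = jwt_claims(incoming_token)
    # Only exchange tokens that were actually issued for App2: the assertion
    # must be a token whose audience is the middle tier itself.
    if claims.get("aud") != APP2_CLIENT_ID:
        raise PermissionError("incoming token was not issued for App2; refusing to exchange it")
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": APP2_CLIENT_ID,
        "client_secret": APP2_CLIENT_SECRET,
        "assertion": incoming_token,      # the token App1 presented to App2
        "scope": APP3_SCOPE,              # what App2 wants to call downstream
        "requested_token_use": "on_behalf_of",
    }
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def obo_form_fields(incoming_token: str) -> dict:
    """Decoded view of the form body, convenient for inspection and tests."""
    body = build_obo_request(incoming_token)["body"]
    return {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    token_from_app1 = make_sample_token(APP2_CLIENT_ID)
    req = build_obo_request(token_from_app1)
    print("POST", req["url"])
    for k, v in obo_form_fields(token_from_app1).items():
        print(f"  {k} = {'***' if k == 'client_secret' else v}")
```

The response to that POST is an ordinary token response whose access token has App3 as its audience; App2 then calls App3 with it. The consent half that the answer links to is configuration rather than code: App2 lists App1 in its `knownClientApplications` so that when the user consents to App1, AAD also asks for the permissions App2 itself requires (App3Permission here), which is why the exchange above needs no login screen.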