Class OnBehalfOfCredentialBuilder
- All Implemented Interfaces:
com.azure.core.client.traits.HttpTrait<OnBehalfOfCredentialBuilder>
OnBehalfOfCredential
.
On Behalf of authentication in Azure is a way for a user or application to authenticate to a service or resource using credentials from another identity provider. This type of authentication is typically used when a user or application wants to access a resource in Azure, but their credentials are managed by a different identity provider, such as an on-premises Active Directory or a third-party identity provider. To use "On Behalf of" authentication in Azure, the user must first authenticate to the identity provider using their credentials. The identity provider then issues a security token that contains information about the user and their permissions. This security token is then passed to Azure, which uses it to authenticate the user or application and grant them access to the requested resource. The OnBehalfOfCredential acquires a token with a client secret/certificate and user assertion for a Microsoft Entra application on behalf of a user principal.
The following code sample demonstrates the creation of a OnBehalfOfCredential
,
using the OnBehalfOfCredentialBuilder
to configure it. The tenantId
,
clientId
and clientSecret
parameters are required to create
OnBehalfOfCredential
. The userAssertion
can be optionally specified on the
OnBehalfOfCredentialBuilder
. Once this credential is created, it may be passed into the
builder of many of the Azure SDK for Java client builders as the 'credential' parameter.
TokenCredential onBehalfOfCredential = new OnBehalfOfCredentialBuilder() .clientId("<app-client-ID>") .clientSecret("<app-Client-Secret>") .tenantId("<app-tenant-ID>") .userAssertion("<user-assertion>") .build();
- See Also:
-
Constructor Summary
ConstructorDescriptionConstructs an instance of OnBehalfOfCredentialBuilder. -
Method Summary
Modifier and TypeMethodDescriptionbuild()
Creates a newOnBehalfOfCredential
with the current configurations.clientCertificatePassword
(String clientCertificatePassword) Sets the password of the client certificate for authenticating to Microsoft Entra ID.clientSecret
(String clientSecret) Sets the client secret for the authentication.pemCertificate
(String pemCertificatePath) Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.pfxCertificate
(String pfxCertificatePath) Sets the path and password of the PFX certificate for authenticating to Microsoft Entra ID.sendCertificateChain
(boolean sendCertificateChain) Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request and enable subject name / issuer based authentication.tokenCachePersistenceOptions
(TokenCachePersistenceOptions tokenCachePersistenceOptions) Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default.userAssertion
(String userAssertion) Configure the User Assertion Scope to be used for OnBehalfOf Authentication request.Methods inherited from class com.azure.identity.AadCredentialBuilderBase
additionallyAllowedTenants, additionallyAllowedTenants, authorityHost, clientId, disableInstanceDiscovery, enableUnsafeSupportLogging, executorService, tenantId
Methods inherited from class com.azure.identity.CredentialBuilderBase
addPolicy, clientOptions, configuration, enableAccountIdentifierLogging, httpClient, httpLogOptions, httpPipeline, maxRetry, pipeline, proxyOptions, retryOptions, retryPolicy, retryTimeout
-
Constructor Details
-
OnBehalfOfCredentialBuilder
public OnBehalfOfCredentialBuilder()Constructs an instance of OnBehalfOfCredentialBuilder.
-
-
Method Details
-
clientSecret
Sets the client secret for the authentication.- Parameters:
clientSecret
- the secret value of the Microsoft Entra application.- Returns:
- An updated instance of this builder.
-
tokenCachePersistenceOptions
public OnBehalfOfCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions) Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default. If configured, the credential will store tokens in a cache persisted to the machine, protected to the current user, which can be shared by other credentials and processes.- Parameters:
tokenCachePersistenceOptions
- the token cache configuration options- Returns:
- An updated instance of this builder with the token cache options configured.
-
pemCertificate
Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.- Parameters:
pemCertificatePath
- the PEM file containing the certificate- Returns:
- An updated instance of this builder.
-
pfxCertificate
Sets the path and password of the PFX certificate for authenticating to Microsoft Entra ID.- Parameters:
pfxCertificatePath
- the password protected PFX file containing the certificate- Returns:
- An updated instance of this builder.
-
clientCertificatePassword
Sets the password of the client certificate for authenticating to Microsoft Entra ID.- Parameters:
clientCertificatePassword
- the password protecting the certificate- Returns:
- An updated instance of this builder.
-
sendCertificateChain
Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request and enable subject name / issuer based authentication. The default value is false.- Parameters:
sendCertificateChain
- the flag to indicate if certificate chain should be sent as part of authentication request.- Returns:
- An updated instance of this builder.
-
userAssertion
Configure the User Assertion Scope to be used for OnBehalfOf Authentication request.- Parameters:
userAssertion
- the user assertion access token to be used for On behalf Of authentication flow- Returns:
- An updated instance of this builder with the user assertion scope configured.
-
build
Creates a newOnBehalfOfCredential
with the current configurations.- Returns:
- a
OnBehalfOfCredential
with the current configurations. - Throws:
IllegalArgumentException
- if eiter both the client secret and certificate are configured or none of them are configured.
-