OnBehalfOfCredentialBuilder Class

public class OnBehalfOfCredentialBuilder
extends AadCredentialBuilderBase<OnBehalfOfCredentialBuilder>

Fluent credential builder for instantiating an OnBehalfOfCredential.

On Behalf of authentication in Azure is a way for a user or application to authenticate to a service or resource using credentials from another identity provider. This type of authentication is typically used when a user or application wants to access a resource in Azure, but their credentials are managed by a different identity provider, such as an on-premises Active Directory or a third-party identity provider.

To use "On Behalf of" authentication in Azure, the user must first authenticate to the identity provider using their credentials. The identity provider then issues a security token that contains information about the user and their permissions. This security token is then passed to Azure, which uses it to authenticate the user or application and grant them access to the requested resource.

The OnBehalfOfCredential acquires a token with a client secret/certificate and user assertion for a Microsoft Entra application on behalf of a user principal.

The following code sample demonstrates the creation of an OnBehalfOfCredential, using the OnBehalfOfCredentialBuilder to configure it. The tenantId, clientId and clientSecret parameters are required to create an OnBehalfOfCredential. The userAssertion can be optionally specified on the OnBehalfOfCredentialBuilder. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

TokenCredential onBehalfOfCredential = new OnBehalfOfCredentialBuilder().clientId("<app-client-ID>")
     .clientSecret("<app-Client-Secret>")
     .tenantId("<app-tenant-ID>")
     .userAssertion("<user-assertion>")
     .build();
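
An added example, not part of the SDK documentation: a middle-tier API builds a per-request OnBehalfOfCredential from the caller's bearer token and a PEM certificate instead of a client secret, then requests a downstream token. The environment variable names and the downstream scope are assumptions, and the incoming token is assumed to have been validated (signature, issuer, audience, expiry) before it is used as the user assertion.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.OnBehalfOfCredentialBuilder;

public final class OboTokenExchange {
    // Assumed downstream scope; replace with the API your app is consented to call.
    private static final String DOWNSTREAM_SCOPE = "https://graph.microsoft.com/.default";

    /** Pulls the bearer token out of an Authorization header, rejecting anything else. */
    static String bearerToken(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            throw new IllegalArgumentException("Authorization header must use the Bearer scheme");
        }
        String token = authorizationHeader.substring(7).trim();
        // A JWT has exactly three dot-separated segments; this is a shape check only.
        if (token.split("\\.", -1).length != 3) {
            throw new IllegalArgumentException("Bearer value is not a JWT");
        }
        return token;
    }

    /** Builds a credential bound to ONE user's assertion; never share it across requests. */
    static TokenCredential credentialFor(String userAssertion) {
        return new OnBehalfOfCredentialBuilder()
            .tenantId(requireEnv("APP_TENANT_ID"))           // hypothetical variable names
            .clientId(requireEnv("APP_CLIENT_ID"))
            .pemCertificate(requireEnv("APP_CERT_PEM_PATH")) // certificate instead of a shared secret
            .userAssertion(userAssertion)
            .build();
    }

    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required setting: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        // DEMO_AUTHORIZATION_HEADER (hypothetical) stands in for the incoming request's
        // Authorization header; a real service reads it from the HTTP request.
        TokenCredential credential = credentialFor(bearerToken(requireEnv("DEMO_AUTHORIZATION_HEADER")));
        AccessToken downstream = credential.getToken(new TokenRequestContext().addScopes(DOWNSTREAM_SCOPE)).block();
        // Log metadata only; the token value itself is a bearer secret.
        System.out.println("Downstream token expires at " + downstream.getExpiresAt());
    }
}
```

Because the user assertion identifies a single user, the credential is created per request here rather than held in a shared field, so one caller's downstream token cannot be served to another.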

Constructor Summary

Constructor Description
OnBehalfOfCredentialBuilder()

Constructs an instance of OnBehalfOfCredentialBuilder.

Method Summary

Modifier and Type Method and Description
OnBehalfOfCredential build()

Creates a new OnBehalfOfCredential with the current configurations.

OnBehalfOfCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier)

Sets the supplier containing the logic to supply the client assertion when invoked.

OnBehalfOfCredentialBuilder clientCertificatePassword(String clientCertificatePassword)

Sets the password of the client certificate for authenticating to Microsoft Entra ID.

OnBehalfOfCredentialBuilder clientSecret(String clientSecret)

Sets the client secret for the authentication.

OnBehalfOfCredentialBuilder pemCertificate(String pemCertificatePath)

Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.

OnBehalfOfCredentialBuilder pfxCertificate(String pfxCertificatePath)

Sets the path and password of the PFX certificate for authenticating to Microsoft Entra ID.

OnBehalfOfCredentialBuilder sendCertificateChain(boolean sendCertificateChain)

Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request and enable subject name / issuer based authentication.

OnBehalfOfCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions)

Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default.

OnBehalfOfCredentialBuilder userAssertion(String userAssertion)

Configure the User Assertion Scope to be used for OnBehalfOf Authentication request.

Methods inherited from AadCredentialBuilderBase

Methods inherited from CredentialBuilderBase

Methods inherited from java.lang.Object

Constructor Details

OnBehalfOfCredentialBuilder

public OnBehalfOfCredentialBuilder()

Constructs an instance of OnBehalfOfCredentialBuilder.

Method Details

build

public OnBehalfOfCredential build()

Creates a new OnBehalfOfCredential with the current configurations.

Returns:

An OnBehalfOfCredential with the current configurations.

clientAssertion

public OnBehalfOfCredentialBuilder clientAssertion(Supplier<String> clientAssertionSupplier)

Sets the supplier containing the logic to supply the client assertion when invoked.

Parameters:

clientAssertionSupplier - the supplier supplying client assertion.

Returns:

An updated instance of this builder.

clientCertificatePassword

public OnBehalfOfCredentialBuilder clientCertificatePassword(String clientCertificatePassword)

Sets the password of the client certificate for authenticating to Microsoft Entra ID.

Parameters:

clientCertificatePassword - the password protecting the certificate

Returns:

An updated instance of this builder.

clientSecret

public OnBehalfOfCredentialBuilder clientSecret(String clientSecret)

Sets the client secret for the authentication.

Parameters:

clientSecret - the secret value of the Microsoft Entra application.

Returns:

An updated instance of this builder.

pemCertificate

public OnBehalfOfCredentialBuilder pemCertificate(String pemCertificatePath)

Sets the path of the PEM certificate for authenticating to Microsoft Entra ID.

Parameters:

pemCertificatePath - the PEM file containing the certificate

Returns:

An updated instance of this builder.

pfxCertificate

public OnBehalfOfCredentialBuilder pfxCertificate(String pfxCertificatePath)

Sets the path and password of the PFX certificate for authenticating to Microsoft Entra ID.

Parameters:

pfxCertificatePath - the password protected PFX file containing the certificate

Returns:

An updated instance of this builder.

sendCertificateChain

public OnBehalfOfCredentialBuilder sendCertificateChain(boolean sendCertificateChain)

Specifies if the x5c claim (public key of the certificate) should be sent as part of the authentication request and enable subject name / issuer based authentication. The default value is false.

Parameters:

sendCertificateChain - the flag to indicate if certificate chain should be sent as part of authentication request.

Returns:

An updated instance of this builder.

tokenCachePersistenceOptions

public OnBehalfOfCredentialBuilder tokenCachePersistenceOptions(TokenCachePersistenceOptions tokenCachePersistenceOptions)

Configures the persistent shared token cache options and enables the persistent token cache which is disabled by default. If configured, the credential will store tokens in a cache persisted to the machine, protected to the current user, which can be shared by other credentials and processes.

Parameters:

tokenCachePersistenceOptions - the token cache configuration options

Returns:

An updated instance of this builder with the token cache options configured.

userAssertion

public OnBehalfOfCredentialBuilder userAssertion(String userAssertion)

Configure the User Assertion Scope to be used for OnBehalfOf Authentication request.

Parameters:

userAssertion - the user assertion access token to be used for the On Behalf Of authentication flow

Returns:

An updated instance of this builder with the user assertion scope configured.
