ConfidentialClientApplication Class

Definition

Class to be used for confidential client applications (web apps, web APIs, and daemon applications).

public sealed class ConfidentialClientApplication : Microsoft.Identity.Client.ClientApplicationBase, Microsoft.Identity.Client.IByRefreshToken, Microsoft.Identity.Client.IByUsernameAndPassword, Microsoft.Identity.Client.IConfidentialClientApplication, Microsoft.Identity.Client.IConfidentialClientApplicationWithCertificate, Microsoft.Identity.Client.ILongRunningWebApi
type ConfidentialClientApplication = class
    inherit ClientApplicationBase
    interface IConfidentialClientApplication
    interface IClientApplicationBase
    interface IApplicationBase
    interface IConfidentialClientApplicationWithCertificate
    interface IByRefreshToken
    interface ILongRunningWebApi
    interface IByUsernameAndPassword
Public NotInheritable Class ConfidentialClientApplication
Inherits ClientApplicationBase
Implements IByRefreshToken, IByUsernameAndPassword, IConfidentialClientApplication, IConfidentialClientApplicationWithCertificate, ILongRunningWebApi
Inheritance
ConfidentialClientApplication
Implements

Remarks

Confidential client applications are typically applications which run on servers (web apps, web API, or even service/daemon applications). They are considered difficult to access, and therefore capable of keeping an application secret (hold configuration time secrets as these values would be difficult for end users to extract). A web app is the most common confidential client. The clientId is exposed through the web browser, but the secret is passed only in the back channel and never directly exposed. For details see https://aka.ms/msal-net-client-applications

Constructors

ConfidentialClientApplication(String, String, ClientCredential, TokenCache, TokenCache)
Obsolete.

[V2 API] Constructor for a confidential client application requesting tokens with the default authority (Microsoft.Identity.Client.ApplicationBase.DefaultAuthority)

ConfidentialClientApplication(String, String, String, ClientCredential, TokenCache, TokenCache)
Obsolete.

[V2 API] Constructor for a confidential client application requesting tokens with a specified authority

Fields

AttemptRegionDiscovery

Instructs MSAL to try to auto discover the Azure region.

Properties

AppConfig

Details on the configuration of the ClientApplication for debugging purposes.

(Inherited from ClientApplicationBase)
AppTokenCache

Application token cache. This case holds access tokens for the application. It's maintained and updated silently if needed when calling AcquireTokenForClient(IEnumerable<String>)

Authority

Gets the URL of the authority, or security token service (STS) from which MSAL.NET will acquire security tokens The return value of this property is either the value provided by the developer in the constructor of the application, or otherwise the value of the Microsoft.Identity.Client.ApplicationBase.DefaultAuthority static member (that is https://login.microsoftonline.com/common/)

(Inherited from ClientApplicationBase)
Certificate

The certificate used to create this ConfidentialClientApplication, if any.

ClientId
Obsolete.

Gets the Client ID (also known as Application ID) of the application as registered in the application registration portal (https://aka.ms/msal-net-register-app) and as passed in the constructor of the application

(Inherited from ClientApplicationBase)
Component
Obsolete.

Identifier of the component (libraries/SDK) consuming MSAL.NET. This will allow for disambiguation between MSAL usage by the app vs MSAL usage by component libraries.

(Inherited from ClientApplicationBase)
RedirectUri
Obsolete.

The redirect URI (also known as Reply URI or Reply URL), is the URI at which Azure AD will contact back the application with the tokens. This redirect URI needs to be registered in the app registration (https://aka.ms/msal-net-register-app). In MSAL.NET, PublicClientApplication define the following default RedirectUri values:

  • https://login.microsoftonline.com/common/oauth2/nativeclient for desktop (.NET Framework and .NET Core) applications
  • msal{ClientId} for Xamarin iOS and Xamarin Android (as this will be used by the system web browser by default on these platforms to call back the application)
These default URIs could change in the future. In Microsoft.Identity.Client.ConfidentialClientApplication, this can be the URL of the web application / web API. (Inherited from ClientApplicationBase)
SliceParameters
Obsolete.

Sets or Gets a custom query parameters that may be sent to the STS for dogfood testing or debugging. This is a string of segments of the form key=value separated by an ampersand character. Unless requested otherwise, this parameter should not be set by application developers as it may have adverse effect on the application.

(Inherited from ClientApplicationBase)
Users
Obsolete.

In MSAL 1.x returned an enumeration of IUser. From MSAL 2.x, use GetAccountsAsync() instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from ClientApplicationBase)
UserTokenCache

User token cache. It holds access tokens, id tokens and refresh tokens for accounts. It's used and updated silently if needed when calling AcquireTokenSilent(IEnumerable<String>, IAccount) or one of the overrides of AcquireTokenSilent(IEnumerable<String>, IAccount). It is updated by each AcquireTokenXXX method, with the exception of AcquireTokenForClient which only uses the application cache (see IConfidentialClientApplication).

(Inherited from ClientApplicationBase)
ValidateAuthority
Obsolete.

Gets/sets a boolean value telling the application if the authority needs to be verified against a list of known authorities. The default value is true. It should currently be set to false for Azure AD B2C authorities as those are customer specific (a list of known B2C authorities cannot be maintained by MSAL.NET). This property can be set just after the construction of the application and before an operation acquiring a token or interacting with the STS.

(Inherited from ClientApplicationBase)

Methods

AcquireTokenByAuthorizationCode(IEnumerable<String>, String)

Acquires a security token from the authority configured in the app using the authorization code previously received from the STS. It uses the OAuth 2.0 authorization code flow (See https://aka.ms/msal-net-authorization-code). It's usually used in web apps (for instance ASP.NET / ASP.NET Core web apps) which sign-in users, and can request an authorization code. This method does not lookup the token cache, but stores the result in it, so it can be looked up using other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount).

AcquireTokenByAuthorizationCodeAsync(String, IEnumerable<String>)
Obsolete.

[V2 API] Acquires a security token from the authority configured in the app using the authorization code previously received from the STS. It uses the OAuth 2.0 authorization code flow (See https://aka.ms/msal-net-authorization-code). It's usually used in web apps (for instance ASP.NET / ASP.NET Core web apps) which sign-in users, and therefore receive an authorization code. This method does not lookup the token cache, but stores the result in it, so it can be looked up using other methods such as AcquireTokenSilentAsync(IEnumerable<String>, IAccount).

AcquireTokenForClient(IEnumerable<String>)

Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user) using the client credentials flow. See https://aka.ms/msal-net-client-credentials.

AcquireTokenForClientAsync(IEnumerable<String>, Boolean)
Obsolete.

[V2 API] Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user) using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)

AcquireTokenForClientAsync(IEnumerable<String>)
Obsolete.

[V3 API] Acquires a token from the authority configured in the app, for the confidential client itself (in the name of no user) using the client credentials flow. (See https://aka.ms/msal-net-client-credentials)

AcquireTokenInLongRunningProcess(IEnumerable<String>, String)

Retrieves an access token from the cache using the provided cache key that can be used to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. See Long-running OBO in MSAL.NET. Use to stop the long running process and remove the associated tokens from the cache.

AcquireTokenOnBehalfOf(IEnumerable<String>, UserAssertion)

Acquires an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. See https://aka.ms/msal-net-on-behalf-of. This confidential client application was itself called with a token which will be provided in the userAssertion parameter.

AcquireTokenOnBehalfOfAsync(IEnumerable<String>, UserAssertion, String)
Obsolete.

[V2 API] Acquires an access token for this application (usually a web API) from a specific authority, in order to access another downstream protected web API on behalf of a user (See https://aka.ms/msal-net-on-behalf-of). This confidential client application was itself called with a token which will be provided in the userAssertion parameter.

AcquireTokenOnBehalfOfAsync(IEnumerable<String>, UserAssertion)
Obsolete.

[V2 API] Acquires an access token for this application (usually a web API) from the authority configured in the application, in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of). This confidential client application was itself called with a token which will be provided in the userAssertion parameter.

AcquireTokenSilent(IEnumerable<String>, IAccount)

[V3 API] Attempts to acquire an access token for the account from the user token cache. See https://aka.ms/msal-net-acquiretokensilent for more details

(Inherited from ClientApplicationBase)
AcquireTokenSilent(IEnumerable<String>, String)

[V3 API] Attempts to acquire an access token for the IAccount having the Username match the given loginHint, from the user token cache. See https://aka.ms/msal-net-acquiretokensilent for more details

(Inherited from ClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount, String, Boolean)
Obsolete.

[V2 API] Attempts to acquire an access token for the account from the user token cache, with advanced parameters controlling network call.

(Inherited from ClientApplicationBase)
AcquireTokenSilentAsync(IEnumerable<String>, IAccount)
Obsolete.

[V2 API] Attempts to acquire an access token for the account from the user token cache.

(Inherited from ClientApplicationBase)
GetAccountAsync(String, CancellationToken)

Get the IAccount by its identifier among the accounts available in the token cache.

(Inherited from ClientApplicationBase)
GetAccountAsync(String)

Get the IAccount by its identifier among the accounts available in the token cache.

(Inherited from ClientApplicationBase)
GetAccountsAsync()

Returns all the available accounts in the user token cache for the application.

(Inherited from ClientApplicationBase)
GetAccountsAsync(CancellationToken)

Returns all the available accounts in the user token cache for the application.

(Inherited from ClientApplicationBase)
GetAccountsAsync(String, CancellationToken)

Get the IAccount collection by its identifier among the accounts available in the token cache, based on the user flow. This is for Azure AD B2C scenarios.

(Inherited from ClientApplicationBase)
GetAccountsAsync(String)

Get the IAccount collection by its identifier among the accounts available in the token cache, based on the user flow. This is for Azure AD B2C scenarios.

(Inherited from ClientApplicationBase)
GetAuthorizationRequestUrl(IEnumerable<String>)

Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in the user's name. The URL targets the /authorize endpoint of the authority configured in the application. This override enables you to specify a login hint and extra query parameter.

GetAuthorizationRequestUrlAsync(IEnumerable<String>, String, String, String, IEnumerable<String>, String)
Obsolete.

[V2 API] Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in the user's name. The URL targets the /authorize endpoint of the authority specified as the authority parameter. This override enables you to specify a redirectUri, login hint extra query parameters, extra scope to consent (which are not for the same resource as the scopes), and an authority.

GetAuthorizationRequestUrlAsync(IEnumerable<String>, String, String)
Obsolete.

[V2 API] Computes the URL of the authorization request letting the user sign-in and consent to the application accessing specific scopes in the user's name. The URL targets the /authorize endpoint of the authority configured in the application. This override enables you to specify a login hint and extra query parameter.

GetUser(String)
Obsolete.

In MSAL 1.x, return a user from its identifier. From MSAL 2.x, use GetAccountsAsync() instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from ClientApplicationBase)
InitiateLongRunningProcessInWebApi(IEnumerable<String>, String, String)

Acquires an access token for this web API from the authority configured in the application, in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. See Long-running OBO in MSAL.NET. Pass an access token (not an ID token) which was used to call this confidential client application in the userToken parameter. Use to stop the long running process and remove the associated tokens from the cache.

Remove(IUser)
Obsolete.

In MSAL 1.x removed a user from the cache. From MSAL 2.x, use RemoveAsync(IAccount) instead. See https://aka.ms/msal-net-2-released for more details.

(Inherited from ClientApplicationBase)
RemoveAsync(IAccount, CancellationToken)

Removes all tokens in the cache for the specified account.

(Inherited from ClientApplicationBase)
RemoveAsync(IAccount)

Removes all tokens in the cache for the specified account.

(Inherited from ClientApplicationBase)
StopLongRunningProcessInWebApiAsync(String, CancellationToken)

Stops an in-progress long-running on-behalf-of session by removing the tokens associated with the provided cache key. See Long-running OBO in MSAL.NET.

Explicit Interface Implementations

IByRefreshToken.AcquireTokenByRefreshToken(IEnumerable<String>, String)
IByRefreshToken.AcquireTokenByRefreshTokenAsync(IEnumerable<String>, String)
Obsolete.

Acquires an access token from an existing refresh token and stores it and the refresh token into the application user token cache, where it will be available for further AcquireTokenSilentAsync calls. This method can be used in migration to MSAL from ADAL v2 and in various integration scenarios where you have a RefreshToken available. (see https://aka.ms/msal-net-migration-adal2-msal2)

IByUsernameAndPassword.AcquireTokenByUsernamePassword(IEnumerable<String>, String, String)

Acquires a token without user interaction using username and password authentication. This method does not look in the token cache, but stores the result in it. Before calling this method, use other methods such as AcquireTokenSilent(IEnumerable<String>, IAccount) to check the token cache.

IConfidentialClientApplicationWithCertificate.AcquireTokenForClientWithCertificateAsync(IEnumerable<String>, Boolean)
Obsolete.

[V2 API] Acquires token from the service for the confidential client using the client credentials flow. (See https://aka.ms/msal-net-client-credentials) This method attempts to look up valid access token in the cache unlessforceRefresh is true This method enables application developers to achieve easy certificate roll-over in Azure AD: this method will send the public certificate to Azure AD along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy. This saves the application admin from the need to explicitly manage the certificate rollover (either via portal or PowerShell/CLI operation)

IConfidentialClientApplicationWithCertificate.AcquireTokenForClientWithCertificateAsync(IEnumerable<String>)
Obsolete.

[V2 API] Acquires token from the service for the confidential client using the client credentials flow. (See https://aka.ms/msal-net-client-credentials) This method enables application developers to achieve easy certificate roll-over in Azure AD: this method will send the public certificate to Azure AD along with the token request, so that Azure AD can use it to validate the subject name based on a trusted issuer policy. This saves the application admin from the need to explicitly manage the certificate rollover (either via portal or PowerShell/CLI operation)

IConfidentialClientApplicationWithCertificate.AcquireTokenOnBehalfOfWithCertificateAsync(IEnumerable<String>, UserAssertion, String)
Obsolete.

[V2 API] Acquires an access token for this application (usually a web API) from a specific authority, in order to access another downstream protected web API on behalf of a user (See https://aka.ms/msal-net-on-behalf-of). This confidential client application was itself called with a token which will be provided in the This override sends the certificate, which helps certificate rotation in Azure AD userAssertion parameter.

IConfidentialClientApplicationWithCertificate.AcquireTokenOnBehalfOfWithCertificateAsync(IEnumerable<String>, UserAssertion)
Obsolete.

[V2 API] Acquires an access token for this application (usually a web API) from the authority configured in the application, in order to access another downstream protected web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. (See https://aka.ms/msal-net-on-behalf-of). This confidential client application was itself called with a token which will be provided in the userAssertion parameter. This override sends the certificate, which helps certificate rotation in Azure AD

Extension Methods

StopLongRunningProcessInWebApiAsync(ILongRunningWebApi, String, CancellationToken)

Stops an in-progress long-running on-behalf-of session by removing the tokens associated with the provided cache key. See Long-running OBO in MSAL.NET.

GetCertificate(IConfidentialClientApplication)

Returns the certificate used to create this ConfidentialClientApplication, if any.

Applies to