Support for On-Behalf-Of Flow with Managed Service Identity

A very common flow for applications running on Azure and App Services is On-Behalf-Of the user, where the application can exchange an incoming access token, together with its ClientId / ClientSecret, to access another resource as the user. Looking at the current, limited documentation for the MSI API, I only see getting an access token as the application itself.

How / when will the OBO scenario be supported?

I know that you can store the ClientId / ClientSecret in Key Vault and then use MSI credentials to get them, but that seems redundant.

+5
1 answer

MSI does not yet support the On-Behalf-Of flow, or other OAuth 2.0 delegated confidential client flows with Azure AD (for example, the authentication code flow). This is in the design process, and an ETA has not yet been announced.

+2
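
The workaround mentioned in the question (client secret kept in Key Vault, read with the app's MSI token, then used for the On-Behalf-Of exchange), as an added example that is not part of the original question or answer. It assumes the App Service MSI environment variables `MSI_ENDPOINT` / `MSI_SECRET` and the Azure AD v1 token endpoint; the function names and the `cfg` keys (`tenant`, `client_id`, `vault`, `secret_name`) are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # Azure AD v1

def msi_request(resource, env):
    # App Service MSI endpoint: issues a token for the app itself (no user context).
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2017-09-01"})
    return urllib.request.Request(env["MSI_ENDPOINT"] + "?" + query,
                                  headers={"Secret": env["MSI_SECRET"]})

def keyvault_secret_request(vault, name, msi_token):
    # Read the client secret from Key Vault, authenticating with the MSI token.
    url = f"https://{vault}.vault.azure.net/secrets/{name}?api-version=2016-10-01"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + msi_token})

def obo_request(tenant, client_id, client_secret, user_token, resource):
    # On-Behalf-Of: trade the caller's access token plus our own credentials
    # for a token to the downstream resource that keeps the user's identity.
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "assertion": user_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    return urllib.request.Request(AAD_TOKEN_URL.format(tenant=tenant),
                                  data=urllib.parse.urlencode(form).encode())

def send(req):
    # Default transport; replaceable so the chain can be exercised offline.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def token_for_user(cfg, user_token, resource, env=os.environ, send=send):
    # 1) MSI token for Key Vault, 2) fetch the client secret, 3) OBO exchange.
    msi = send(msi_request("https://vault.azure.net", env))["access_token"]
    secret = send(keyvault_secret_request(cfg["vault"], cfg["secret_name"], msi))["value"]
    obo = obo_request(cfg["tenant"], cfg["client_id"], secret, user_token, resource)
    return send(obo)["access_token"]
```

The client secret never appears in application settings, but the app still holds it in memory for the exchange, which is the redundancy the question points at.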

Source: https://habr.com/ru/post/1271825/

