Class OnBehalfOfCredential

Namespace
Azure.Identity
Assembly
Azure.Identity.dll

Enables authentication to Microsoft Entra ID using an On-Behalf-Of flow.

public class OnBehalfOfCredential : TokenCredential
Inheritance
OnBehalfOfCredential

Constructors

OnBehalfOfCredential()

Protected constructor for mocking.

protected OnBehalfOfCredential()

OnBehalfOfCredential(string, string, Func<string>, string, OnBehalfOfCredentialOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with the specified client assertion.

public OnBehalfOfCredential(string tenantId, string clientId, Func<string> clientAssertionCallback, string userAssertion, OnBehalfOfCredentialOptions options = null)

Parameters

tenantId string

The Microsoft Entra tenant (directory) ID of the service principal.

clientId string

The client (application) ID of the service principal.

clientAssertionCallback Func<string>

A synchronous callback returning a valid client assertion used to authenticate the service principal.

userAssertion string

The access token that will be used by OnBehalfOfCredential as the user assertion when requesting On-Behalf-Of tokens.

options OnBehalfOfCredentialOptions

Options for configuring how requests sent to Microsoft Entra ID are managed.

OnBehalfOfCredential(string, string, Func<CancellationToken, Task<string>>, string, OnBehalfOfCredentialOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with the specified client assertion.

public OnBehalfOfCredential(string tenantId, string clientId, Func<CancellationToken, Task<string>> clientAssertionCallback, string userAssertion, OnBehalfOfCredentialOptions options = null)

Parameters

tenantId string

The Microsoft Entra tenant (directory) ID of the service principal.

clientId string

The client (application) ID of the service principal.

clientAssertionCallback Func<CancellationToken, Task<string>>

An asynchronous callback returning a valid client assertion used to authenticate the service principal.

userAssertion string

The access token that will be used by OnBehalfOfCredential as the user assertion when requesting On-Behalf-Of tokens.

options OnBehalfOfCredentialOptions

Options for configuring how requests sent to Microsoft Entra ID are managed.

OnBehalfOfCredential(string, string, X509Certificate2, string)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate.

public OnBehalfOfCredential(string tenantId, string clientId, X509Certificate2 clientCertificate, string userAssertion)

Parameters

tenantId string

The Microsoft Entra tenant (directory) ID of the service principal.

clientId string

The client (application) ID of the service principal.

clientCertificate X509Certificate2

The X509 certificate used to authenticate the service principal.

userAssertion string

The access token that will be used by OnBehalfOfCredential as the user assertion when requesting On-Behalf-Of tokens.

OnBehalfOfCredential(string, string, X509Certificate2, string, OnBehalfOfCredentialOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate against Microsoft Entra ID with the specified certificate.

public OnBehalfOfCredential(string tenantId, string clientId, X509Certificate2 clientCertificate, string userAssertion, OnBehalfOfCredentialOptions options)

Parameters

tenantId string

The Microsoft Entra tenant (directory) ID of the service principal.

clientId string

The client (application) ID of the service principal.

clientCertificate X509Certificate2

The X509 certificate used to authenticate the service principal.

userAssertion string

The access token that will be used by OnBehalfOfCredential as the user assertion when requesting On-Behalf-Of tokens.

options OnBehalfOfCredentialOptions

Options for configuring how requests sent to Microsoft Entra ID are managed.

OnBehalfOfCredential(string, string, string, string)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate with Microsoft Entra ID.

public OnBehalfOfCredential(string tenantId, string clientId, string clientSecret, string userAssertion)

Parameters

tenantId string

The Microsoft Entra tenant (directory) ID of the service principal.

clientId string

The client (application) ID of the service principal.

clientSecret string

A client secret that was generated for the App Registration used to authenticate the client.

userAssertion string

The access token that will be used by OnBehalfOfCredential as the user assertion when requesting On-Behalf-Of tokens.

OnBehalfOfCredential(string, string, string, string, OnBehalfOfCredentialOptions)

Creates an instance of the OnBehalfOfCredential with the details needed to authenticate with Microsoft Entra ID.

public OnBehalfOfCredential(string tenantId, string clientId, string clientSecret, string userAssertion, OnBehalfOfCredentialOptions options)

Parameters

tenantId string

The Microsoft Entra tenant (directory) ID of the service principal.

clientId string

The client (application) ID of the service principal.

clientSecret string

A client secret that was generated for the App Registration used to authenticate the client.

userAssertion string

The access token that will be used by OnBehalfOfCredential as the user assertion when requesting On-Behalf-Of tokens.

options OnBehalfOfCredentialOptions

Options for configuring how requests sent to Microsoft Entra ID are managed.

Methods

GetToken(TokenRequestContext, CancellationToken)

Authenticates with Microsoft Entra ID and returns an access token if successful. Acquired tokens are cached by the credential instance. Token lifetime and refreshing are handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.

public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)

Parameters

requestContext TokenRequestContext

The details of the authentication request.

cancellationToken CancellationToken

A CancellationToken controlling the request lifetime.

Returns

AccessToken

An Azure.Core.AccessToken which can be used to authenticate service client calls.

GetTokenAsync(TokenRequestContext, CancellationToken)

Authenticates with Microsoft Entra ID and returns an access token if successful. Acquired tokens are cached by the credential instance. Token lifetime and refreshing are handled automatically. Where possible, reuse credential instances to optimize cache effectiveness.

public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)

Parameters

requestContext TokenRequestContext

The details of the authentication request.

cancellationToken CancellationToken

A CancellationToken controlling the request lifetime.

Returns

ValueTask<AccessToken>

An Azure.Core.AccessToken which can be used to authenticate service client calls.
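Because userAssertion is fixed in the constructor and tokens are cached by the credential instance, a single instance must only ever serve the user whose token it was built with. The following added example (not code from the Azure SDK or its documentation) reuses instances per user by keying them on a hash of the incoming token. OboTokenBroker, GetDownstreamTokenAsync, Forget and KeyFor are hypothetical names, and the incoming token is assumed to have already been validated by the API's authentication layer.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper, not part of Azure.Identity.
public sealed class OboTokenBroker
{
    private readonly string _tenantId;
    private readonly string _clientId;
    private readonly X509Certificate2 _clientCertificate;

    // One credential per distinct user assertion, so one user's cached
    // downstream token can never be returned for another user's request.
    private readonly ConcurrentDictionary<string, OnBehalfOfCredential> _credentials = new();

    public OboTokenBroker(string tenantId, string clientId, X509Certificate2 clientCertificate)
    {
        _tenantId = tenantId ?? throw new ArgumentNullException(nameof(tenantId));
        _clientId = clientId ?? throw new ArgumentNullException(nameof(clientId));
        _clientCertificate = clientCertificate ?? throw new ArgumentNullException(nameof(clientCertificate));
    }

    public async Task<AccessToken> GetDownstreamTokenAsync(
        string userAccessToken, string[] downstreamScopes, CancellationToken cancellationToken)
    {
        if (string.IsNullOrWhiteSpace(userAccessToken))
            throw new ArgumentException("A validated user access token is required.", nameof(userAccessToken));

        // Reuse the instance for repeat calls carrying the same user token.
        OnBehalfOfCredential credential = _credentials.GetOrAdd(
            KeyFor(userAccessToken),
            _ => new OnBehalfOfCredential(_tenantId, _clientId, _clientCertificate, userAccessToken));

        return await credential.GetTokenAsync(new TokenRequestContext(downstreamScopes), cancellationToken);
    }

    // Call when the incoming token expires or the session ends, so the map does not grow without bound.
    public bool Forget(string userAccessToken) => _credentials.TryRemove(KeyFor(userAccessToken), out _);

    // Fixed-size dictionary key derived from the token (SHA-256, hex encoded).
    private static string KeyFor(string userAccessToken) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(userAccessToken)));
}
```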