Supporting the On-Behalf-of flow with managed service identities


A very common flow for applications running in Azure and App Services is the on-behalf-of flow, where the app can exchange an incoming access token along with its ClientId/ClientSecret to get access to another resource as the user. Looking at the current, limited docs on the MSI API, I only see getting an access token as the app itself.

How/when will the OBO scenario be supported?

I am aware that you could store the ClientId/ClientSecret in Key Vault and then use the MSI creds to retrieve those, but that seems redundant.

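To make the contrast concrete, here is an added example (not code from the question, the answer, or Microsoft's SDKs) that builds the two token requests the question compares: the on-behalf-of exchange against the Azure AD v2.0 token endpoint, which needs the app's own ClientId/ClientSecret plus the user's incoming token, and the app-only request to the App Service MSI endpoint, which needs neither. Tenant, client id, secret, scope and token values are placeholders.

```python
"""Shape of the two token requests the question contrasts (constructed example)."""
import os
from urllib.parse import urlencode

# Grant type that Azure AD expects for an on-behalf-of (OBO) exchange.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def extract_bearer(authorization_header):
    """Pull the bearer token out of an incoming Authorization header, or None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def build_obo_request(tenant, client_id, client_secret, incoming_token, scope):
    """Return (url, form-body dict) for an Azure AD v2.0 on-behalf-of exchange.

    The app proves its own identity with client_id/client_secret and presents the
    user's (already validated) incoming access token as the assertion; the token
    that comes back is for `scope` and is issued as the user, not as the app.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }
    return url, body


def build_msi_request(resource, environ=None):
    """Return (url, headers) for the App Service MSI endpoint.

    There is no client secret in the app's code: the platform injects
    MSI_ENDPOINT and MSI_SECRET, and the token it returns is app-only, which is
    why this endpoint alone cannot produce a delegated (user) token.
    """
    env = os.environ if environ is None else environ
    query = urlencode({"resource": resource, "api-version": "2017-09-01"})
    return f"{env['MSI_ENDPOINT']}?{query}", {"Secret": env["MSI_SECRET"]}
```

The incoming token must have been validated (signature, audience, expiry) by the app's authentication middleware before it is forwarded as an assertion, and the client secret should be loaded from app settings or Key Vault rather than source.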

1 answer

skwan (accepted answer):

MSI does not support the On Behalf Of flow yet, or other delegated confidential client OAuth 2.0 flows with Azure AD (like the auth code flow). It is in the design process; no ETA announced yet.