
On behalf of

Jiri Formacek edited this page Dec 30, 2024 · 2 revisions

The module supports retrieving a token based on a previously issued token (the On-Behalf-Of flow). This is useful for testing authentication flows in multi-tier apps:

  • the user authenticates against the 1st tier with their own credentials and passes the resulting access token to the 1st tier as authentication
  • the 1st tier uses the user's access token as an authenticator to ask for an access token for the 2nd tier

This makes it possible to test how the authentication flow between the tiers is configured before the application code itself is in place.

Note: For details on the On-Behalf-Of flow, see the MS docs.

```powershell
$myTenant = 'mydomain.com'
$myNativeClientId = '<enter appId of client app talking to 1st tier>'
$myFrontendScopes = 'https://mycompany.com/1stTierApp/.default'
$myFrontendAppId = '<enter appId of 1st tier app talking to 2nd tier>'
$myFrontendClientSecret = "<enter client secret of 1st tier app>"
$myBackendScopes = 'https://mycompany.com/2ndTierApp/.default'

#create named factory to get access token for frontend (user signs in interactively)
New-AadAuthenticationFactory -Name Frontend -TenantId $myTenant -RequiredScopes $myFrontendScopes -ClientId $myNativeClientId -AuthMode Interactive
#get access token for frontend app. You can reference factory by name
$frontendAppToken = Get-AadToken -Factory Frontend
#observe claims in access token for frontend app (audience should be the 1st tier)
$frontendAppToken.AccessToken | Test-AadToken -PayloadOnly
#observe claims in Id token for native client app
$frontendAppToken.IdToken | Test-AadToken -PayloadOnly

#create factory to retrieve token as frontend app on behalf of user
#Note: app has to present its client secret/certificate to get on-behalf-of token
New-AadAuthenticationFactory -TenantId $myTenant -RequiredScopes $myBackendScopes -ClientId $myFrontendAppId -ClientSecret $myFrontendClientSecret -Name Backend
#retrieve access token; the user's frontend access token is passed as the assertion
$backendAppToken = Get-AadToken -Factory Backend -UserToken $frontendAppToken.AccessToken
#observe claims in access token for backend app (audience should now be the 2nd tier, same user)
$backendAppToken.AccessToken | Test-AadToken -PayloadOnly
#observe claims in Id token for frontend app
$backendAppToken.IdToken | Test-AadToken -PayloadOnly
```
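As an added example (not part of the module or this wiki page), the following decodes the payloads of the two tokens obtained above and checks the claims an On-Behalf-Of token is expected to carry relative to the incoming user token. Claim names (`tid`, `oid`, `aud`, `azp`/`appid`, `exp`) follow standard Entra ID token formats; the 2nd-tier appId is a placeholder you must fill in.

```powershell
# Added example, not part of the module: compare the claims of the 1st-tier token
# with the On-Behalf-Of token obtained for the 2nd tier. The signature is NOT
# validated here; this only inspects claims for test purposes.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT with three dot-separated parts' }
    # base64url -> base64: swap alphabet and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-OboTokenPair {
    param(
        [Parameter(Mandatory)][string]$UserToken,        # access token for the 1st tier
        [Parameter(Mandatory)][string]$OboToken,         # token obtained on behalf of the user
        [Parameter(Mandatory)][string]$FrontendAppId,    # appId of the 1st tier app
        [Parameter(Mandatory)][string[]]$BackendAudience # acceptable 'aud' values for the 2nd tier
    )
    $u = ConvertFrom-JwtPayload $UserToken
    $o = ConvertFrom-JwtPayload $OboToken
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # Expected shape of an OBO token: same tenant and user as the incoming token,
    # audience of the 2nd tier, requested by the 1st tier app (azp in v2, appid in v1).
    $checks = [ordered]@{
        'same tenant (tid)'         = ($u.tid -eq $o.tid)
        'same user (oid)'           = ($u.oid -eq $o.oid)
        'aud is 2nd tier'           = ($o.aud -in $BackendAudience)
        'audiences differ'          = ($u.aud -ne $o.aud)
        'requested by 1st tier app' = (($o.azp -eq $FrontendAppId) -or ($o.appid -eq $FrontendAppId))
        'OBO token not expired'     = ([long]$o.exp -gt $now)
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

# Usage with the variables from the script above. A v1 token carries the App ID URI
# as 'aud', a v2 token the 2nd-tier appId; accept both (the appId is a placeholder).
$expectedAud = @(($myBackendScopes -replace '/\.default$', ''), '<enter appId of 2nd tier app>')
Test-OboTokenPair -UserToken $frontendAppToken.AccessToken `
                  -OboToken $backendAppToken.AccessToken `
                  -FrontendAppId $myFrontendAppId `
                  -BackendAudience $expectedAud | Format-Table -AutoSize
```

A failed `aud` or `requested by 1st tier app` check usually points at a misconfigured exposed scope or client registration on the 2nd tier rather than at the user token.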