name	msal-client-credentials
description	Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
tags	["msal","client-credentials","daemon","service-to-service","confidential-client","background-service","machine-to-machine"]

Client Credentials Flow Skill

Overview

Client Credentials Flow is used for service-to-service authentication without user involvement. Ideal for daemon applications and background services.

When to Use

Service-to-service authentication
Daemon/background applications
Machine-to-machine communication
No user context needed
Automated processes

Flow Steps

Service authenticates using client credentials (certificate or managed identity)
Service directly calls authorization endpoint with credentials
AAD validates credentials and returns access token
Token cached and used to access APIs as application identity

Agent Actions

Generate Code Snippet

Agent can show code for each credential type:

Standard Certificate: with-certificate.cs
Certificate with SNI: with-certificate-sni.cs
Federated Identity Credentials: with-federated-identity-credentials.cs

Setup Guidance

Reference appropriate credential setup:

Example: Service with Certificate

// Acquire token for service-to-service authentication
public class TokenAcquisitionService
{
    private readonly IConfidentialClientApplication _app;

    public TokenAcquisitionService(string clientId, X509Certificate2 cert)
    {
        // For complete example with static token caching, see: with-certificate.cs
        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithCertificate(cert)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
            .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)  // Enable static token caching
            .Build();
    }

    public async Task<string> GetAccessTokenAsync()
    {
        var result = await _app.AcquireTokenForClient(
            new[] { "resource-uri" })
            .ExecuteAsync();

        return result.AccessToken;
    }
}

Error Resolution

Refer to Troubleshooting Guide

Best Practices

Use Token Caching Strategies - enable static token caching with .WithCacheOptions(CacheOptions.EnableSharedCacheOptions) for optimal performance
Implement Error Handling Patterns
Monitor token acquisition using AuthenticationResultMetadata for cache hit ratios
Rotate certificates periodically (if using certificate-based auth)
Use Federated Identity Credentials with Managed Identity for keyless authentication
For additional caching options and strategies, see Token cache serialization documentation

Explain the Flow

Credential Submission: Service authenticates directly with AAD using certificate or MI
No User Involved: Authentication is machine-to-machine only
Access Grant: AAD validates credentials and issues access token
Token Caching: Token automatically cached for subsequent requests
API Access: Token used to call downstream APIs as application identity

Decision Help

Choose Client Credentials if:

Building daemon/background service
Service-to-service authentication needed
No user context involved
Want simplest flow for automated processes

Avoid if:

Need to access user-scoped resources
User consent required
Need refresh tokens for long-lived sessions

name	msal-client-credentials
description	Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
tags	["msal","client-credentials","daemon","service-to-service","confidential-client","background-service","machine-to-machine"]

Client Credentials Flow Skill

Overview

Client Credentials Flow is used for service-to-service authentication without user involvement. Ideal for daemon applications and background services.

When to Use

Service-to-service authentication
Daemon/background applications
Machine-to-machine communication
No user context needed
Automated processes

Flow Steps

Service authenticates using client credentials (certificate or managed identity)
Service directly calls authorization endpoint with credentials
AAD validates credentials and returns access token
Token cached and used to access APIs as application identity

Agent Actions

Generate Code Snippet

Agent can show code for each credential type:

Standard Certificate: with-certificate.cs
Certificate with SNI: with-certificate-sni.cs
Federated Identity Credentials: with-federated-identity-credentials.cs

Setup Guidance

Reference appropriate credential setup:

Example: Service with Certificate

// Acquire token for service-to-service authentication
public class TokenAcquisitionService
{
    private readonly IConfidentialClientApplication _app;

    public TokenAcquisitionService(string clientId, X509Certificate2 cert)
    {
        // For complete example with static token caching, see: with-certificate.cs
        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithCertificate(cert)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
            .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)  // Enable static token caching
            .Build();
    }

    public async Task<string> GetAccessTokenAsync()
    {
        var result = await _app.AcquireTokenForClient(
            new[] { "resource-uri" })
            .ExecuteAsync();

        return result.AccessToken;
    }
}

Error Resolution

Refer to Troubleshooting Guide

Best Practices

Use Token Caching Strategies - enable static token caching with .WithCacheOptions(CacheOptions.EnableSharedCacheOptions) for optimal performance
Implement Error Handling Patterns
Monitor token acquisition using AuthenticationResultMetadata for cache hit ratios
Rotate certificates periodically (if using certificate-based auth)
Use Federated Identity Credentials with Managed Identity for keyless authentication
For additional caching options and strategies, see Token cache serialization documentation

Explain the Flow

Credential Submission: Service authenticates directly with AAD using certificate or MI
No User Involved: Authentication is machine-to-machine only
Access Grant: AAD validates credentials and issues access token
Token Caching: Token automatically cached for subsequent requests
API Access: Token used to call downstream APIs as application identity

Decision Help

Choose Client Credentials if:

Building daemon/background service
Service-to-service authentication needed
No user context involved
Want simplest flow for automated processes

Avoid if:

Need to access user-scoped resources
User consent required
Need refresh tokens for long-lived sessions

msal-client-credentials

Client Credentials Flow Skill

Overview

When to Use

Flow Steps

Agent Actions

Generate Code Snippet

Setup Guidance

Example: Service with Certificate

Error Resolution

Best Practices

Explain the Flow

Decision Help

Mehr aus diesem Repository

Mehr aus diesem Repository

Client Credentials Flow Skill

Overview

When to Use

Flow Steps

Agent Actions

Generate Code Snippet

Setup Guidance

Example: Service with Certificate

Error Resolution

Best Practices

Explain the Flow

Decision Help