What is an On-Behalf-Of (OBO) Token and How to Use It

Introduction

In modern applications, users often delegate access to APIs or services through authentication mechanisms. The On-Behalf-Of (OBO) token is a security feature that allows a service to request access to another service on behalf of a user, using an already authenticated token. This is especially useful in multi-tier applications where a backend service needs to access another protected resource on behalf of an end user.

How Does the On-Behalf-Of Flow Work?

The On-Behalf-Of (OBO) flow is commonly implemented using OAuth 2.0 and OpenID Connect (OIDC). The key concept is that a service can obtain an access token for another service, using the user’s existing authentication.

The typical OBO token flow involves:

  1. User Authentication: The user logs in to the frontend application and receives an access token.
  2. Frontend Calls Backend: The front end sends this access token while making a request to the backend.
  3. Backend Requests a New Token: The backend, instead of using the original token directly, exchanges it for a new OBO token by calling an Identity Provider (IdP) like Azure AD, Auth0, or Okta.
  4. Backend Uses OBO Token: The backend uses the OBO token to access another downstream service securely.

Real-World Scenario: Multi-Tier Web Application

Let's consider a corporate dashboard application where users access company data stored in a secured API via a backend service.

Scenario:

  • A user logs into the dashboard (frontend) using their corporate credentials.
  • The frontend retrieves an access token from the authentication provider (e.g., Azure AD).
  • The frontend calls the backend API, sending the access token.
  • The backend does not have direct access to the user’s corporate data API, so it uses the OBO flow:
    • It exchanges the user’s token for an OBO token.
    • The OBO token is then used to request data from the corporate data API securely.
  • The corporate data API validates the OBO token and returns the requested data.
  • The backend sends the data to the frontend for display.

How to Implement OBO in Azure AD?

Many modern identity providers support the OBO flow. Below is an example of implementing it with Azure Active Directory (Azure AD) using the Microsoft identity platform and the MSAL libraries.

Step 1. Configure API Permissions in Azure AD

  • Register both frontend and backend applications in Azure AD.
  • Assign the necessary API permissions for the backend to access the downstream API.

Step 2. Acquire an Access Token in the Frontend

When a user logs in to the frontend application, obtain an access token:

// Frontend (MSAL.js): silently acquire a token whose audience is the backend API
const result = await msalInstance.acquireTokenSilent({
  account: msalInstance.getActiveAccount(), // the signed-in user
  scopes: ["api://backend/.default"]
});
const token = result.accessToken; // the bearer token sent to the backend

Step 3. Exchange Token for an OBO Token in the Backend

The backend needs to exchange the token for an OBO token:

using Microsoft.Identity.Client;

// Backend (MSAL.NET confidential client): exchange the caller's token for a downstream token
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
    .Create("backend-client-id")
    .WithClientSecret("backend-client-secret") // load from a secret store in practice, not from source
    .WithAuthority(AzureCloudInstance.AzurePublic, "tenant-id")
    .Build();

// userAccessToken is the bearer token the frontend sent; MSAL submits it as the OBO assertion
AuthenticationResult result = await app
    .AcquireTokenOnBehalfOf(new[] { "https://corporate-api/.default" }, new UserAssertion(userAccessToken))
    .ExecuteAsync();

string oboToken = result.AccessToken; // audience: the corporate API

Step 4. Use the OBO Token to Call the API

Once the backend gets the OBO token, it can use it to call the corporate API:

using System.Net.Http.Headers;

// Send the OBO token (audience: corporate API) as the bearer credential; the original user token is never forwarded
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", oboToken);
var response = await httpClient.GetAsync("https://corporate-api/data");
response.EnsureSuccessStatusCode();

Benefits of Using On-Behalf-Of Tokens

  • Security: The backend never forwards the user’s original token; the downstream API receives a token issued for its own audience, so a token meant for the backend cannot be replayed against it.
  • Granular Access Control: APIs can define permissions based on backend roles rather than direct user access.
  • Scalability: Enables microservices and multi-tier applications to securely access downstream services without sharing user credentials.
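To make Step 3 and the security benefit above concrete, here is an added example (not code from the original post): the raw token-endpoint request that the MSAL call performs, and the claim checks the downstream API applies, which reject the frontend’s original token because its audience is the backend. The endpoint and parameter names follow the Microsoft identity platform documentation; the tenant id is a placeholder, and the tokens are constructed, unsigned samples used only to show the claim logic.

```javascript
// Token endpoint of the Microsoft identity platform (tenant id is a placeholder)
const TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token";

// Form body of the OBO exchange: the incoming user token is passed as the JWT-bearer assertion
function buildOboRequestBody({ clientId, clientSecret, userAccessToken, scope }) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    client_id: clientId,
    client_secret: clientSecret,
    assertion: userAccessToken,            // token the frontend sent to the backend
    scope,                                 // e.g. "https://corporate-api/.default"
    requested_token_use: "on_behalf_of",
  }).toString();
}

function b64url(obj) { return Buffer.from(JSON.stringify(obj)).toString("base64url"); }

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Claim checks the downstream API applies after verifying the signature against the
// IdP's JWKS (signature verification is assumed done and omitted here).
function checkDownstreamToken(jwt, { audience, issuer, requiredScope, now }) {
  const c = decodePayload(jwt);
  if (c.aud !== audience) return { ok: false, reason: "wrong audience: " + c.aud };
  if (c.iss !== issuer) return { ok: false, reason: "wrong issuer" };
  if (typeof c.exp !== "number" || c.exp <= now) return { ok: false, reason: "expired" };
  const scopes = (c.scp || "").split(" ");
  if (!scopes.includes(requiredScope)) return { ok: false, reason: "missing scope " + requiredScope };
  return { ok: true, user: c.oid }; // oid is the stable user id across audiences
}

// Constructed sample tokens (header.payload.dummy-signature), same user, different audiences
const ISS = "https://login.microsoftonline.com/{tenant-id}/v2.0";
const NOW = 1700000000;
const header = b64url({ alg: "RS256", typ: "JWT" });
const userToken = `${header}.${b64url({ iss: ISS, aud: "api://backend", oid: "user-1", scp: "access_as_user", exp: NOW + 3600 })}.sig`;
const oboToken  = `${header}.${b64url({ iss: ISS, aud: "https://corporate-api", oid: "user-1", scp: "Data.Read", exp: NOW + 3600 })}.sig`;

// Policy of the corporate data API
const corpApiPolicy = { audience: "https://corporate-api", issuer: ISS, requiredScope: "Data.Read", now: NOW };
```

Running `checkDownstreamToken` with the frontend’s token fails on audience, while the OBO token passes, which is the property the Security benefit relies on.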

Conclusion

The On-Behalf-Of (OBO) token flow is a powerful method for securely delegating access in multi-tier applications. By implementing OBO in OAuth 2.0, developers can enhance security, maintain compliance, and ensure a seamless user experience while accessing downstream services on behalf of users.
