azure-ad-msaladalmsal.js

Can I use acquireTokenByClientCredential with a PublicClientApplication?


I am migrating a NodeJS app from ADAL to MSAL authentication. I am using the API acquireTokenByClientCredential for a PublicClientApplication, but I am not able to get the report. If I use ConfidentialClientApplication it is working fine. I want to know whether there is any reason behind this or whether I am missing anything. Is there any alternative API for service principal authentication in MSAL?


Solution

  • The acquireTokenByClientCredential() function uses the client credentials flow behind the scenes.

    The client credentials flow performs an app-only authentication, i.e., there is no user context involved.

    To perform the app-only authentication, you need to use a client secret or a client assertion, which means that your client should be secured enough to keep this client secret/client assertion - your client should be a confidential client.

    That is why the acquireTokenByClientCredential() function is only available for the ConfidentialClientApplication.

    You can read more about it here:

    Confidential client applications are apps that run on servers (web apps, web API apps, or even service/daemon apps). They're considered difficult to access, and for that reason can keep an application secret. Confidential clients can hold configuration-time secrets. Each instance of the client has a distinct configuration (including client ID and client secret). These values are difficult for end users to extract. A web app is the most common confidential client. The client ID is exposed through the web browser, but the secret is passed only in the back channel and never directly exposed.

    Public client applications are apps that run on devices or desktop computers or in a web browser. They're not trusted to safely keep application secrets, so they only access web APIs on behalf of the user. (They support only public client flows.) Public clients can't hold configuration-time secrets, so they don't have client secrets.

    Check the available methods for the PublicClientApplication and for the ConfidentialClientApplication.
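As an added example (not code from the question, the answer, or the msal-node project), the migrated app-only flow with a ConfidentialClientApplication. It assumes TENANT_ID, CLIENT_ID and CLIENT_SECRET are provided as environment variables and that MSAL_LIVE=1 opts in to a real token request; the helper functions are hypothetical names.

```javascript
// Added example: app-only (client credentials) token acquisition with
// @azure/msal-node. Env vars TENANT_ID, CLIENT_ID, CLIENT_SECRET are assumed.

// Build the config for a confidential client. The client secret is what makes
// the client confidential; a PublicClientApplication has no field for one,
// which is why it exposes no acquireTokenByClientCredential().
function buildConfidentialClientConfig(env) {
  const { TENANT_ID, CLIENT_ID, CLIENT_SECRET } = env;
  if (!TENANT_ID || !CLIENT_ID || !CLIENT_SECRET) {
    throw new Error("TENANT_ID, CLIENT_ID and CLIENT_SECRET must be set");
  }
  return {
    auth: {
      clientId: CLIENT_ID,
      authority: `https://login.microsoftonline.com/${TENANT_ID}`,
      clientSecret: CLIENT_SECRET, // keep this out of source control and client-side bundles
    },
  };
}

// Request an app-only token. `app` is any object that exposes
// acquireTokenByClientCredential(), so the logic can be exercised without the
// library (a stub is used in the test).
async function getAppOnlyToken(app, resource) {
  // Where ADAL took a bare resource URI (acquireTokenWithClientCredentials),
  // MSAL takes scopes; "<resource>/.default" requests the app roles granted
  // to the service principal on that resource.
  const result = await app.acquireTokenByClientCredential({
    scopes: [`${resource}/.default`],
  });
  if (!result || !result.accessToken) {
    throw new Error("no access token returned for app-only request");
  }
  return result.accessToken;
}

// Live run (requires @azure/msal-node installed and real credentials):
//   MSAL_LIVE=1 TENANT_ID=... CLIENT_ID=... CLIENT_SECRET=... node app-only.js
async function main() {
  const { ConfidentialClientApplication } = require("@azure/msal-node");
  const app = new ConfidentialClientApplication(buildConfidentialClientConfig(process.env));
  const token = await getAppOnlyToken(app, "https://graph.microsoft.com");
  console.log(`app-only token acquired (${token.length} chars)`);
}

if (process.env.MSAL_LIVE === "1") {
  main().catch((err) => { console.error(err); process.exit(1); });
}
```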