
Consume internal API on behalf of an employee

This how-to guides you through the steps required to consume an API secured with Entra ID on behalf of an employee:

  1. Configure your application
  2. Acquire token from Entra ID
  3. Consume the API using the token

Prerequisites

Configure your application

Depending on how you communicate with the API you're consuming, configure the appropriate outbound access policies.

Use webproxy for outbound network connectivity from on-premises environments

If you're on-premises, you must enable and use webproxy to access Entra ID.

Acquire token

Exchange the employee's subject token (the access token your application received in the employee's inbound request) for a new token scoped to the API that you want to consume:

Token request
POST ${AZURE_OPENID_CONFIG_TOKEN_ENDPOINT} HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&client_id=${AZURE_APP_CLIENT_ID}
&client_secret=${AZURE_APP_CLIENT_SECRET}
&assertion=<subject_token>
&scope=api://<cluster>.<namespace>.<other-api-app-name>/.default
&requested_token_use=on_behalf_of
Successful response
{
  "access_token" : "eyJ0eX[...]",
  "expires_in" : 3599,
  ...
}

Your application does not need to validate this token: it is issued for the target API, which validates it on receipt. Treat it as an opaque bearer credential and forward it as-is.

Token Caching

The expires_in field denotes the lifetime of the token in seconds.

Cache and reuse the token until it expires to minimize network latency impact.

A safe cache key for on-behalf-of tokens is key = sha256($subject_token + $scope). Including the subject token in the key binds each cached token to one employee, so a token acquired for one user is never reused for another; including the scope keeps tokens for different APIs apart. Evict the entry when expires_in has elapsed (ideally a little earlier, to allow for clock skew and request latency).

Consume API

Once you have acquired the token, you can finally consume the target API.

Use the token in the Authorization header as a Bearer token:

GET /resource HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJraWQ...
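The three steps above (the on-behalf-of exchange, the sha256(subject_token + scope) cache, and the Bearer call to the target API) as one worked example. This is added example code, not code from the original how-to or from the platform; the HTTP transport is injected so it runs offline. The environment variable names and form fields are the ones the how-to shows; `FakeEntraId`, the example scope `api://dev-gcp.team.other-api/.default`, the sample subject tokens and the 30-second safety margin are constructed for this example and are assumptions, not real Entra ID behaviour.

```python
"""Added example (not part of the original how-to or the platform): on-behalf-of
token exchange, per-employee token cache and the downstream Bearer call, with the
HTTP transport injected so it runs offline. ASSUMPTIONS: environment variable
names and form fields are the ones the how-to shows; FakeEntraId, the sample
tokens and the example scope are constructed for this example."""
from __future__ import annotations

import hashlib
import json
import os
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_obo_request(subject_token: str, scope: str, client_id: str,
                      client_secret: str) -> bytes:
    """Form-encoded body of the token request shown in the how-to."""
    return urlencode({
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": subject_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }).encode()


def cache_key(subject_token: str, scope: str) -> str:
    """sha256(subject_token + scope): binds the entry to one employee and one API."""
    return hashlib.sha256((subject_token + scope).encode()).hexdigest()


def urllib_post(url: str, body: bytes) -> dict:
    """Real transport: POST the form to the token endpoint and parse the JSON reply."""
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class OboTokenClient:
    """Exchanges and caches on-behalf-of tokens. It never validates them; the
    target API does that on receipt."""

    def __init__(self, token_endpoint: str, client_id: str, client_secret: str,
                 post: Callable[[str, bytes], dict] = urllib_post,
                 now: Callable[[], float] = time.time, safety_margin: int = 30):
        self._endpoint = token_endpoint
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post
        self._now = now
        self._margin = safety_margin  # assumed margin: stop using a token this long before expiry
        self._cache: Dict[str, Tuple[str, float]] = {}  # key -> (token, expires_at)

    def get_token(self, subject_token: str, scope: str) -> str:
        key = cache_key(subject_token, scope)
        hit = self._cache.get(key)
        if hit is not None and hit[1] > self._now():
            return hit[0]  # cache hit: no round trip to Entra ID
        body = build_obo_request(subject_token, scope, self._client_id, self._client_secret)
        resp = self._post(self._endpoint, body)
        token = resp["access_token"]
        expires_at = self._now() + int(resp["expires_in"]) - self._margin
        self._cache[key] = (token, expires_at)
        return token

    def auth_headers(self, subject_token: str, scope: str) -> Dict[str, str]:
        """Headers for the downstream call: Authorization: Bearer <token>."""
        return {"Authorization": "Bearer " + self.get_token(subject_token, scope)}


class FakeEntraId:
    """Constructed stand-in for the token endpoint; records every exchange."""

    def __init__(self):
        self.calls: list = []

    def __call__(self, url: str, body: bytes) -> dict:
        self.calls.append(body)
        return {"access_token": "obo-token-%d" % len(self.calls),
                "expires_in": 3599, "token_type": "Bearer"}


def from_env(post: Callable[[str, bytes], dict] = urllib_post) -> OboTokenClient:
    """Wire the client from the variables the how-to refers to."""
    return OboTokenClient(os.environ["AZURE_OPENID_CONFIG_TOKEN_ENDPOINT"],
                          os.environ["AZURE_APP_CLIENT_ID"],
                          os.environ["AZURE_APP_CLIENT_SECRET"], post=post)


if __name__ == "__main__":
    fake = FakeEntraId()
    client = OboTokenClient("https://login.example.test/token", "cid", "secret", post=fake)
    scope = "api://dev-gcp.team.other-api/.default"  # constructed example scope
    print(client.auth_headers("employee-subject-jwt", scope))
    print(client.auth_headers("employee-subject-jwt", scope))  # same token, no new exchange
    print(len(fake.calls), "exchange(s) performed")
```

Swap `FakeEntraId` for `urllib_post` (or call `from_env()`) to talk to the real token endpoint; nothing else changes. The cache key deliberately contains the whole subject token rather than a user identifier parsed out of it, so the application never has to decode or trust the inbound token to decide which cached entry to hand back.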

📚 Entra ID reference