The On-Behalf-Of flow is used when an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the user's identity and permissions through the request chain.
At this point, the application has an access token for API A (token A) that carries the user's claims and consent to access the middle-tier web API (API A). Now API A needs to make an authenticated request to the downstream web API (API B).
Now, I'd like to create a web application that will retrieve the user's profile from Microsoft Graph.
1 App Registration
There is no significant difference from the previous post, apart from a few additional steps.
Certificates & secrets
In the left pane of the application, select Certificates & secrets. You then have two options for identifying your web application; here we choose the client secret approach. Keep the secret value at hand: it will be reused in the configuration, and it is no longer visible after a short while.
Make sure your application has the Microsoft Graph User.Read permission (it is present by default).
If not, click the Add a permission button, select the Microsoft Graph icon in the popup page, then select the Delegated permission type for your permission.
After clicking Add permissions, don’t forget to grant admin consent for your tenant.
2 Code configuration
Create an empty MVC web application and modify the appsettings.json file.
Pay attention to the ClientSecret key and the DownstreamApi section.
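The appsettings.json shape referred to above, as an added example rather than the post's own file: the AzureAd section is what Microsoft.Identity.Web reads by default, and the DownstreamApi section supplies the Graph base URL and the delegated scope granted in the app registration. All GUIDs, the domain and the secret value are placeholders to be replaced with the values from your own registration.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "contoso.onmicrosoft.com",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "<client-secret-value-from-portal>",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning"
    }
  },
  "AllowedHosts": "*"
}
```

For local development the ClientSecret value is better kept out of the repository with `dotnet user-secrets set "AzureAd:ClientSecret" "<value>"`, which the configuration system merges over appsettings.json; in production the same key can come from an environment variable or Key Vault without changing the code.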
Modify the Startup.cs file
You need to install the Microsoft.Identity.Web.MicrosoftGraph package first.
Install-Package Microsoft.Identity.Web.MicrosoftGraph -version 0.4.0-preview
GraphServiceClient does most of the work, and it is injected by the runtime.
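The Startup.cs wiring and a controller that consumes the injected GraphServiceClient, written here as an added example and not copied from the post. It assumes the appsettings sections named AzureAd and DownstreamApi, and the builder methods AddMicrosoftIdentityWebAppAuthentication, EnableTokenAcquisitionToCallDownstreamApi, AddMicrosoftGraph and AddInMemoryTokenCaches as exposed by Microsoft.Identity.Web; the 0.4.0-preview package may differ in minor details from this shape.

```csharp
// Startup.cs (added example; assumes Microsoft.Identity.Web and Microsoft.Identity.Web.MicrosoftGraph)
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Graph;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Scopes requested at sign-in. Read from DownstreamApi:Scopes so the
        // scope list lives in exactly one place (assumed section name).
        string[] initialScopes =
            (Configuration.GetValue<string>("DownstreamApi:Scopes") ?? "user.read").Split(' ');

        services.AddMicrosoftIdentityWebAppAuthentication(Configuration)       // reads "AzureAd" incl. ClientSecret
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)      // lets the app redeem tokens for APIs
                .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))  // registers GraphServiceClient for DI
                .AddInMemoryTokenCaches();                                      // per-process token cache

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();

        // Order matters: authentication must run before authorization.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
            endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

// Controllers/HomeController.cs (added example)
[Authorize]
public class HomeController : Controller
{
    private readonly GraphServiceClient _graphServiceClient;

    // The runtime injects the Graph client configured in ConfigureServices.
    public HomeController(GraphServiceClient graphServiceClient) =>
        _graphServiceClient = graphServiceClient;

    // If the cached token lacks the required scope, this attribute turns the
    // resulting MsalUiRequiredException into a sign-in challenge for that scope.
    [AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]
    public async Task<IActionResult> Index()
    {
        // Calls GET https://graph.microsoft.com/v1.0/me with a token obtained
        // on behalf of the signed-in user (delegated User.Read permission).
        User me = await _graphServiceClient.Me.Request().GetAsync();

        ViewData["DisplayName"] = me.DisplayName;
        ViewData["UserPrincipalName"] = me.UserPrincipalName;
        return View();
    }
}
```

AddInMemoryTokenCaches is fine for a single development instance; a load-balanced deployment needs a distributed cache so that the token acquired during sign-in is available to whichever instance serves the Graph call.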
Hit the Debug button or press F5 to run the application; you will see the following.