MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Document differences between On-Behalf-Of flow token requests #121985

Open PSanetra opened 1 week ago

PSanetra commented 1 week ago

Regarding the Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow documentation:

The section Middle-tier access token request enumerates two possible ways to request an access token:

  1. request with shared secret
  2. request with a certificate.

The section does not mention any functional differences between the two requests. In fact, both descriptions of the assertion parameter are exactly the same.

This assumption is wrong: On a request with a certificate the assertion parameter MUST be an app-only token. It cannot be a user token. See error code AADSTS700229.



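Added example, not part of the issue thread or of Microsoft's documentation: it builds the two middle-tier request bodies (shared secret and certificate), reports which form parameters differ, and inspects a candidate `assertion` token locally to tell an app-only token from a user token, the distinction the issue raises. Client id, secret, scope and tokens are constructed placeholders, and the `idtyp`/`scp` classification is an assumed heuristic (`idtyp` is an optional claim and may be absent).

```python
import base64
import json

def obo_body(client_id, assertion, scope, *, secret=None, client_assertion=None):
    """Form body for the middle-tier token request (secret or certificate variant)."""
    if (secret is None) == (client_assertion is None):
        raise ValueError("pass exactly one of secret / client_assertion")
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "requested_token_use": "on_behalf_of",
            "client_id": client_id, "assertion": assertion, "scope": scope}
    if secret is not None:
        body["client_secret"] = secret
    else:
        body["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        body["client_assertion"] = client_assertion  # JWT signed with the app's certificate
    return body

def differing_params(a, b):
    """Parameter names present in only one body or carrying different values."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def jwt_claims(token):
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(token):
    """Heuristic (assumption): idtyp == 'app' marks app-only, scp marks a user token."""
    claims = jwt_claims(token)
    if claims.get("idtyp") == "app":
        return "app-only"
    if "scp" in claims:
        return "user"
    return "unknown"

def fake_jwt(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample tokens (not real Entra ID tokens).
USER_TOKEN = fake_jwt({"aud": "api://middle-tier", "scp": "access_as_user"})
APP_TOKEN = fake_jwt({"aud": "api://middle-tier", "idtyp": "app", "roles": ["Task.Read"]})

if __name__ == "__main__":
    s = obo_body("CLIENT_ID", USER_TOKEN, "api://downstream/.default", secret="SECRET")
    c = obo_body("CLIENT_ID", USER_TOKEN, "api://downstream/.default", client_assertion="SIGNED_JWT")
    print(differing_params(s, c), token_kind(USER_TOKEN), token_kind(APP_TOKEN))
```

Only the client-authentication parameters differ between the two bodies; the `assertion` parameter is the same field in both, so a token-type restriction on it is not visible from the request shape alone.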
PesalaPavan commented 1 week ago

@PSanetra Thanks for your feedback! We will investigate and update as appropriate.

AjayBathini-MSFT commented 5 days ago

@PSanetra Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.