# On-Behalf-Of Flow (OBO)
Used for scenarios where one API needs to call another API on behalf of the user, most often called a Service-to-Service (STS) scenario.

- Token Exchange: Involves exchanging an access token for another access token to call downstream APIs on behalf of the user.
- Security: Ensures secure token handling and appropriate scoping for each service.


Flow Steps:
```css
Client ----> [Authorization Endpoint] ----> (Step 1: Get access_token-for-API_A)
Client ----> [API A] ----> (Step 2: Call API A with access_token-for-API_A)
API A ----> [Authorization Endpoint] ----> (Step 3: Get access_token-for-API_B using the first access_token)
API A ----> [API B] ----> (Step 5: Call API B with access_token-for-API_B)
```

In [None]:
import sys
sys.path.append('../')
import OAuth2_Flows
import pyperclip

### Required Variables Setup
Below we are setting up our variables.

In [None]:
#variables
tenant_id = ''
client_id = ''
scope = 'openid email profile offline_access https://graph.microsoft.com/.default'
response_mode = 'fragment' #'form_post'

The **`assertion`** here will be the `access_token` issued to the middle tier API, this would be API A on the Flow Steps above:

In [None]:
assertion = input('Enter the assertion (access_token): ')

This is the client secret of your application:

In [None]:
client_secret = input('Enter the client secret: ')

Note that you should only be getting back an access_token but I left the others for experimentation.

In [None]:
access_token, refresh_token, id_token = OAuth2_Flows.on_behalf_of_flow(tenant_id, client_id, assertion, scope, client_secret)

In [None]:
print(f'Access Token: {access_token}')
print(f'Refresh Token: {refresh_token}')
print(f'ID Token: {id_token}')

---     

# SAML Token request
If you are working with an API that requires a SAML token, OBO supports that. You have to use the `requested_token_type` with one of the following two values (depending on the application's requirement):
- `tf:params:oauth:token-type:saml2`
- `urn:ietf:params:oauth:token-type:saml1`

The request would be very similar to the one above, except it includes this new parameter:

In [None]:
requested_token_type = 'tf:params:oauth:token-type:saml2'
access_token, refresh_token, id_token = OAuth2_Flows.on_behalf_of_flow(tenant_id, client_id, assertion, scope, client_secret, requested_token_type=requested_token_type)