azuread/msal-client-credentials
.github/skills/msal-client-credentials/SKILL.md
Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
$ install --global
skillsauthnpx skillsauth add azuread/microsoft-authentication-library-for-dotnet msal-client-credentialsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 9:14 AM8.1s1 file scanned
SKILL.md
- name:
- msal-client-credentials
- description:
- Client Credentials Flow for service-to-service (daemon) authentication in MSAL.NET without user involvement
Client Credentials Flow Skill
Overview
Client Credentials Flow is used for service-to-service authentication without user involvement. Ideal for daemon applications and background services.
When to Use
- Service-to-service authentication
- Daemon/background applications
- Machine-to-machine communication
- No user context needed
- Automated processes
Flow Steps
- Service authenticates using client credentials (certificate or managed identity)
- Service directly calls authorization endpoint with credentials
- AAD validates credentials and returns access token
- Token cached and used to access APIs as application identity
Agent Actions
Generate Code Snippet
Agent can show code for each credential type:
- Standard Certificate: with-certificate.cs
- Certificate with SNI: with-certificate-sni.cs
- Federated Identity Credentials: with-federated-identity-credentials.cs
Setup Guidance
Reference appropriate credential setup:
- Certificate Setup
- Certificate with SNI
- Federated Identity Credentials
Example: Service with Certificate
// Acquire token for service-to-service authentication
public class TokenAcquisitionService
{
private readonly IConfidentialClientApplication _app;
public TokenAcquisitionService(string clientId, X509Certificate2 cert)
{
// For complete example with static token caching, see: with-certificate.cs
_app = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithCertificate(cert)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}/v2.0")
.WithCacheOptions(CacheOptions.EnableSharedCacheOptions) // Enable static token caching
.Build();
}
public async Task<string> GetAccessTokenAsync()
{
var result = await _app.AcquireTokenForClient(
new[] { "resource-uri" })
.ExecuteAsync();
return result.AccessToken;
}
}
Error Resolution
Refer to Troubleshooting Guide
Best Practices
- Use Token Caching Strategies - enable static token caching with
.WithCacheOptions(CacheOptions.EnableSharedCacheOptions)for optimal performance - Implement Error Handling Patterns
- Monitor token acquisition using
AuthenticationResultMetadatafor cache hit ratios - Rotate certificates periodically (if using certificate-based auth)
- Use Federated Identity Credentials with Managed Identity for keyless authentication
- For additional caching options and strategies, see Token cache serialization documentation
Explain the Flow
- Credential Submission: Service authenticates directly with AAD using certificate or MI
- No User Involved: Authentication is machine-to-machine only
- Access Grant: AAD validates credentials and issues access token
- Token Caching: Token automatically cached for subsequent requests
- API Access: Token used to call downstream APIs as application identity
Decision Help
Choose Client Credentials if:
- Building daemon/background service
- Service-to-service authentication needed
- No user context involved
- Want simplest flow for automated processes
Avoid if:
- Need to access user-scoped resources
- User consent required
- Need refresh tokens for long-lived sessions
Related Skills
azuread/msal-auth-code-flow
tools
VerifiedTrustedCommunity
Authorization Code Flow for web applications using MSAL.NET confidential client to sign in users and access APIs on their behalf
1,493SKILL.mdUpdated Apr 15, 2026
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,764SKILL.mdUpdated Apr 10, 2026
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026