OnBehalfOf implementation

Author: rayluo

msal/application.py

@@ -639,6 +639,17 @@ def acquire_token_for_client(self, scopes, **kwargs):
                 scope=scopes,  # This grant flow requires no scope decoration
                 **kwargs)
 
-    def acquire_token_on_behalf_of(self, user_assertion, scopes, authority=None):
-        raise NotImplementedError()
+    def acquire_token_on_behalf_of(
+            self, user_assertion, scope, authority=None, policy=''):
+        the_authority = Authority(authority) if authority else self.authority
+        return oauth2.Client(
+            self.client_id, token_endpoint=the_authority.token_endpoint,
+            default_body=self._build_auth_parameters(
+                self.client_credential, the_authority.token_endpoint,
+                self.client_id)
+            )._get_token(  # TODO: Avoid using internal methods
+                "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                assertion=user_assertion, requested_token_use='on_behalf_of',
+                scope=scope,  # This grant flow requires no scope decoration???
+                query={'p': policy} if policy else None)
 

tests/test_application.py

@@ -194,3 +194,12 @@ def test_acquire_token_silent(self):
         self.assertNotEqual(None, at)
         self.assertEqual(self.access_token, at.get('access_token'))
 
+    def test_acquire_token_obo(self):
+        token = self.app.acquire_token_on_behalf_of(
+            self.token['access_token'], self.scope2)
+        error_description = token.get('error_description', "")
+        if 'grant is not supported by this API version' in error_description:
+            raise unittest.SkipTest(
+                "OBO is not yet supported by service: %s" % error_description)
+        self.assertEqual(error_description, "")
+