# Authentication flow for Service Principal using OAuth2 Client Credentials

## Store credentials for SPN A

```{mermaid}
sequenceDiagram
    actor Admin
    participant Secret Client (SPN A)
    participant Entra
    participant DQ API (SPN B)
    participant Database
    Admin ->> Entra: Request access token for DQ API
    Entra ->> Entra: Can this user access DQ API?
    Entra ->> Admin: Access token for DQ API
    Admin ->> DQ API (SPN B): This is the secret for SPN A
    DQ API (SPN B) ->> Database: Store secret for SPN A
```

## Client credential flow (using stored credentials)

```{mermaid}
sequenceDiagram
    participant Secret Client (SPN A)
    participant Entra
    participant DQ API (SPN B)
    participant Database
    participant Databricks
    Secret Client (SPN A) ->> Entra: Request access token for DQ API<br/>using client ID and secret
    Entra ->> Entra: Can this user access DQ API?
    Entra ->> Secret Client (SPN A): Access token for DQ API
    Secret Client (SPN A) ->> DQ API (SPN B): Access token for DQ API
    DQ API (SPN B) ->> Database: Request client secret for SPN A
    Database ->> DQ API (SPN B): Client secret SPN A
    DQ API (SPN B) ->> Entra: Request access token for Databricks,<br/>providing token client ID and secret for SPN A
    Entra ->> DQ API (SPN B): Access token for Databricks for SPN A
    DQ API (SPN B) ->> Databricks: Request data using access token using credentials for SPN A
    Databricks ->> DQ API (SPN B): Data from Databricks API
```
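
The DQ API (SPN B) side of the second diagram, as an added example that is not part of the original document or the project's code: it takes the claims of the caller's token, looks up the stored secret by the client ID in that token, and requests a Databricks token from Entra with the client credentials grant. Assumptions: the token's signature and expiry were validated upstream; `databricks_token_for_caller`, `secret_store`, `api_audience` and the injectable `post` are hypothetical names; the scope uses the Azure Databricks resource application ID.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Application ID of the Azure Databricks resource in Entra.
DATABRICKS_SCOPE = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default"


def http_post_form(url, form):
    """Send a form-encoded POST and return the decoded JSON response."""
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)


def databricks_token_for_caller(claims, tenant, api_audience, secret_store,
                                post=http_post_form):
    """Exchange the caller's identity for a Databricks token (DQ API side).

    claims       -- claims of the caller's token (assumed validated upstream)
    api_audience -- audience Entra issues for DQ API (hypothetical value)
    secret_store -- mapping client ID -> stored secret (the Database)
    """
    # Reject tokens that were issued for a different API.
    if claims.get("aud") != api_audience:
        raise PermissionError("token audience is not DQ API")
    # v2.0 tokens carry the calling app in 'azp', v1.0 tokens in 'appid'.
    client_id = claims.get("azp") or claims.get("appid")
    # Key the lookup on the token's identity, never on a request parameter.
    secret = secret_store.get(client_id)
    if secret is None:
        raise PermissionError("no stored secret for calling client")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
        "scope": DATABRICKS_SCOPE,
    }
    return post(TOKEN_URL.format(tenant=tenant), form)["access_token"]
```

Because the secret lookup is keyed on `azp`/`appid` from the validated token, one client cannot obtain a Databricks token issued under another client's stored credentials.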