DartJ

Reputation: 11

Possible option to integrate Azure AD authentication with an existing Java-based web application hosted in AWS?

We have a mobile application backend running in AWS. The backend is built using Java Spring; the front end supports native iOS, native Android and an AngularJS-based website, and it has its own authentication using email id and password. Now we are planning to integrate our app authentication with our organisation's Active Directory, which is available in Azure AD.

We have an outline idea about Azure portal application creation and using the ADAL library to get a token from Azure. But we are not clear about how we can validate the token at the web service side. Could you please enlighten us about the integration process?

Upvotes: 1

Views: 389

Answers (1)

dstrockis

Reputation: 1193

Unfortunately, Azure AD doesn't have great guidance on securing a web API in Java at this time. However, taking the open-source approach isn't terribly difficult in this case.

Azure AD's access tokens are JWTs, which are essentially just base64 encoded JSON strings with a signature. jwt.io has compiled a nice list of open-source libraries that can be used to validate JWTs (some libraries for generating them too, fyi). The best reference material available at this time is:

  • The claims listed in this token reference article where necessary (ignore the comment about id_tokens only, that's incorrect).
  • The OpenID Connect spec also has some good tidbits on how to validate tokens. You should also make sure to validate the scope claim, which won't be mentioned there.
  • This code sample shows how to take this approach, but it's in .NET. You can follow its patterns for Java.

The hardest part will be robustly fetching, caching, and refreshing the Azure AD public signing keys, making sure your app can handle key rollover. Microsoft's .NET open source library, for instance, refreshes the keys every 24 hours and refreshes them immediately any time signature validation fails. Most JWT libraries won't do that for you. The signing keys are available via Azure AD's OpenID Connect metadata endpoint,

https://login.microsoftonline.com/<tenant-or-common>/.well-known/openid-configuration

The OpenID Connect spec also has information on the format of the data available there.

Upvotes: 2
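The following is an added example, not code from the answer above or from Microsoft, showing what the answer describes end to end in Java: reading the signing keys from the OpenID Connect metadata endpoint, caching them for 24 hours, refreshing them immediately when a signature check fails (key rollover), and then validating the issuer, audience, expiry and scope claims. It assumes the open-source Nimbus JOSE + JWT library (one of the libraries listed on jwt.io), Java 11+ for the HTTP client, and that the API's tenant id, expected audience and required scope are supplied by the caller; the class and method names are my own.

```java
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.net.URI;
import java.net.URL;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Validates Azure AD access tokens presented to a Java web API (hypothetical class). */
public final class AzureAdTokenValidator {

    // Re-fetch the signing keys at least once a day, as the .NET library does.
    private static final Duration KEY_MAX_AGE = Duration.ofHours(24);

    private final String metadataUrl;       // .../<tenant>/.well-known/openid-configuration
    private final String expectedAudience;  // App ID URI or client id the API was registered with
    private final Set<String> requiredScopes;

    private volatile String issuer;         // "issuer" value from the metadata document
    private volatile JWKSet cachedKeys;
    private volatile Instant lastRefresh = Instant.EPOCH;

    public AzureAdTokenValidator(String tenantId, String expectedAudience, Set<String> requiredScopes) {
        // With a single tenant use its id here; "common" returns a templated issuer that
        // cannot be compared with a plain string equality check.
        this.metadataUrl = "https://login.microsoftonline.com/" + tenantId + "/.well-known/openid-configuration";
        this.expectedAudience = expectedAudience;
        this.requiredScopes = requiredScopes;
    }

    /** Returns the validated claims, or throws if any check fails. */
    public JWTClaimsSet validate(String rawToken) throws Exception {
        SignedJWT jwt = SignedJWT.parse(rawToken);
        String kid = jwt.getHeader().getKeyID();

        RSAKey key = lookupKey(kid, false);
        if (key == null || !jwt.verify(new RSASSAVerifier(key.toRSAPublicKey()))) {
            // Unknown kid or bad signature: may be a key rollover, so refresh once and retry.
            key = lookupKey(kid, true);
            if (key == null || !jwt.verify(new RSASSAVerifier(key.toRSAPublicKey()))) {
                throw new SecurityException("signature verification failed");
            }
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        checkClaims(claims);
        return claims;
    }

    private synchronized RSAKey lookupKey(String kid, boolean forceRefresh) throws Exception {
        boolean stale = Duration.between(lastRefresh, Instant.now()).compareTo(KEY_MAX_AGE) > 0;
        if (cachedKeys == null || stale || forceRefresh) {
            refreshKeys();
        }
        JWK jwk = cachedKeys.getKeyByKeyId(kid);
        return jwk instanceof RSAKey ? (RSAKey) jwk : null;
    }

    /** Reads the metadata document, then loads the JWK set it points to via jwks_uri. */
    private void refreshKeys() throws Exception {
        HttpClient http = HttpClient.newHttpClient();
        HttpRequest req = HttpRequest.newBuilder(URI.create(metadataUrl)).GET().build();
        String body = http.send(req, HttpResponse.BodyHandlers.ofString()).body();
        Map<String, Object> metadata = JSONObjectUtils.parse(body);
        issuer = JSONObjectUtils.getString(metadata, "issuer");
        String jwksUri = JSONObjectUtils.getString(metadata, "jwks_uri");
        cachedKeys = JWKSet.load(new URL(jwksUri));
        lastRefresh = Instant.now();
    }

    /** The claim checks the OpenID Connect spec calls for, plus the scope check it omits. */
    private void checkClaims(JWTClaimsSet claims) throws java.text.ParseException {
        Date now = new Date();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(now)) throw new SecurityException("token expired");
        Date nbf = claims.getNotBeforeTime();
        if (nbf != null && nbf.after(now)) throw new SecurityException("token not yet valid");
        if (issuer == null || !issuer.equals(claims.getIssuer()))
            throw new SecurityException("unexpected issuer");
        List<String> aud = claims.getAudience();
        if (aud == null || !aud.contains(expectedAudience))
            throw new SecurityException("token not issued for this API");
        // Azure AD puts delegated scopes in "scp" as a space-separated string.
        String scp = claims.getStringClaim("scp");
        Set<String> granted = scp == null ? Set.of() : Set.of(scp.split(" "));
        if (!granted.containsAll(requiredScopes))
            throw new SecurityException("missing required scope");
    }
}
```

Call `validate(bearerToken)` from a servlet filter or Spring interceptor before the request reaches a controller. Because a bad signature triggers a forced refresh, a production deployment should rate-limit those forced refreshes (for example, at most one per few minutes) so that a flood of forged tokens cannot turn every request into a round trip to the metadata endpoint.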
