Reputation: 1
The real question I could have asked was: why am I only getting an id_token in my response from the authorization endpoint? And it probably would have been best created in an Azure Stack Overflow space.
For context, the original question was more about customization strategy. Further research determined that this was not necessary.
I've been reading through the OAuth2/OIDC features of the Spring Security Reference Guide - 5.7 OAuth 2.0 Login, 31. OAuth 2.0 Login — Advanced Configuration, and the GitHub OAuth2 Login Samples, trying to figure out how to extend or create a custom implementation for Microsoft's Azure OIDC API - Authorize access to web applications using OpenID Connect and Azure Active Directory.
These are observations, and generally what I've seen based on my experiments and what I believe to be true based on the Spring Security behavior and the Microsoft Understanding OpenID Connect Protocol guide documentation.
Azure's sign-in request against the /authorization endpoint has 3 additional nuances that are currently not supported in the Spring Security 5 code base.
I've created a fork to see what enhancements would be needed to support the above. I believe they would be:
spring-security-oauth2-core
  - OAuth2AuthorizationResponseType - to include additional types.
  - OAuth2AuthorizationRequest - to include support for nonce and responseMode
oauth2-client
  - OAuth2AuthorizationRequestRedirectFilter
  - OAuth2AuthorizationRequestUriBuilder
And a mechanism to auto-configure the appropriate options.
The changes to support these parameters at first glance appear to be trivial. However, the classes in Spring Security are final, and thus the extension is much bigger.
Does anyone have any advice on a customization strategy? What would be the recommended approach to creating a customized configuration to support the nuances without replicating the code base?
Upvotes: 0
Views: 1617
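One way to add Azure's extra authorization-request parameter without forking the framework or subclassing its final classes is to wrap the stock resolver and post-process the request it builds. This is an added example, not code from the question or from Spring Security itself; it assumes Spring Security 5.1 through 5.8 (javax.servlet, where `OAuth2AuthorizationRequestResolver` and `OAuth2AuthorizationRequest.from` exist) and that the app is registered with Azure as a web app that accepts `response_mode=form_post`.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Delegates to Spring's default resolver and appends Azure's response_mode parameter.
 * Wire it with http.oauth2Login().authorizationEndpoint().authorizationRequestResolver(...).
 */
public class AzureAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
    private final OAuth2AuthorizationRequestResolver delegate;

    public AzureAuthorizationRequestResolver(ClientRegistrationRepository registrations) {
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(registrations,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return withResponseMode(delegate.resolve(request));
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return withResponseMode(delegate.resolve(request, clientRegistrationId));
    }

    private static OAuth2AuthorizationRequest withResponseMode(OAuth2AuthorizationRequest req) {
        if (req == null) {
            return null; // not a /oauth2/authorization/{id} request; the filter passes it through
        }
        // Keep everything the default resolver generated (state, and in later versions nonce):
        // Spring validates those on the callback, so they must not be replaced here.
        Map<String, Object> extra = new HashMap<>(req.getAdditionalParameters());
        // form_post makes Azure POST the code/id_token to the redirect URI instead of
        // placing them in the URL, keeping them out of browser history and Referer headers.
        extra.put("response_mode", "form_post");
        return OAuth2AuthorizationRequest.from(req).additionalParameters(extra).build();
    }
}
```

Because the form_post callback arrives as a cross-site POST, the CSRF filter (which runs before the login filter) must exempt exactly the redirect URI, e.g. `http.csrf().ignoringAntMatchers("/login/oauth2/code/*")`, and nothing broader.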
Reputation: 1
With juunas' clue ... I realized my issues were related to the fact that I had not created an API scope when I registered my application in the Azure B2C blade. Thus, the issue was not the Spring Security configuration but a result of the missing scope.
Incidentally, the Get Access Token section in Microsoft Understanding OpenID Connect Protocol guide states, "... By including permission scopes in the request and using response_type=code+id_token, the authorize endpoint ensures that the user has consented to the permissions indicated in the scope query parameter, and return your app an authorization code to exchange for an access token."
Per juunas, this happens when response_type=code as well.
Upvotes: 0