JWT and Azure AD to secure Spring Boot Rest API

Question

I have a Spring Boot Rest Api with JWT integration. Currently from Postman, I make a POST request to authenticate endpoint, including username and password, and obtain an access token. But can Azure AD be used along with JWT, instead of hardcoded user details ?

Answer 1

When you obtain token with username and password, that bases on Resource Owner Password Credentials flow. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows.

I'm not sure what you mean about Azure AD with JWT.

If you would like to obtain access token with a signed-in user(not hardcoded user details), auth code flow is better for you. You could also request an access token in Postman.

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

client_id=xxx
&scope=https://graph.microsoft.com/mail.read
&code=<authorization_code from "/authorize" endpoint>
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code

If you would like to obtain access token without users, you could use client credentials flow. In the client credentials flow, permissions are granted directly to the application itself by an administrator, so you must use application permissions.

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

client_id=xxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxx
&grant_type=client_credentials