aha

Reputation: 3759

Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD

I want to add Azure AD as an OAuth2 provider in Spring Boot 2.4. I followed Spring Boot's OAuth2 docs and came up with the following configuration:

spring.security.oauth2.client.provider.azuread.issuer-uri=https://login.microsoftonline.com/<tenant uuid>/v2.0
spring.security.oauth2.client.registration.azuread.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azuread.client-id=<client uuid>
spring.security.oauth2.client.registration.azuread.client-name=Azure AD
spring.security.oauth2.client.registration.azuread.client-secret=<client secret>
spring.security.oauth2.client.registration.azuread.provider=azuread
spring.security.oauth2.client.registration.azuread.scope=openid

Just for completeness, this is my web security configuration:

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .authorizeRequests(a -> a
                .antMatchers("/", "/login", "/error", "/webjars/**").permitAll()
                .anyRequest().authenticated()
            )
            .oauth2Login();
        // @formatter:on
    }
}

When coming back from entering the credentials on https://login.microsoftonline.com, I get the following error:

[invalid_id_token] An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found.

The problem originates in DefaultJWTProcessor.java from Nimbus-JOSE-JWT.

Looking through the requests in Firefox's network inspector, Spring Boot picks up the right URLs from the Issuer URI. I'm at a loss what's going wrong and appreciate any pointers.

Upvotes: 4

Views: 24547

Answers (3)

Gary Archer

Reputation: 29243

Azure AD has some unusual default behaviour - I think this is what you are experiencing:

YOUR PROBLEM CAUSE (I THINK)

  • You are using standard OpenID Connect scopes
  • This causes Azure AD to issue an access token intended for the Graph API
  • This token fails standards based validation in Custom APIs since it is only designed for Graph APIs to use - it is recognisable by the nonce field in the JWT header

WHAT YOU NEED TO DO

  • Expose an API scope such as 'myscope' and use that in your SPA
  • Use the full URN based value of this scope in your web client
  • You will then get a custom OAuth token that Spring can validate - with no nonce field in the JWT header

See my blog post from a couple of years ago for something to compare against.

Upvotes: 4
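A quick way to see which kind of token Azure AD actually handed back is to parse the JOSE header and check for the `nonce` field the answer above mentions. This is an added diagnostic, not code from the answer, from Spring or from Azure; the sample tokens are constructed inline and the `kid`/`nonce` values are placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_jwt_header(token: str) -> dict:
    """Parse only the JOSE header of a compact JWT. No signature check is done;
    this is for diagnosing which token type was issued, not for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        # A nonce in the *header* marks the Graph-style token that a custom
        # API's standard validation rejects, as described in the answer.
        "header_has_nonce": "nonce" in header,
    }


def make_token(header: dict) -> str:
    # Constructed token with a fixed claims set and a dummy signature segment,
    # for header inspection only.
    claims = {"aud": "example-audience", "iss": "https://login.microsoftonline.com/<tenant>/v2.0"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


# Constructed headers modelled on the two shapes the answer contrasts.
GRAPH_STYLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "kid-placeholder", "nonce": "nonce-placeholder"}
CUSTOM_API_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "kid-placeholder"}

if __name__ == "__main__":
    for name, hdr in (("graph-style", GRAPH_STYLE_HEADER), ("custom-api", CUSTOM_API_HEADER)):
        print(name, inspect_jwt_header(make_token(hdr)))
```

Run it against the real access token copied from the browser's network inspector: if `header_has_nonce` is true, the token was minted for Graph and the scope change above is the fix rather than the JWK set.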

Batman Rises

Reputation: 766

Ref - Spring Boot Azure AD (Entra ID) OAuth 2.0 Authentication Example
For a Spring Boot 3 application I had to follow the steps below.
Configure Azure AD (Entra ID) to:

  1. Create User
  2. Create Enterprise Application with Role.
  3. Assign the user the role.

Then create a Spring Boot application with the OAuth2 and Azure AD dependencies. In its application.properties, specify the following:

spring.application.name=ad
spring.cloud.azure.active-directory.enabled=true
spring.cloud.azure.active-directory.profile.tenant-id=tenant-id
spring.cloud.azure.active-directory.credential.client-id=client-id
spring.cloud.azure.active-directory.credential.client-secret=client-secret

If we now start the application and try to access the endpoint, we get the Microsoft login page.

Enter the credentials for the created user. We will then be able to access the endpoint.

Upvotes: 0

bilak

Reputation: 4932

I had a similar problem and, if I remember correctly, there was an issue with scope. I don't know whether this is also your issue, but in any case the following configuration is working for me (note I'm using client credentials, not auth code):

spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            token-uri: https://login.microsoftonline.com/${custom.azure.account.tenant-id}/oauth2/token
        registration:
          azure:
            client-id: ${custom.azure.service-principal.client-id}
            client-secret: ${custom.azure.service-principal.client-secret}
            authorization-grant-type: client_credentials
            scope:
              - https://graph.microsoft.com/.default

Upvotes: 0
