azure-spring-boot/azure-spring-boot-samples/azure-active-directory-spri...
weiping c14e9d3610
Aad faq (#378)
* ignore bin directory

* add faq
2018-07-03 15:47:45 +08:00
src/main remove unnecessary bean definition (#363) 2018-06-22 15:11:10 +08:00
README.md Aad faq (#378) 2018-07-03 15:47:45 +08:00
pom.xml auto configure OAuth2UserService for oauth2 with spring security 5 (#356) 2018-06-12 10:01:43 +08:00

README.md

How to configure

Register your application with your Azure Active Directory Tenant

Follow the guide here.

Configure groups for the sign-in user

To try the authorization behavior of this sample with minimum effort, configure the user and groups in Azure Active Directory, and make the user a member of group1.

Configure application.properties

spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx

azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
# It's suggested that the logged-in user belong to at least one of the groups below
# If not, the logged-in user will not be able to access any of the authorization controller REST APIs
azure.activedirectory.active-directory-groups=group1, group2

How to run

  • Use Maven

    # Under azure-spring-boot project root directory
    mvn clean install -DskipTests
    cd azure-spring-boot-samples
    cd azure-active-directory-spring-boot-backend-sample
    mvn spring-boot:run
    

Check the authentication and authorization

  1. Access http://localhost:8080
  2. Login
  3. Access the group1 Message link; it should succeed
  4. Access the group2 Message link; it should fail with a forbidden error message

Want to take full control over every configuration property

If you want to adjust the configuration properties to meet specific requirements, start from the application.properties below and change it accordingly.

spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
spring.security.oauth2.client.registration.azure.client-name=Azure
spring.security.oauth2.client.registration.azure.provider=azure-oauth-provider
spring.security.oauth2.client.registration.azure.scope=openid, https://graph.microsoft.com/user.read
spring.security.oauth2.client.registration.azure.redirect-uri-template={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.azure.client-authentication-method=basic
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.azure-oauth-provider.authorization-uri=https://login.microsoftonline.com/common/oauth2/authorize
spring.security.oauth2.client.provider.azure-oauth-provider.token-uri=https://login.microsoftonline.com/common/oauth2/token
spring.security.oauth2.client.provider.azure-oauth-provider.user-info-uri=https://login.microsoftonline.com/common/openid/userinfo
spring.security.oauth2.client.provider.azure-oauth-provider.jwk-set-uri=https://login.microsoftonline.com/common/discovery/keys
spring.security.oauth2.client.provider.azure-oauth-provider.user-name-attribute=name

azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
azure.activedirectory.active-directory-groups=group1, group2

FAQ

If the registered application is not multi-tenanted, how do I run this sample?

In this auto-configuration, /common is used as the tenant value by default. According to the Active Directory Sign In Request format, if your application is not multi-tenanted, you have to configure tenant-specific authorization endpoints.

Configure the endpoints with your specific tenant-id by replacing common in your application.properties file:

spring.security.oauth2.client.provider.azure-oauth-provider.authorization-uri=https://login.microsoftonline.com/{your-tenant-id}/oauth2/authorize
spring.security.oauth2.client.provider.azure-oauth-provider.token-uri=https://login.microsoftonline.com/{your-tenant-id}/oauth2/token
spring.security.oauth2.client.provider.azure-oauth-provider.user-info-uri=https://login.microsoftonline.com/{your-tenant-id}/openid/userinfo
spring.security.oauth2.client.provider.azure-oauth-provider.jwk-set-uri=https://login.microsoftonline.com/{your-tenant-id}/discovery/keys
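
The answer above replaces common in four separate properties, so it is easy to update some and leave others on the default. The Python check below is an added example, not part of this sample project: it flags endpoints still on /common, unreplaced {your-tenant-id} placeholders and mismatches with azure.activedirectory.tenant-id. The function names, the multi_tenant flag and the contoso-tenant-id value are constructed for illustration.

```python
# Added example; function names and the sample tenant id are constructed.
from urllib.parse import urlparse

PREFIX = "spring.security.oauth2.client.provider.azure-oauth-provider."
ENDPOINTS = ("authorization-uri", "token-uri", "user-info-uri", "jwk-set-uri")
TENANT_KEY = "azure.activedirectory.tenant-id"
DEFAULT = "https://login.microsoftonline.com/common/"  # unset: default is /common

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_tenant_endpoints(text, multi_tenant=False):
    """Return findings about the tenant path segment of the four endpoints."""
    props = parse_properties(text)
    expected = props.get(TENANT_KEY)
    findings, tenants = [], set()
    for name in ENDPOINTS:
        parsed = urlparse(props.get(PREFIX + name, DEFAULT))
        if parsed.scheme != "https":
            findings.append(f"{name}: endpoint is not https")
        # The tenant is the first path segment: /<tenant>/oauth2/authorize
        tenant = parsed.path.strip("/").split("/")[0]
        tenants.add(tenant)
        if tenant.startswith("{"):
            findings.append(f"{name}: placeholder {tenant} was not replaced")
        elif tenant == "common" and not multi_tenant:
            findings.append(f"{name}: uses /common but the app is single-tenant")
        elif tenant != "common" and expected and tenant != expected:
            findings.append(f"{name}: tenant {tenant} differs from {TENANT_KEY}")
    if len(tenants) > 1:
        findings.append("endpoints do not all point at the same tenant")
    return findings

# Constructed sample: two endpoints updated, the other two left on the default.
SAMPLE = """
azure.activedirectory.tenant-id=contoso-tenant-id
spring.security.oauth2.client.provider.azure-oauth-provider.authorization-uri=https://login.microsoftonline.com/contoso-tenant-id/oauth2/authorize
spring.security.oauth2.client.provider.azure-oauth-provider.token-uri=https://login.microsoftonline.com/contoso-tenant-id/oauth2/token
"""

print("\n".join(check_tenant_endpoints(SAMPLE)))
```
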

Encountering the AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant error.

In the Azure portal, on the app registration manifest page, set oauth2AllowImplicitFlow to true in your application manifest.