This sample illustrates how to use the spring-cloud-azure-starter-active-directory package to work with the OAuth 2.0 and OpenID Connect protocols on Azure. It uses the Microsoft Graph API to retrieve user information.
- Search for and select your tenant in Microsoft Entra ID.
- Under Manage in the same tenant, select App registrations -> New registration.
- Fill in the application name as `webapp`, select Accounts in this organizational directory only, and click the Register button.
- Under the webapp application, select Certificates & secrets -> New client secret, then click the Add button. (Save the secret value here; you will need it later and the portal shows it only once.)
- Under the webapp application, select Authentication -> Add a platform, select the Web platform, set the redirect URI to `http://localhost:8080/login/oauth2/code/`, and click the Configure button.
- Under the webapp application, select API permissions -> Add a permission and select Microsoft Graph. Then search for `Directory.Read.All` under Delegated permissions, check the checkbox, and click the Add permissions button. (`User.Read` is added automatically; keep it.)
- Similarly, add the `user_impersonation` permission under Azure Service Management.
- See Register app and Grant scoped permission for more information about the web app.
To try the authorization behaviour of this sample with minimum effort, configure users and groups in Microsoft Entra ID and add the test user to `group1`.
If you want to use the `id_token` for authorization, the `appRoles` feature of Microsoft Entra ID is supported: the assigned app roles are presented in the `roles` claim of the `id_token`. With the configuration below, a `GrantedAuthority` is generated for each entry of the `roles` claim.
Note:
- The `roles` claim generated from `appRoles` is decorated with the prefix `APPROLE_`.
- When using `appRoles` as the `roles` claim, avoid configuring the group attribute as `roles` at the same time. The latter overrides the claim so that it contains group information instead of `appRoles`. The following configuration in the manifest should be avoided:

```json
"optionalClaims": {
  "idtoken": [{
    "name": "groups",
    "additionalProperties": ["emit_as_roles"]
  }]
}
```
Follow the guide to add app roles in your application.
- In this example you need to create the following `appRoles` in your application's manifest:

```json
"appRoles": [
  {
    "allowedMemberTypes": [ "User" ],
    "displayName": "Admin",
    "id": "2fa848d0-8054-4e11-8c73-7af5f1171001",
    "isEnabled": true,
    "description": "Full admin access",
    "value": "Admin"
  }
]
```

- After you've created the roles, go to your Enterprise Application in the Azure portal, select "Users and groups" and assign the new roles to your users (assignment of roles to groups is not available in the free tier of Microsoft Entra ID).
This is an optional configuration for accessing Resource Server Obo. If you want the webapp to access another resource server (for example Resource Server Obo, Resource Server, or a custom resource server), you can refer to this guide.
- First complete the configuration for Resource Server Obo and make sure it exposes the scope `Obo.WebApiA.ExampleScope`.
- Select API permissions > Add a permission > My APIs, and select the Web API A application name.
- Delegated permissions is selected by default. Select the `Obo.WebApiA.ExampleScope` permission, then select Add permission to complete the process.
- Grant admin consent for the Web API A permissions.
- Enable the `webapiA` client in `application.yml` by uncommenting its entry under `authorization-clients`.
```yaml
# WebapiA is an optional client; with it the web app can access OBO resource servers or other custom servers.
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        credential:
          client-id: ${AZURE_CLIENT_ID}
          client-secret: ${AZURE_CLIENT_SECRET}
        profile:
          tenant-id: ${AZURE_TENANT_ID}
        user-group:
          allowed-group-names: <group1>,<group2>
          allowed-group-ids: <group1-id>,<group2-id> # When 'all' is used, all of the user's group ids are mapped.
        post-logout-redirect-uri: http://localhost:8080
        authorization-clients:
          arm:
            on-demand: true
            scopes: https://management.core.windows.net/user_impersonation
          graph:
            scopes:
              - https://graph.microsoft.com/User.Read
              - https://graph.microsoft.com/Directory.Read.All
#          webapiA:
#            scopes:
#              - ${WEB_API_A_APP_ID_URL}/Obo.WebApiA.ExampleScope
# Only the groups listed above are mapped to authorities unless allowed-group-ids is set to 'all'.
# The logged-in user should belong to at least one of the groups above;
# otherwise the user will not be able to access any of the authorization controller REST APIs.
```
```bash
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application
mvn spring-boot:run
# Or use the command below to enable the Microsoft Entra conditional access filter.
mvn spring-boot:run -Dspring-boot.run.profiles=default,conditional-access
```
- Access http://localhost:8080
- Login
- Access the `Group1 Message` link: success
- Access the `Group2 Message` link: fails with a forbidden error message
- Access the `Admin Message` link: fails with a forbidden error message
- Access the `Graph Client` link: an access token for Microsoft Graph will be acquired, and the content of the customized `OAuth2AuthorizedClient` instance for the Microsoft Graph resource will be displayed.
- Access the `Arm Client` link: the page will be redirected to the consent page for on-demand authorization of the `user_impersonation` permission in the Azure Service Management resource. After clicking Consent, an access token for Azure Service Management will be acquired, and the content of the customized `OAuth2AuthorizedClient` instance for the Azure Service Management resource will be displayed.
- Access the `Obo Client` link: an access token for `webapiA` will be acquired, and the success or failure of accessing `webapiA` will be displayed.
- Access the `Client Credential Client` link: success.
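The controller below is an added example and is not the sample's own code. It shows how the authorities produced by the starter are checked with `@PreAuthorize` (group names become `ROLE_<group name>`, app roles from the `id_token` `roles` claim become `APPROLE_<value>`), and how the `graph` and optional `webapiA` authorization clients configured in `application.yml` are used to call a downstream API with the token the starter acquires. The class name, request paths, the `WEB_API_A_URL` environment variable and the Web API A path are assumptions; the Spring Security and Spring Cloud Azure APIs used are real.

```java
// Added example, not part of the sample. Illustrates the authority names
// produced by spring-cloud-azure-starter-active-directory and the use of
// registered authorization clients. Paths and names are assumptions.
package com.example.webapp;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

import java.util.List;
import java.util.stream.Collectors;

// @EnableMethodSecurity turns on @PreAuthorize (Spring Security 6 / Spring Boot 3).
// In a real project it normally lives on a @Configuration class.
@EnableMethodSecurity
@RestController
public class AuthorizedResourceController {

    private final RestTemplate restTemplate = new RestTemplate();

    // Membership in a group listed under user-group.allowed-group-names is mapped to ROLE_<group name>.
    @PreAuthorize("hasAuthority('ROLE_group1')")
    @GetMapping("/group1")
    public String group1Message() {
        return "group1 message";
    }

    // An appRole assigned to the user arrives in the id_token roles claim and is mapped to APPROLE_<value>.
    // If the manifest emits groups as roles, the roles claim holds group ids instead and this check fails.
    @PreAuthorize("hasAuthority('APPROLE_Admin')")
    @GetMapping("/admin")
    public String adminMessage() {
        return "admin message";
    }

    // Useful when a check unexpectedly returns 403: lists exactly which authorities were mapped.
    @GetMapping("/authorities")
    public List<String> authorities(Authentication authentication) {
        return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .sorted()
                .collect(Collectors.toList());
    }

    // "graph" is the authorization client configured under authorization-clients in application.yml.
    // The starter acquires the token for the configured scopes; the controller only forwards it.
    @GetMapping("/graph/me")
    public String graphMe(@RegisteredOAuth2AuthorizedClient("graph") OAuth2AuthorizedClient graph) {
        return callWithBearer(graph, "https://graph.microsoft.com/v1.0/me");
    }

    // "webapiA" is the optional OBO client. WEB_API_A_URL and the /webapiA/message path are assumed;
    // Web API A exchanges the forwarded token on-behalf-of the signed-in user.
    @GetMapping("/obo")
    public String callWebApiA(@RegisteredOAuth2AuthorizedClient("webapiA") OAuth2AuthorizedClient webApiA) {
        return callWithBearer(webApiA, System.getenv("WEB_API_A_URL") + "/webapiA/message");
    }

    private String callWithBearer(OAuth2AuthorizedClient client, String url) {
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(client.getAccessToken().getTokenValue());
        try {
            ResponseEntity<String> response = restTemplate.exchange(
                    url, HttpMethod.GET, new HttpEntity<>(headers), String.class);
            return response.getBody();
        } catch (HttpClientErrorException e) {
            // A 401/403 here means a token was issued but the downstream API rejected it
            // (missing scope, consent not granted, or wrong audience). Never echo the token back.
            return "downstream call to " + url + " failed: " + e.getStatusCode();
        }
    }
}
```

The `/authorities` endpoint is the quickest way to confirm the mapping: a user in `group1` with the `Admin` app role assigned should see both `ROLE_group1` and `APPROLE_Admin`; if `APPROLE_` entries look like GUIDs, the manifest is emitting groups as roles, which is the conflict described in the note above.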
In your application.yml file:

```yaml
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        profile:
          tenant-id: ${AZURE_TENANT_ID}
```
If you meet the `AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant` error:

In the Azure portal, on the app registration manifest page, set `oauth2AllowImplicitFlow` in your application manifest to `true`. See this issue for details on this workaround.