I am using Azure AD access token instead of default openID connect server (keycloak) to protect the backend REST API. Could you please let me know if i need to make any changes for AuidenceValidator class under package security.oauth2.
Application flow:
UI(React JS) will access the Spring boot API by passing access token.
Please take a look at the ms-identity-java-webapi sample. The msal-obo-sample shows how to validate an access token acquired by MSAL using Spring Security. You will be interested specifically in AADClaimsVerifier and SecurityResourceServerConfig
Related
I have been tasked with integrating Azure Active Directory Authorization into one of our applications and have tried out some of the samples with relative success.
I have a Javascript SPA application (GoogleWebToolkit) that communicates with a Spring REST (not Boot) API. The Rest API is currently secured with Spring Security and login URL username/password etc.
I want to change this to use Azure OAuth2.
Being new to OAuth2 I'm trying to figure out if I should be using either of the following Spring options.
With this option all the configuration is done at the server side, client id,secret
If I do a href from the SPA front end to 'oauth2/authorization/AzureAD' URL, its sends a redirect to the Azure Login page, allows authentication and redirects back to what redirect URL I enter into the Azure AD console configuration. This works to a degree but trying to extract the token and pass it back is not working so far.
http.oauth2Login()
.clientRegistrationRepository(clientRegistrationRepository())
.authorizedClientService(authorizedClientService())
.authorizationEndpoint()
.authorizationRequestResolver(
new CustomAuthorizationRequestResolver(
clientRegistrationRepository(),
#Bean
public ClientRegistration clientRegistration() {
ClientRegistration.Builder builder = ClientRegistration.withRegistrationId("AzureAD");
builder.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST);
builder.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
........................
or
I haven't fully tried this option yet, but I think it involves doing the authorization directly from the SPA javascript front end, put all the values for the client id/secret into the javascript FE etc, and then passing the once acquired token via the Auth header for validation by the server side. Like at https://www.baeldung.com/spring-security-oauth-jwt
.oauth2ResourceServer()
.jwt()
.jwkSetUri("https://login.microsoftonline.com/common/discovery/v2.0/keys");
Could someone confirm where I should be using Option 1 or 2, and if I am understanding things properly?
Your understanding is correct in option 2. As per above scenario, let’s consider Front End Application which is Single Page Application (Java Script) to be OAuth Client App to orchestrate the process of obtaining access token and then grant access to resources from Spring back-end application.
So, here client Application need to be registered in Azure AD to acquire the access token secured by Azure AD.
We recommended MSAL libraries which helps to acquire tokens from the Microsoft identity platform and handle token in many ways to authenticate users and access secured web APIs.
Both the applications (front end and back end) need to register in Azure AD based on the scenario.
Update client-id, tenant-id, redirect URI to front end application configuration file based on application registration in Azure AD.
Back-end application also need to be registered in Azure Ad to secure by Microsoft Identity which can then define the delegated permissions(scopes) your API exposes.
Then business logic needs to add in back-end application to determine what is allowed or prohibited based on these scopes in access token.
To authorize the client request in Spring application:
Users will start by authenticating with a username and password in front end application.
Once authenticated, the client will receive a JWT representing an access token.
The client will include the access token in the authorization header of every request to a secure endpoint.
The resource server will validate the access token and determine if it has the right permissions, using the information within the token.
In this case, Spring serves as resource server and not acquiring any token in the back-end application .
Security Configuration in Spring provides numerous methods to add filters to the HTTP request to authenticate each request.
Here,
http.cors() will allows Cross-Origin Resource Sharing (CORS) checks to succeed.
All the requests need to authenticate before passing to the application(controllers).
Spring application serve as a resource server and authentication should be provided via JWT access tokens and further validate the roles and scopes in the application’s controller using #AllowedRoles annotation.
Our JWT access tokens are signed by Azure AD and application should check if their signature is correct. Azure AD has an endpoint with the public key to do so, which need to configure in spring application.
Also, as mentioned, we will need access token to call the protected back-end application because contents of the token are intended for the resource (back-end API) to perform authentication and authorization.
To validate the token, you can search the keys endpoint in the discovery document and then provide this JSON web key (JWK) endpoint straight away where JWK URI can be found.
# application.properties
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://login.windows.net/common/discovery/keys
Note: The flow would be same to get the access token while integrating with Azure AD. i.e in Spring boot or in spring.
I need a solution for accessing Microsoft graph api with a token which never expires for a multitenant application.
I am using frontend as react and backend as lambda function.
Actual requirement
Need to connect Microsoft app (which will give access to graph api's) with project where same auth will be used by multiple users, same authentication should work until it revoked.
Take OAuth 2.0 auth code grant as an example.
Currently, access token lifetime cannot be configured to be permanent.
Therefore,You can Request an access token
and you can Refresh the access token when it expired.
Following this article : https://cuteprogramming.wordpress.com/2019/01/02/authenticate-an-azure-function-with-azure-active-directory/. I have created an Azure AD Secured Azure Function using a an Azure AD Application (defined by a client id, issuer url, client secret, ..)
But I do not have any idea how to call it from my reactjs code
Do I have to perform to 2 successive http calls : one to get the access token and then a second one to reach my azure function as described in the postman example (in the above article) ?
In this case, the details of the Azure AD Application (client id, secret id,...) can be retrieved from the js code using the browser developer tool and can be then used by anyone to access my azure function. Is it really secure or do I miss something ?
How can I call my azure function from my react application in a secure way (I want my azure function to be only accessible by my react application) ?
Thanks
If you want to access Azure function app projected by Azure AD in react application, please refer to the following steps
Integrate Azure AD auth in your react application with Implicit grant flow. After doing that, when users access your application, they need to enter their AD account to get access token
Client exchanges this accessToken for an 'App Service Token'. It does this by making a POST to https://{app}.azurewebsites.net/.auth/login/aad with the content { "access_token" : "{token from Facebook}" }. This will return back an authenticationToken
Use that authenticationToken in a header named x-zumo-auth. Make all requests to your function app using that header.
For more details, please refer to here. Besides, regarding how to integrate Azure AD, please refer to the sample and here
I'm working on Azure Cosmos DB Feed changer Function. My requirement is in the feed changer function I need to access Web API using AAD authentication.
How should I configure the connection between the Azure Function and Web API using AAD so that the azure function can send the change feed to Web API?
How can I call the Web API in the function code?
Thank You,
Dheeraj
Based on your requirements, I suggest you using MSI(Managed Service Identity) in your azure function app.
You could create an identity here.
Then search the identity in AAD Enterprise Application list,you could find the permissions of it.
Then please refer to this document to obtain the access token and call your web api which is using AAD authentication with that token.
In addition, you could store the secret in Azure Key Vault and get the access token from AKV to call your web api. It support you to manage multiply permissions.
More details ,please refer to this link:https://blogs.msdn.microsoft.com/benjaminperkins/2018/06/13/using-managed-service-identity-msi-with-and-azure-app-service-or-an-azure-function/
On my initial analysis on the fetching the access token from Azure AD using OpenID connect protocol, I came to know that there are two ways to consider
Fetching access token using the signed in user's context where caching is used.
Fetching access token using application context.
Can anyone help me to know which needs to be consider with some example code.
Fetching access token using the signed in user's context where caching is used.
OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. It provides information about the end user in the form of an id_token that verifies the identity of the user and provides basic profile information about the user.
Please refer to code sample :Calling a web API in a web app using Azure AD and OpenID Connect ,this sample uses the OpenID Connect ASP.Net OWIN middleware and ADAL .Net. In controller , you could get access token for specific resource using the signed in user's context :
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID));
ClientCredential credential = new ClientCredential(clientId, appKey);
result = await authContext.AcquireTokenSilentAsync(todoListResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
Fetching access token using application context.
What do you mean by "application context" ? If you are talking about OAuth 2.0 Client Credentials Grant Flow , which permits a web service (confidential client) to use its own credentials instead of impersonating a user, to authenticate when calling another web service. You could refer to this scenario explanation and code samples .
To fetch an access token to the graph API, you need to:
redirect the user to the Azure authorization endpoint (https://login.microsoftonline.com/common/oauth2/v2.0/authorize),
to get back an authorization token,
that you need to provide Azure with, on the access token endpoint (https://login.microsoftonline.com/common/oauth2/v2.0/token), with your application credentials.
Finally, you can provide this access token to the userinfo endpoint on the graph API: https://graph.microsoft.com/v1.0/me
with some example code
I've written a sample code, but it depends totally on the language, environment and OIDC library you are using. In case you are using Java in a servlet environment with the MIT implementation of OIDC (MITREid Connect), my example to access the Microsoft graph API by means of OIDC on Azure is available on GitHub here: https://github.com/AlexandreFenyo/mitreid-azure