azure-spring-boot-samples
[QUERY] Example for MSAL / spring-cloud-azure-dependencies
Query/Question: Will there be an example with MSAL / spring-cloud-azure-dependencies for authenticate-using-private-key-jwt?
Why is this not a Bug or a feature Request? Example for Spring Boot OAuth2 is working.
Setup (please complete the following information if applicable):
- OS: -
- IDE: -
- Sample Path: https://github.com/Azure-Samples/azure-spring-boot-samples/tree/spring-cloud-azure_v4.3.0/aad/spring-security/servlet/oauth2/login-authenticate-using-private-key-jwt
- Library/Libraries: com.azure.spring:spring-cloud-azure-dependencies, com.azure.spring:spring-cloud-azure-starter-active-directory, com.microsoft.azure:msal4j
Information Checklist
- [ ] Query Added
- [ ] Setup information Added
Hi @hniehaus-nlb , thanks for using it!
We will provide a new sample project using the client method private-key-jwt soon.
The following is a temporary simple guide for you.

- Set up the projects aad-web-application (`webapp`), aad-resource-server-obo (`webapiA`), aad-resource-server (`webapiB`), and start these samples. After successfully logging in, call the Obo Client URL http://localhost:8080/webapp/webapiA/webapiB; then `webapiA` will use the default client authentication method `client_secret_basic` and access resource `webapiB`.
- As you found, you can follow this guide login-authenticate-using-private-key-jwt to prepare the certs, and upload them to your applications `webapp` and `webapiA` in Azure AD.
- Update the `webapp` configuration, and make `webapp` log in and access the resource `webapiA` via certificate authentication.

```yaml
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        credential:
          client-id: <client id is still required>
          # client-secret: <client-secret is required if you access a non-certificate-authenticated resource or application, such as the `graph` client.>
          client-certificate-path: <your local cert path, such as c:\xxx.pfx>
          client-certificate-password: <your local cert password>
        profile:
          tenant-id: <tenant id is still required>
        user-group:
          allowed-group-names: group1,group2
          allowed-group-ids: all # When 'all' is used, all group ids can be obtained.
        post-logout-redirect-uri: http://localhost:8080
        authorization-clients:
          azure:
            client-authentication-method: private_key_jwt
          webapiA: # This is used to demonstrate the on-behalf-of function. Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
            client-authentication-method: private_key_jwt
            scopes:
              - api://webapia/Obo.WebApiA.ExampleScope
```

- Update the `webapiA` configuration, and make `webapiA` access the resource `webapiB` via certificate authentication.

```yaml
server:
  port: 8081
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        credential:
          client-id: <client id is still required>
          client-certificate-path: <your local cert path, such as c:\xxx.pfx>
          client-certificate-password: <your local cert password>
        profile:
          tenant-id: <tenant id is still required>
        app-id-uri: api://webapia
        authorization-clients:
          webapiB: # When authorization-grant-type is null, the on-behalf-of flow is used by default
            authorization-grant-type: on_behalf_of
            client-authentication-method: private_key_jwt
            scopes:
              - api://webapib/WebApiB.ExampleScope
```

- Restart these samples. After successfully logging in, call the Obo Client URL http://localhost:8080/webapp/webapiA/webapiB again; then `webapp` will return data from the resource `webapiB`, and there is no client secret configured for the clients `webapp` and `webapiA`.
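To make concrete what switching `client-authentication-method` to `private_key_jwt` changes on the wire, here is an added example (not code from this repository, nor from Spring Cloud Azure or MSAL4J, which build this for you from the `client-certificate-path` and `client-certificate-password` properties). It is written in Go so it runs with only the standard library. It builds the `client_assertion` JWT in the shape Azure AD expects: an RS256 JWS whose header carries the certificate's base64url SHA-1 thumbprint as `x5t`, with `iss` and `sub` set to the client id, `aud` set to the tenant's token endpoint, a random `jti`, and a short `nbf`/`exp` window. It goes one step beyond the guide by also including the verifying side, so you can see which claims the token endpoint checks. The client id and tenant are constructed placeholders, and a self-signed certificate generated in the program stands in for the PFX you would upload to the app registration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed placeholders; real values come from your Azure AD app registration.
const (
	clientID      = "client-id-placeholder"
	tokenEndpoint = "https://login.microsoftonline.com/tenant-id-placeholder/oauth2/v2.0/token"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
type CertStore map[string]*x509.Certificate // certificates uploaded to the app registration, keyed by x5t

// Thumbprint: base64url SHA-1 of the DER cert, the "x5t" header Azure AD uses to find the uploaded cert.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return b64url(sum[:])
}

// NewSelfSignedCert makes a key and self-signed cert standing in for the PFX at client-certificate-path (test data).
func NewSelfSignedCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// BuildClientAssertion produces the JWT sent as client_assertion in place of a client secret (private_key_jwt).
func BuildClientAssertion(key *rsa.PrivateKey, cert *x509.Certificate, now time.Time) (string, error) {
	jti := make([]byte, 16) // random id so a captured assertion cannot be replayed
	rand.Read(jti)          // crypto/rand.Read cannot fail as of Go 1.24
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": Thumbprint(cert)})
	claims, _ := json.Marshal(map[string]any{
		"aud": tokenEndpoint, "iss": clientID, "sub": clientID, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // short lifetime
	})
	signingInput := b64url(hdr) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion mirrors the token endpoint: known x5t, valid signature, matching aud/iss/sub, time window.
func VerifyClientAssertion(assertion string, trusted CertStore, audience string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed assertion")
	}
	var hdr struct{ Alg, X5t string }
	var claims struct{ Aud, Iss, Sub string; Nbf, Exp int64 }
	for i, dst := range []any{&hdr, &claims} { // encoding/json matches keys case-insensitively
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil {
			return err
		}
		if err := json.Unmarshal(raw, dst); err != nil {
			return err
		}
	}
	cert, ok := trusted[hdr.X5t]
	if hdr.Alg != "RS256" || !ok {
		return fmt.Errorf("unknown signing certificate or algorithm")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	if claims.Aud != audience || claims.Iss != clientID || claims.Sub != clientID ||
		now.Unix() < claims.Nbf || now.Unix() >= claims.Exp {
		return fmt.Errorf("audience, client id or validity window rejected")
	}
	return nil
}
```

Call `NewSelfSignedCert`, then `BuildClientAssertion`, and hand the result to `VerifyClientAssertion` together with a `CertStore` keyed by `Thumbprint(cert)`: the store plays the role of the certificates uploaded for `webapp` and `webapiA`. Only the signed assertion travels to the token endpoint; the private key and the PFX password stay on the client, which is why the last step of the guide above ends with no client secret configured at all. An assertion aimed at a different audience, one past its `exp`, or one signed with a certificate that was never uploaded is rejected, which is what limits the damage if an assertion is ever logged or captured.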
Hi @moarychan , thanks for the update and example. Just today I found the guide you mentioned, too. That was my missing link ;-)
Sorry, this was my missing link: https://github.com/moarychan/azure-sdk-for-java/wiki/JWT-Client-Authentication-support-design-for-Spring-Cloud-Azure-AD
Hi @hniehaus-nlb , I am closing this issue since no further comments were added; if you have any questions please reopen this one or create a new issue, thanks!