DEV Community

Using Spring Security with Azure Active Directory

Julien Dubois on September 09, 2019

Why use Active Directory? Let's be honest, Active Directory isn't "cool" today. People see it as very complex, which is true - but sec...
Christophe Willemsen

Thanks for this wonderful blog post Julien. We had to check the ID Tokens here

[screenshot]

in order to have the full integration working. Without that it was throwing the following exception:

com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant.\r\nTrace ID: 5c2df3b6-23d6-44b8-8c3d-37c6777d6000\r\nCorrelation ID: a5c7ee8d-90da-457d-8e3c-739faadfeed5\r\nTimestamp: 2019-09-10 08:35:44Z","error":"invalid_request"}
Julien Dubois

Thanks Christophe!! Yes, you are totally correct! I don't understand, I remember perfectly well having put this in my article, but it doesn't show up. Let me correct this ASAP!!!

Julien Dubois

It's fixed, thanks again Christophe!

Wim Deblauwe

Is it correct to state that this only works because the default role in Azure AD is 'User' and in Spring it is 'ROLE_USER'? What if I create a 'ROLE_ADMIN' in my Spring Boot app? Do I need to use Azure AD Premium P1 or P2 to be able to do that? Or is it possible in the free version as well?

Julien Dubois

Oh yes, this works because we have the same roles, and I also think that those can only be modified in the premium tier, at least for now. I'm not an expert in those tiers, so I can't tell you if there's a trick to do it for free.

YOH

Declaring app roles using the Azure portal for free:

docs.microsoft.com/en-us/azure/act...

stackoverflow.com/questions/556090...

Richard Cowin

I'd love to see how you get on with configuring access to your app when it's deployed to Azure App Service and using a non-localhost domain over HTTPS. That's where I encountered issues trying to configure the reply URL as per dev.to/cowinr/setting-up-spring-se...

Interesting to see your note "The current Spring Boot starter does not work with single tenants, which is an issue being currently addressed." I set mine up as a single tenant registration and it worked after a fashion. Perhaps I'll have better luck configuring as a multi-tenant registration.

Fokko Groenenboom

I'm late to this party, but I was following the above walkthrough last weekend, including a deploy to Azure App Service. Locally it worked from the get-go, whereas in the cloud I got the exact same AADSTS50011 error, due to a mismatch between the http (suggested) and https (registered) reply URLs.
Apparently this is a well-known issue due to the fact that in the cloud, the Spring Boot application (running on http) is proxied by IIS (running on https). See also Running Behind a Front-end Proxy Server and Deploy Your Spring Boot Application to Azure. The suggested addition of this snippet to application.yaml solved it for me:

server:
  forward-headers-strategy: FRAMEWORK
Julien Dubois

Thanks! For single tenant there seems to be separate documentation; I need to work on it. I don't understand why it should be a different configuration from Spring Boot.

Motolola

After following this simple configuration for my Spring Boot system, I just keep getting this error.
Still trying to figure out why.

java.lang.IllegalStateException: Error processing condition on org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2WebSecurityConfiguration.authorizedClientRepository
at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:60) ~[spring-boot-autoconfigure-2.2.2.RELEASE.jar:2.2.2.RELEASE]

Suman Mitra

In a client-directed flow I want to write a custom identity provider where I would like to use my service account. I am writing a Spring service and from there I would like to sign in a service account to be validated against AAD to get the token. I want to avoid the popup. Is it possible?

Julien Dubois

In that case, you are not authenticating using the client's credentials, so showing the popup doesn't make any sense, am I correct? Also, having everybody use a service account looks like a big security issue - for instance, you won't be able to audit what people did, and also everybody will have the same permissions. And service accounts usually have higher privileges than normal user accounts. Are you sure this is a good idea?
Anyway, if this is correct, this would work like a usual OAuth2 flow between two applications: you need to store the secret token somewhere secured (Azure Key Vault?), and then you can use it to access whatever service you need. There's no need to have a login popup for this.

Ivan

Thanks for the tutorial. Is it possible to use this tutorial on JHipster 6.5.1?

Julien Dubois

Thanks! I haven't tried it, but there shouldn't be any difference from using start.spring.io, so yes, it should work the same. You'll probably need to tweak the SecurityConfiguration class - have a look at the OIDC option, it should be pretty close to what you need. Oh, and please send an update if you succeed! Maybe a tip on jhipster.tech/tips/?

Ivan

Hello Julien,
in my git repository I have published a JHipster 6.5.1 project with the
implementation of login by Azure Active Directory.

Function: Login / Logout

When and if you have time you can review the code!
Thanks a lot for this tutorial!

This is the link: github.com/ivan86to/jhipster-ad-azure

Julien Dubois

Thanks a lot!! This should be a new security option in JHipster, we need to automate this. Would you be interested in contributing this? It's mostly a matter of transforming your existing code into templates. Or at the minimum this should be in our tips section.

Ivan

Ok, login works successfully with few modifications :)
But the Logout resource does not work because
this.registration.getProviderDetails().getConfigurationMetadata()
.get("end_session_endpoint") returns null.
I'm trying to fix this problem.
Thanks!

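A null end_session_endpoint like the one above is, as an assumption here, usually what you get when the client registration was not built from the provider's issuer-uri, because only OIDC discovery fills in the configuration metadata map. As an added example (not Ivan's or JHipster's own LogoutResource), a small helper that builds the provider logout URL and degrades to a local-only logout instead of throwing when that key is missing; the class and method names are hypothetical:

```java
import java.util.Map;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Hypothetical helper (not JHipster's own LogoutResource) that builds the
 * OIDC RP-initiated logout URL and degrades to a local-only logout when the
 * provider metadata has no end_session_endpoint.
 */
public final class LogoutUrlResolver {

    private final ClientRegistration registration;
    private final String postLogoutRedirectUri;

    public LogoutUrlResolver(ClientRegistration registration, String postLogoutRedirectUri) {
        this.registration = registration;
        this.postLogoutRedirectUri = postLogoutRedirectUri;
    }

    /** Returns the URL the browser should be sent to after the local session is invalidated. */
    public String resolve(String idTokenValue) {
        // The metadata map is only populated when Spring built the registration from the
        // issuer's discovery document (issuer-uri); a registration assembled from hand-written
        // authorization-uri/token-uri properties leaves it empty, so the lookup returns null.
        Map<String, Object> metadata = registration.getProviderDetails().getConfigurationMetadata();
        Object endSessionEndpoint = metadata.get("end_session_endpoint");
        if (endSessionEndpoint == null) {
            // No provider logout endpoint is known: only the local session ends, the IdP
            // session stays alive, so the next login may be silent. Fall back rather than fail.
            return postLogoutRedirectUri;
        }
        return UriComponentsBuilder.fromUriString(endSessionEndpoint.toString())
                .queryParam("id_token_hint", idTokenValue)
                .queryParam("post_logout_redirect_uri", postLogoutRedirectUri)
                .build()
                .encode()
                .toUriString();
    }

    /** True when a real provider-side logout is possible; handy for a startup sanity check. */
    public boolean supportsProviderLogout() {
        return registration.getProviderDetails().getConfigurationMetadata()
                .containsKey("end_session_endpoint");
    }
}
```

Calling supportsProviderLogout() at startup and logging a warning when it is false makes the silent-fallback case visible to operators instead of only to users who notice they were never signed out of Azure AD.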
shraban-git

Hi. I tried this. It's working fine if I enter localhost:8080 in the browser. But if I try with the UI (Angular GET request to 8080), it errors with a CORS issue. Already tried with Spring Security CORS. Also in Angular with a CORS header. Nothing worked. Redirection is not working: from the UI login, Azure is not opening, CORS error. Href is working. But again we need to redirect to Angular. Is there any solution?

kowshikns

Exactly what I wanted. Thanks a mill for this article.
Could you help me create one simple Postman request (example: 1. create login / 2. an API with authorization token) please? I am stuck at this point.
Thanks

Julien Dubois

Thanks @kowshikns!
I have never used Postman with AAD, but I have found this documentation that looks correct: github.com/MicrosoftDocs/azure-doc...
Oh, and have you tried Postwoman instead? github.com/liyasthomas/postwoman

Wim Deblauwe

Thanks for this. Is there or could you write a similar post, but for a mobile application for example? So that login can happen without going to a web page?

Julien Dubois

There are many types of mobile applications, like iOS or Android, I can't do all of them, sorry about that. But it shouldn't change much, it's the same flow for all technologies.

ltlamontagne

Hi,

Is it possible to retrieve userinfo (connect2id.com/products/server/doc...) with custom parameters inside SecurityContextHolder?

Thanks

Julien Dubois

I don't think there's a limitation here, I do see all the user information, roles, etc. So that should work.

2488275582

Hello, I have upgraded to the spring-azure framework, but my application uses multiple Azure accounts, so is multi-tenant dynamic switchover supported in code?