Thanks for this wonderful blog post Julien. We had to check the ID Tokens here in order to have the full integration working. Without that it was throwing the following exception:
Thanks Christophe!! Yes, you are totally correct! I don't understand, I remember perfectly well having put this in my article, but it doesn't show up. Let me correct this ASAP!!!
It's fixed, thanks again Christophe!
Is it correct to state that this only works because the default role in Azure AD is 'User' and in Spring it is 'ROLE_USER' ? What if I create a 'ROLE_ADMIN' in my Spring Boot app? Do I need to use Azure AD Premium P1 or P2 to be able to do that? Or is it possible in the free version as well?
Oh yes, this works because we have the same roles, and I also think that those can only be modified in the premium tier, at least for now. I'm not an expert in those tiers, so I can't tell you if there's a trick to do it for free.
Declaring app roles using Azure portal for free
docs.microsoft.com/en-us/azure/act...
stackoverflow.com/questions/556090...
I'd love to see how you get on with configuring access to your app when it's deployed to Azure App Service and using a non-localhost domain over HTTPS. That's where I encountered issues trying to configure the reply URL as per dev.to/cowinr/setting-up-spring-se...
Interesting to see your note "The current Spring Boot starter does not work with single tenants, which is an issue being currently addressed." I set mine up as a single tenant registration and it worked after a fashion. Perhaps I'll have better luck configuring as a multi-tenant registration.
I'm late to this party, but I was following the above walkthrough last weekend, including a deploy to Azure App Service. Locally it worked from the get-go, whereas in the cloud I got the exact same AADSTS50011 error, due to a mismatch between the http (suggested) vs. https (registered) reply URLs.
Apparently this is a well-known issue, due to the fact that in the cloud the Spring Boot application (running on http) is proxied by IIS (running on https). See also Running Behind a Front-end Proxy Server and Deploy Your Spring Boot Application to Azure. The suggested addition of this snippet to application.yaml solved it for me:
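The setting behind the fix described in the comment above, as an added example that is not the commenter's own snippet: with `server.forward-headers-strategy` set, embedded Tomcat trusts the `X-Forwarded-Proto` and `X-Forwarded-For` headers that the App Service front end adds, so Spring Security builds the `redirect_uri` with `https://` and it matches the reply URL registered in Azure AD. The property exists in Spring Boot 2.2 and later (the stack trace further down in this thread shows 2.2.2); older versions use `server.use-forward-headers: true` instead.

```yaml
# Added example (not from the original post or comment).
# Spring Boot 2.2+: honour X-Forwarded-* headers set by a reverse proxy.
#   native    -> Tomcat's RemoteIpValve handles the headers
#   framework -> Spring's ForwardedHeaderFilter handles them
# Only enable this when the app is reachable solely through a trusted proxy:
# a client that can hit Tomcat directly could spoof X-Forwarded-Proto and
# make the application believe a plain-http request arrived over https.
server:
  forward-headers-strategy: native
```

With `native`, Tomcat by default only trusts forwarded headers from private and loopback proxy addresses (`server.tomcat.remoteip.internal-proxies`), which is the case for the App Service front end; with `framework`, the filter trusts any caller, so keep the app bound to the proxy only.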
Thanks! For single tenant there seems to be a separate documentation. I need to work on it; I don't understand why it should be a different configuration from Spring Boot.
After following this simple configuration for my Spring Boot system, I just keep getting this error:
Still trying to figure out why.
java.lang.IllegalStateException: Error processing condition on org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2WebSecurityConfiguration.authorizedClientRepository
at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:60) ~[spring-boot-autoconfigure-2.2.2.RELEASE.jar:2.2.2.RELEASE]
In a client-directed flow I want to write a custom identity provider where I would like to use my service account. I am writing a Spring service and from there I would like to sign in a service account to be validated against AAD to get the token. I want to avoid the popup. Is it possible?
In that case, you are not authenticating using the client's credentials, so showing the popup doesn't make any sense, am I correct? Also, having everybody use a service account looks like a big security issue - for instance, you won't be able to audit what people did, and also everybody will have the same permissions. And service accounts usually have higher privileges than normal user accounts. Are you sure this is a good idea?
Anyway, if this is correct, this would work like a usual OAuth2 flow between two applications: you need to store the secret token somewhere secured (Azure Key Vault?), and then you can use it to access whatever service you need. There's no need to have a login popup for this.
Thanks for the tutorial. Is it possible to use this tutorial on JHipster 6.5.1?
Thanks! I haven't tried it, but there shouldn't be any difference from using start.spring.io, so yes, it should work the same. You'll need to tweak the SecurityConfiguration class probably - have a look at the OIDC option, it should be pretty close to what you need. Oh, and please send an update if you succeed! Maybe a tip on jhipster.tech/tips/ ?
Hello Julien,
in my git repository I have published a JHipster 6.5.1 project with the implementation of Login by Azure Active Directory.
Function: Login / Logout
When and if you have time you can review the code!
Thanks a lot for this tutorial!
This is the link github.com/ivan86to/jhipster-ad-azure
Thanks a lot!! This should be a new security option in JHipster, we need to automate this. Would you be interested in contributing this? It's mostly a matter of transforming your existing code into templates. Or at the minimum this should be in our tips section.
Ok, login works successfully with few modifications :)
But the Logout resource does not work because
this.registration.getProviderDetails().getConfigurationMetadata()
.get("end_session_endpoint") returns null.
I'll try to fix this problem.
Thanks!
Hi. I tried this. It's working fine if I enter localhost:8080 in the browser. But if I try with the UI (Angular GET request to 8080), it errors with a CORS issue. I already tried Spring Security CORS, and also CORS headers in Angular. Nothing worked. The redirection is not working: from the UI, the Azure login does not open, it gives a CORS error. Href is working, but then we need to redirect back to Angular again. Is there any solution?
Exactly what I wanted. Thanks a mill for this article.
Could you help me create one simple Postman request (for example: 1. Create Login / 2. an API with Authorization Token), please? I am stuck at this point.
Thanks
Thanks @kowshikns !
I have never used Postman with AAD, but I have found this documentation that looks correct: github.com/MicrosoftDocs/azure-doc...
Oh, and have you tried Postwoman instead? github.com/liyasthomas/postwoman
Thanks for this. Is there or could you write a similar post, but for a mobile application for example? So that login can happen without going to a web page?
There are many types of mobile applications, like iOS or Android; I can't do all of them, sorry about that. But it shouldn't change much, it's the same flow for all technologies.
Hi,
Is it possible to retrieve userinfo (connect2id.com/products/server/doc...) with custom parameters inside SecurityContextHolder?
Thanks
I don't think there's a limitation here, I do see all the user information, roles, etc. So that should work.
Hello, I have upgraded to the spring-azure framework, but my application uses multiple Azure accounts, so is dynamic multi-tenant switchover supported?