
When I try the sample code from Microsoft Azure to use oAuth2 and Spring Boot, it uses a stateful session to check authentication/authorization. You can see this in that:

  1. It never passes any headers/JWT on any calls
  2. It has a cookie "JSESSIONID" that you can use in a new Postman session (after obtaining it in a different browser) and it will consider you logged in

This will not work as our micro-services will be multiple instances.

How could I convert this to use a JWT (Authorization: Bearer AQab...) for subsequent calls instead of the cookie?

Dependencies:

//All using Spring Boot 2.0.5.RELEASE
compile('org.springframework.boot:spring-boot-starter-web')
compile('org.springframework.boot:spring-boot-starter-webflux')
compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.security:spring-security-oauth2-client')
compile('org.springframework.security:spring-security-oauth2-jose')

//Using 2.0.7
compile('com.microsoft.azure:azure-active-directory-spring-boot-starter')

Config:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@EnableWebSecurity
@EnableGlobalMethodSecurity( prePostEnabled = true )
public class OAuthConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> userService;

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .oauth2Login()
            .userInfoEndpoint()
            .oidcUserService( userService );
    }
}

Controller:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class MainController
{
    private OAuth2AuthorizedClientService clientService;

    @Autowired
    public MainController(OAuth2AuthorizedClientService clientService)
    {
        this.clientService = clientService;
    }

    @GetMapping( "checkrole" )
    @ResponseBody
    @PreAuthorize( "hasRole('ROLE__Test')" )
    public String group1()
    {
        return "ok";
    }

    @GetMapping( "/" )
    @ResponseBody
    public String getUser(OAuth2AuthenticationToken userToken)
    {
        //Printing out the oAuth token just for testing
        return clientService.loadAuthorizedClient(
            userToken.getAuthorizedClientRegistrationId(),
            userToken.getName()
        ).getAccessToken().getTokenValue();
    }
}

application.yml:

spring:
  security:
    oauth2:
      client:
        registration:
          azure:
            client-id: ${YOUR_CLIENT_ID:}
            client-secret: ${YOUR_CLIENT_SECRET:}

azure:
  activedirectory:
    tenant-id: ${YOUR_TENANT_OR_DIRECTORY_ID:}
    active-directory-groups: Test

Complete Sample Code

https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-active-directory-spring-boot-backend-sample

Don Rhummy
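For comparison with the session-based configuration in the question, here is an added example (not from the question or from the Azure sample) of a stateless resource-server configuration that validates an `Authorization: Bearer <jwt>` header on every request, so no JSESSIONID cookie is created and any instance of the service can answer any request. It assumes Spring Security 5.2+ (Spring Boot 2.2+), because `oauth2ResourceServer()` and `NimbusJwtDecoder` are not in the 2.0.5 stack listed above; the issuer, JWKS URL and audience values are placeholders to be taken from your tenant's OIDC discovery document and app registration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@EnableWebSecurity
public class StatelessJwtConfig extends WebSecurityConfigurerAdapter
{
    private static final String ISSUER = "https://ISSUER_PLACEHOLDER/";          // placeholder, from OIDC discovery
    private static final String JWK_SET_URI = "https://JWKS_PLACEHOLDER/keys";    // placeholder, from OIDC discovery
    private static final String EXPECTED_AUDIENCE = "YOUR_CLIENT_ID";             // placeholder: this API's client-id

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            // Never create or read an HTTP session: each request must carry its own
            // bearer token, which is what makes multiple instances interchangeable.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable() // no cookie-backed session, so there is nothing for CSRF to ride on
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder()
    {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // Default checks (signature against the JWKS, exp/nbf) plus "iss" must match our tenant...
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // ...and "aud" must name this API, so a token minted for a different app is rejected.
        OAuth2TokenValidator<Jwt> withAudience = jwt ->
            jwt.getAudience().contains(EXPECTED_AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "aud does not contain " + EXPECTED_AUDIENCE, null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }
}
```

With this in place the controller receives a `JwtAuthenticationToken` rather than the `OAuth2AuthenticationToken` used in the question, and a request without a valid bearer token gets a 401 instead of a redirect to the login page.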
  • Hello! did you find any solution for this? – Ramon Paris Jun 20 '20 at 05:19
  • @RamonParis We ended up having to write it ourselves. Their solution was never going to work – Don Rhummy Jun 20 '20 at 14:37
  • @Don Rhummy what manual solution did you use exactly for this? I have a front end that will pass me an (Authorization bearer) token to my REST API. I have to validate that and allow access to my REST API. – Asraful May 07 '21 at 08:13
  • @Forhad It was three years ago and this was a very complex thing to solve. It's not something I could explain in a Stack Overflow response, and after 3 years I would miss a lot of details. – Don Rhummy May 07 '21 at 22:50
  • @DonRhummy Indeed, I have coded a workaround for myself. I will try to post a detailed answer. – Asraful May 08 '21 at 04:46
  • @Asraful can you please post an answer, or a link to the solution if possible? – Sanal S Oct 31 '22 at 08:02
  • @SanalS Let me try to find it in my repo. – Asraful Oct 31 '22 at 21:32
