---
page_type: sample
languages:
  - java
products:
  - azure-active-directory
urlFragment: azure-spring-boot-sample-active-directory-resource-server
---

Azure OAuth 2.0 Sample for Azure AD Spring Boot Starter Resource Server client library for Java

Key concepts

This sample illustrates how to protect a Java web API by restricting access to its resources to authorized accounts only. For each incoming request the starter:

  1. Obtains the access token from the HTTP Authorization header (Bearer scheme).
  2. Uses JwtDecoder to parse the access token into a Jwt; this step also verifies the token signature against the tenant's published signing keys.
  3. Verifies the aud, iss, nbf and exp claims of the access token, so that only tokens issued by the expected tenant, addressed to this API and inside their validity window are accepted.
  4. Extracts the claims of the verified Jwt into an AADOAuth2AuthenticatedPrincipal object.
  5. Saves the AADOAuth2AuthenticatedPrincipal into the SecurityContext, where authorization checks for the rest of the request can read it.

Protocol diagram

(Figure: AAD resource server protocol diagram)

Getting started

Configure Web API

In this section you register your web API under App registrations in the Azure portal.

  1. In the Azure portal, search for and select Azure Active Directory, and switch to the tenant you want to use.

  2. In that tenant, under Manage, select App registrations -> New registration.

  3. Enter webapiB as the application name (the sample uses webapiB to distinguish this Resource Server sample from the Resource Server OBO sample), select Accounts in this organizational directory only, and click Register.

  4. Under the webapiB application, select Certificates & secrets -> New client secret. The sample selects Never for the expiry; for anything beyond a local test, choose a short expiry and rotate the secret. Click Add, and save the secret value now: the portal shows it only once and you need it later.

  5. Under the webapiB application, select Expose an API -> Add a scope. Keep the default Application ID URI and click Save and continue.

  6. Wait for the page to finish refreshing, then set the Scope name to WebApiB.ExampleScope and add the scope.

  7. The API is now exposed by webapiB.

  8. To also admit application (client-credentials) callers, expose an app role by adding an appRoles entry to the application manifest; see Example: Application app role for details on app role settings. The entry below grants the WebApiB.ClientCredential.ExampleScope role to applications only (allowedMemberTypes is Application, not User); id must be a GUID that is unique within the manifest.

    {
        "allowedMemberTypes": [
          "Application"
        ],
        "description": "WebApiB ClientCredential Example Scope",
        "displayName": "WebApiB ClientCredential Example Scope",
        "id": "d2bec026-b75f-418d-9493-8462f54f25d9",
        "isEnabled": true, 
        "value": "WebApiB.ClientCredential.ExampleScope"
    }

See Expose scoped permission to web API for more information about exposing a web API.

Examples

Configure application.yml

# Both azure.activedirectory.client-id and azure.activedirectory.app-id-uri are used when validating the audience (aud) claim.
# In v2.0 tokens aud is always the client id of the app; in v1.0 tokens it is either the client id
# or the Application ID URI, depending on which one the caller requested the token for.
# If your callers receive v1.0 tokens, configure both values so that audience validation succeeds.

azure:
  activedirectory:
    client-id: <client-id>
    app-id-uri: <app-id-uri>

Run with Maven

# Under sdk/spring project root directory
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-resource-server
mvn spring-boot:run

Access the Web API

You can use Postman to play the role of a web app and send requests to the web API.

NOTE:

  1. For a quick test you can obtain an access token with the resource owner password credentials (ROPC) grant; use it for local testing only, not for production clients.
  2. The aud claim of the access token must identify this web API (the client id or Application ID URI configured above).

GET /webapiB HTTP/1.1
Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw

GET /user HTTP/1.1
Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw

Check the authentication and authorization

  1. Access http://localhost:<your-Configured-server-port>/file: the request succeeds.
  2. Access http://localhost:<your-Configured-server-port>/user: the request fails with an error message.
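The Key concepts list, the audience comment in application.yml and the check above all describe work the starter does for you. As an added example (not the sample's or the starter's own code), the plain Spring Security configuration below performs the same five steps explicitly, so the checks can be read and adjusted. It assumes Spring Security 6 (the requestMatchers API), an azure.activedirectory.tenant-id property that the page's application.yml does not show, the SCOPE_/APPROLE_ authority prefixes as this example's own convention, and a hypothetical rule set in which /file requires the delegated scope and /user requires the app role. With a user token obtained through the password grant, which carries scp but no roles claim, that rule set reproduces the success on /file and the 403 on /user. The class and property names are illustrative.

```java
package com.example.webapib;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebApiBSecurityConfig {

    @Value("${azure.activedirectory.client-id}") private String clientId;
    @Value("${azure.activedirectory.app-id-uri}") private String appIdUri;
    // Assumed property: the README's application.yml shows no tenant-id, but the URLs below need it.
    @Value("${azure.activedirectory.tenant-id}") private String tenantId;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Step 1: the resource-server filter reads "Authorization: Bearer <token>" and passes the
        // raw token to jwtDecoder() (steps 2-3), then to jwtAuthenticationConverter() (steps 4-5).
        http.authorizeHttpRequests(auth -> auth
                // Hypothetical rule set matching the README's check: a delegated user token carries
                // the scope (so /file succeeds) but not the app role (so /user is rejected with 403).
                .requestMatchers("/file").hasAuthority("SCOPE_WebApiB.ExampleScope")
                .requestMatchers("/user").hasAuthority("APPROLE_WebApiB.ClientCredential.ExampleScope")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Step 2: parse the compact JWT and verify its signature against the tenant's signing keys.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri("https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys")
            .build();
        // Step 3: nbf/exp come from the default validator; iss and aud are checked explicitly.
        Set<String> trustedIssuers = Set.of(
            "https://login.microsoftonline.com/" + tenantId + "/v2.0",  // v2.0 tokens
            "https://sts.windows.net/" + tenantId + "/");                // v1.0 tokens
        OAuth2TokenValidator<Jwt> issuer = claimCheck("untrusted issuer",
            jwt -> trustedIssuers.contains(String.valueOf(jwt.getIssuer())));
        // v2.0 tokens carry the client id in aud; v1.0 tokens may carry the Application ID URI,
        // so both configured values are accepted, as the application.yml comment describes.
        OAuth2TokenValidator<Jwt> audience = claimCheck("audience is not this API",
            jwt -> jwt.getAudience() != null
                && (jwt.getAudience().contains(clientId) || jwt.getAudience().contains(appIdUri)));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefault(), issuer, audience));
        return decoder;
    }

    // Wraps a predicate over the parsed Jwt as a validator that fails with invalid_token.
    private static OAuth2TokenValidator<Jwt> claimCheck(String description, Predicate<Jwt> ok) {
        OAuth2Error error = new OAuth2Error("invalid_token", description, null);
        return jwt -> ok.test(jwt) ? OAuth2TokenValidatorResult.success()
                                   : OAuth2TokenValidatorResult.failure(error);
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Steps 4-5: claims become authorities on a JwtAuthenticationToken, which the filter
        // stores in the SecurityContext for the rest of the request.
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(WebApiBSecurityConfig::authoritiesFrom);
        return converter;
    }

    // "scp" (space-separated, delegated tokens) -> SCOPE_*; "roles" (app-only tokens) -> APPROLE_*.
    // The prefixes are this example's own convention, not something the README specifies.
    static List<GrantedAuthority> authoritiesFrom(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        String scp = jwt.getClaimAsString("scp");
        if (scp != null) for (String s : scp.split(" ")) authorities.add(new SimpleGrantedAuthority("SCOPE_" + s));
        List<String> roles = jwt.getClaimAsStringList("roles");
        if (roles != null) for (String r : roles) authorities.add(new SimpleGrantedAuthority("APPROLE_" + r));
        return authorities;
    }
}
```

Two details are easy to get wrong when writing such a configuration by hand. Spring's Jwt exposes iss as a java.net.URL, so the issuer check compares its string form rather than the raw claim; and a v1.0 token names the tenant as https://sts.windows.net/<tenant-id>/ while a v2.0 token uses https://login.microsoftonline.com/<tenant-id>/v2.0, which is why both issuers are trusted here alongside both audience values. Because the rejection happens inside the decoder, a bad iss, aud, nbf or exp produces a 401 with WWW-Authenticate: Bearer error="invalid_token", whereas a missing authority on /user produces a 403 from the authorization rules.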

Troubleshooting

Next steps

Contributing