Closed TamasSzerb closed 3 years ago
TamasSzerb
commented
4 years ago Please also update the application properties according to https://docs.microsoft.com/en-us/azure/active-directory-b2c/multiple-token-endpoints as needs to migrate from login to B2C tenant.
TamasSzerb
commented
4 years ago In the log this can be seen:
2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@1636289f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 2EC484192981E8F8DD34CD7F537C70A7; Granted Authorities: ROLE_ANONYMOUS' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.security.web.FilterChainProxy : /favicon.ico at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.security.web.FilterChainProxy : /favicon.ico at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.security.web.FilterChainProxy : /favicon.ico at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/login' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/favicon.ico'; against '/error' 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /favicon.ico; Attributes: [authenticated] 2020-08-24 16:57:38.165 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@1636289f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 2EC484192981E8F8DD34CD7F537C70A7; Granted Authorities: ROLE_ANONYMOUS 2020-08-24 16:57:38.166 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7aae1d88, returned: -1 2020-08-24 16:57:38.167 DEBUG 19041 --- [0.1-8443-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118) ~[spring-web-5.1.9.RELEASE.jar!/:5.1.9.RELEASE] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
sangonzal
commented
4 years ago @idg-sam @navyasric this might be a good issue to investigate/ sample to revamp as per the suggestion above.
TamasSzerb
commented
4 years ago Also please note that according to https://docs.spring.io/spring-security-oauth2-boot/docs/current/api/org/springframework/boot/autoconfigure/security/oauth2/client/EnableOAuth2Sso.html @EnableOAuth2Sso annotation is deprecated.
TamasSzerb
commented
4 years ago Please note that the official spring "click" example: https://spring.io/guides/tutorials/spring-boot-oauth2/ ( https://github.com/spring-guides/tut-spring-boot-oauth2/tree/master/click ) also does not work, because if we configure
in tut-spring-boot-oauth2/click/src/main/resources/application.yml
eg.
issuer-uri=https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/v2.0/
according to https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
so
location does not match to the content:
"issuer": "https://fabrikamb2c.b2clogin.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/"
so spring throws exception.
sangonzal
commented
3 years ago @TamasSzerb Seems like there are multiple things here, I will try to address them separately:
Access token provider returned a null access token, which is illegal according to the contract. This is a known quirk of B2C. The workaround is to pass in the client id of your application as a scope. Please see: https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/140
There are a couple of annotations and properties in the sample that are deprecated. We plan to update the sample. Please see: https://github.com/Azure-Samples/ms-identity-java-webapp/issues
The spring security sample was written and only tested against AAD, and not B2C. Unfortunately there are some differences in between the services. I would recommend you take a look at the B2C sample in the repository that uses MSAL. Otherwise, if you would like to see a Spring Security sample with B2C, please file a separate issue. I will note that Microsoft has a Spring boot starter that works with B2C, that might be interesting to you: https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory-b2c-oidc
Hitting https://localhost:8443/ (running as spring boot jar), returns back from B2C fails:
Request URL: https://localhost:8443/login?state=NJPnhN&code=eyJraWQiOiI5Qk4wcUFoTXVhTE1HR0dla3kzV2RTanpGdGhabVJDQzRrckVFQjF1V1VFIiwidmVyIjoiMS4wIiwiemlwIjoiRGVmbGF0ZSIsInNlciI6IjEuMCJ9.ogK49BPpOhUJStMiaQYymHYXl45lg-kcJDDTTWZpO_B9UMYTqB3t2__YaE9nymAHwHT2JH9F1uDCJ0RZso-osvsjH8KHE5Gwe1iBrGblUiGASUrt1so_7-R7or2TN3uyvYDWxg96qdRIrZg9H5gHoxc8QFDUzUx9gpgrpVHBI8AoCFEoWesLO27uw8Haff2xClX4aNbiJizNoGguqoLLMu1S0wzg3SzyOe59cAG0uWvxigMPHd7hOx9IPvYASP3o0bRA1FooBl7PjSwlBC3Tp7iJmT6eVKTGx9flYzwkuKLUGoNKHIOwDVhpzzDY3nJyl8SYN50E3XTbW18-y0rZPg.nWVdFOgY38ApQDog.Eco4n4zSMRCixOLef66w_pX41hg9rwnpgGllsKHLGqBWgFnJufMfyBRsQvFWEWpDBfwX8j3rnyLMTmIBZzie0-Z10hPrTrVLNQWeaiNLKKeHrOfySPilNC9XIfyPaMBvccYleJYE8rzDyMC8sF9IXwwWfnPwpYWsoZMc0IzlFuj84oCtRu7QQB_yNaMRhRJrHaVg33jcKYgBs370bKECut47cmEeCDU1ONScRWdVIz-gw7QHGGu0ucrUkvMUfCei7zJC4Y4_JZAJjBHcX41GZr5IcemJuF3xxmaZjcebHIV2_r0-TXlnRZkbiFzqP5ZvQc-XNd1khKmd3__8P1FqT5rUZHBaWhQAKNpkOnEcPbIn_0W6SsAdgt-zkZn_CgTzNbnA-IjNQOnSu1pq62lwc75iqvvC62rnV228m6MqmQMfZ-vGXxBGD3g9dEfap7bg9wXvkcrfn_yVw-Z_LxEqOHnmoKYK3CtlyDs-7YfJXLZk1R-RR9nDtAx8GAz89uaafiIoa0o7EnipsgVvfOW-jW5aWgNb0sx7RcF97vX0Ml_QqiJbFkZ1YxK8rxcWtrPq.Lb-wMUX1vAkpW0flKwvvHQ Request Method: GET Status Code: 500 Remote Address: 127.0.0.1:8443 Referrer Policy: no-referrer-when-downgrade
The response body:
Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback.
Wed Aug 19 17:53:22 CEST 2020 There was an unexpected error (type=Internal Server Error, status=500). Access token provider returned a null access token, which is illegal according to the contract.