Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[QUERY] Is it possible to handle multiple app registrations for one Spring Boot app? #36884

Closed ObakeFilter closed 2 weeks ago

ObakeFilter commented 11 months ago

Query/Question
Hello everyone, I have a Spring Boot app that exposes an API which I would like to protect in a manner similar to the one described over here. The problem is, I would like to provide access to users from two different Azure apps (both reside in the same tenant; there are two different sets of client-id, app-id and client secret), and I couldn't find any info online on whether it's even doable. Can you please suggest a way it can be done?

moarychan commented 11 months ago

Hi @ObakeFilter, we have not verified such a scenario, but according to the source code you can try to support multiple audience verification by customizing the JwtDecoder bean.

Please refer to AadResourceServerConfiguration#jwtDecoder

```java
// Spring imports shown explicitly. The Azure types (AadAuthenticationProperties, AadAuthorizationServerEndpoints,
// AadJwtClaimNames, AadJwtIssuerValidator) are imported from the starter package that also holds AadResourceServerConfiguration.
import java.util.ArrayList;
import java.util.List;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.StringUtils;

@Configuration
public class MultiAudienceJwtDecoderConfiguration {

    @Bean
    public JwtDecoder jwtDecoder(AadAuthenticationProperties aadAuthenticationProperties,
                                 RestTemplateBuilder restTemplateBuilder) {
        AadAuthorizationServerEndpoints identityEndpoints = new AadAuthorizationServerEndpoints(
            aadAuthenticationProperties.getProfile().getEnvironment().getActiveDirectoryEndpoint(),
            aadAuthenticationProperties.getProfile().getTenantId());
        NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder
            .withJwkSetUri(identityEndpoints.getJwkSetEndpoint())
            // the starter builds this via its internal createRestTemplate(restTemplateBuilder) helper
            .restOperations(restTemplateBuilder.build())
            .build();
        List<OAuth2TokenValidator<Jwt>> validators = createDefaultValidator(aadAuthenticationProperties);
        // setJwtValidator replaces the decoder's default validators, so issuer and timestamp checks are re-added below
        nimbusJwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
        return nimbusJwtDecoder;
    }

    public List<OAuth2TokenValidator<Jwt>> createDefaultValidator(AadAuthenticationProperties aadAuthenticationProperties) {
        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        List<String> validAudiences = new ArrayList<>();
        if (StringUtils.hasText(aadAuthenticationProperties.getAppIdUri())) {
            validAudiences.add(aadAuthenticationProperties.getAppIdUri());
        }
        if (StringUtils.hasText(aadAuthenticationProperties.getCredential().getClientId())) {
            validAudiences.add(aadAuthenticationProperties.getCredential().getClientId());
        }

        // add your second group client-id and app-id-url to the validAudiences

        if (!validAudiences.isEmpty()) {
            // every value in the token's aud claim must be one of our own identifiers
            validators.add(new JwtClaimValidator<List<String>>(AadJwtClaimNames.AUD, validAudiences::containsAll));
        }
        validators.add(new AadJwtIssuerValidator());
        validators.add(new JwtTimestampValidator());
        return validators;
    }
}
```
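To see what the audience check above admits and rejects, here is an added example (not from this thread or the SDK) that uses only Spring Security's JWT classes; the two client ids, the App ID URI and the tenant id in the issuer are constructed placeholders.

```java
import java.time.Instant;
import java.util.List;
import java.util.Set;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;

public class MultiAudienceCheck {
    // Placeholder identifiers for two app registrations in the same tenant (constructed, not real).
    static final String APP_A_CLIENT_ID = "00000000-0000-0000-0000-00000000000a";
    static final String APP_B_CLIENT_ID = "00000000-0000-0000-0000-00000000000b";
    static final String APP_B_ID_URI = "api://00000000-0000-0000-0000-00000000000b";
    static final String ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0";

    // Same predicate as the starter: every value in the token's aud claim must be in the allowed set.
    static OAuth2TokenValidator<Jwt> audienceValidator(Set<String> allowed) {
        return new JwtClaimValidator<List<String>>(JwtClaimNames.AUD, allowed::containsAll);
    }

    // Full chain; setJwtValidator drops the decoder defaults, so issuer and timestamp checks are re-added.
    static OAuth2TokenValidator<Jwt> validatorFor(Set<String> allowedAudiences) {
        return new DelegatingOAuth2TokenValidator<>(audienceValidator(allowedAudiences),
            new JwtIssuerValidator(ISSUER), new JwtTimestampValidator());
    }

    // Builds an already-parsed Jwt with the given aud list so the chain can be exercised without a real token.
    static Jwt token(List<String> aud) {
        return Jwt.withTokenValue("constructed").header("alg", "RS256")
            .issuer(ISSUER).audience(aud)
            .expiresAt(Instant.now().plusSeconds(300))
            .build();
    }

    static boolean accepts(OAuth2TokenValidator<Jwt> validator, List<String> aud) {
        return !validator.validate(token(aud)).hasErrors();
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of(APP_A_CLIENT_ID, APP_B_CLIENT_ID, APP_B_ID_URI);
        OAuth2TokenValidator<Jwt> validator = validatorFor(allowed);
        System.out.println("app A client id:  " + accepts(validator, List.of(APP_A_CLIENT_ID)));   // true
        System.out.println("app B App ID URI: " + accepts(validator, List.of(APP_B_ID_URI)));      // true
        // rejected: one audience is not a registration we own, so containsAll fails
        System.out.println("mixed audiences:  " + accepts(validator, List.of(APP_A_CLIENT_ID, "api://someone-else"))); // false
    }
}
```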
github-actions[bot] commented 1 month ago

Hi @ObakeFilter. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] commented 1 month ago

Hi @ObakeFilter, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!