Closed jtc198322 closed 5 years ago
@jtc198322
Thanks for issue this. For double check, you only leverage AADAuthenticationFilter
for your security configuration, right ?
The filter only take care of Auhorization header and validate it from below configuration https://github.com/Microsoft/azure-spring-boot/blob/0caebdeaf694a69619eb07d39f1ca0ca3c81cc2f/azure-spring-boot/src/main/resources/serviceEndpoints.properties#L1-L8
You may need to provide more configuration about you code, so we can tell where is wired.
I didn't have most of these in place but I added a few. Same results
azure:
activedirectory:
clientId: ***********************************
clientSecret: *******************************
activeDirectoryGroups: group1,group2
service:
endpoints:
global:
aad-signin-uri: https://login.microsoftonline.com/
aadGraphApiUri: https://graph.windows.net/****************************
@jtc198322
In fact you may not have necessary to configure that, use default value from serviceEndpoints.properties
is good enough
Most examples only indicate these...
`azure:
activedirectory:
clientId: ***********************************
clientSecret: *******************************
activeDirectoryGroups: group1,group2`
Looks like the only way to avoid this code in the filter is not to get into the below, should I already have any of these to make this false?
` if (principal == null || graphApiToken == null || graphApiToken.isEmpty()) {
principal = principalManager.buildUserPrincipal(idToken);
final String tenantId = principal.getClaim().toString();
graphApiToken = client.acquireTokenForGraphApi(idToken, tenantId).getAccessToken();
principal.setUserGroups(client.getGroups(graphApiToken));
request.getSession().setAttribute(CURRENT_USER_PRINCIPAL, principal);
request.getSession().setAttribute(CURRENT_USER_PRINCIPAL_GRAPHAPI_TOKEN, graphApiToken);
}`
Would it be possible to make the hard-corded strings of the issuer dynamic supported by properties? For a single tenant...
@Override public void verify(JWTClaimsSet claimsSet, SecurityContext ctx) throws BadJWTException { super.verify(claimsSet, ctx); final String issuer = claimsSet.getIssuer(); if (issuer == null || !issuer.contains("https://sts.windows.net/") && !issuer.contains("https://sts.chinacloudapi.cn/")) { throw new BadJWTException("Invalid token issuer"); } } });
@jtc198322 I am sorry it seems I cannot get your point for this issue. For aad, the service-endpoint is something like fixed value, and it should works well. Are you try to customize this endpoint with aad ? I am not sure if it is possible or not. Please correct me if something misunderstanding.
Basically my issuer from Azure AD is not "https://sts.windows.net/" or "https://sts.chinacloudapi.cn/"
it is from https://login.microsoftonline.com/{uuid}/v2.0
and the jwt verification fails. This OOTB from Azure, I didn't customize it
I have the same issue. I think the error occur if the setup is single tenant.
I think the problem is giving an azure AD v2 token to a azure AD v1 implementation.
Facing similar issue with single tenant application, is there any solution to this issue?
I think I'm facing the same issue here. I'm using the AAD Spring Boot starter with Spring Boot 2.1.4 and I receive version 1.0 tokens. The access token is not a JWT, the id token is and it includes the attribute "ver": "1.0" and "iss": "https://sts.windows.net/our-tenant-id/", whereas it should be "iss": "https://login.microsoftonline.com/our-tenant-id/v2.0".
Here's my application.yml:
spring:
application:
name: app-name
security:
oauth2:
client:
registration:
azure:
client-id: my-client-id
client-secret: my-client-secret
...
azure:
activedirectory:
tenant-id: our-tenant-id
active-directory-groups: group1, group2, admin
...
How can I configure AAD in my app to generate ver 2.0 tokens?
If somebody tells me that this is a different issue, I'll create a new issue.
@berndgoetz if you are having this issue you are already generating v2.0 tokens, the springboot implementation verifies the tokens using the adal for java library that validates v1.0 tokens and checks the issuer whitout incluind the "https://login.microsoftonline.com" issuer. You can do your own implementation using msal for java to validate v2.0 tokens or change the tokens you are sending to v1.0. I have been working in the msal implementation but didn't finished it because of a problem with the obo flow here is a link to my issue: problem with obo flow
Wouldn't it be easier to get the correct issuer from https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
or https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
for v2.0 respectively, instead of hardcoding them?
Hi all, Even I am facing the same issue. any workaround so far. I am generating a token from msal in the web app and trying to authenticate it in Java(web api) using this lib "azure-active-directory-spring-boot-starter" . the problem is the token generated in msal having "https://login.microsoftonline.com" as issuer but the principal class checks for "https://sts.windows.net"
now the issuer(https://login.microsoftonline.com) has been added to the verifier. And the change has been merged to the master. You can try it by using the latest SNAPSHOT or 2.1.7 dependency.
I am facing the same issuer problem. I downloaded 2.1.7 version
But the code within 2.1.7 does not reflect "https://login.microsoftonline.com"
I can see the fix is available at https://github.com/microsoft/azure-spring-boot/blob/master/azure-spring-boot/src/main/java/com/microsoft/azure/spring/autoconfigure/aad/UserPrincipalManager.java
But the 2.1.7 jars downloaded by maven still contains the old code.
To double check I downloaded source code from https://github.com/microsoft/azure-spring-boot/releases/tag/2.1.7 and yes it still contains the old version of the code (i.e. the fix to include "https://login.microsoftonline.com" within token verify is missing)
Can you please confirm which version should be downloaded to get the updates?
@sasmitanair Thanks for pointing out this. You're right about the 2.1.7 release, the change's not been released with it. So perhaps you could try it with our daily built snapshot.
JWTClaimsSet checks for issuer that is not equal to my token, how can I override this or resolve with configuration.
Environment
Spring boot starter:
OS Type: Windows/Linux/MacOS
Java version:
Summary
Issuer from azure ad is https://login.microsoftonline.com/uuid/v2.0 Code throws BadJWTException because the issuer doesn't contain "https://sts.windows.net/" or "https://sts.chinacloudapi.cn/".
Reproduce steps
Add spring boot starter to my zuul project, then configured aad app, added properties and security config below.
`@Configuration @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter {
} `
Expected Results
Validate token from issuer https://login.microsoftonline.com/uuid/v2.0
Actual Results
BadJWTException("Invalid token issuer")
`
`