Closed beowulf79 closed 3 years ago
Sorry for the late response because of the Chinese New Year Public Holiday. Your proposal is reasonable, SDK only validates the prefix of the "iss" claim and doesn't validate the tenant id. But according to our backlogs, we don't have enough resources to do it right now. There is a workaround that you can override UserPrincipalManager to implement your own validation logic. By the way, the logic will be very easy to implement in class UserPrincipalManager, so PR is welcome. Thanks.
Is there any update on this request? I would like this capability plus the ability to support multiple audiences. This would be very easy if the DefaultJWTClaimsVerifier was an injectable bean.
Per the comment above, I don't see how overriding UserPrincipalManager is easy. If you give me a little more direction, I will definitely try.
I would appreciate any information you can provide.
@echurchm, sorry for the late response. We are evaluating implementing this kind of issuer check in the UserPrincipalManager, but it will take a while. In the meantime, PR is welcome.
Closing this issue because it has not been active for a long time. If anyone has a similar issue, please create an issue in the new repo: https://github.com/Azure/azure-sdk-for-java/issues
Environment
Spring boot starter:
OS Type: Linux
Java version:
Summary
I'm using the azure spring boot package for validating the Bearer Token on the back-end, using the client credentials flow for a system-to-system (stateless) scenario; it works fine except for the issuer claim validation: the library accepts any token issued by either the v1 or v2 endpoints but does not allow restricting the 'iss' claim to a specific tenant. So my backend application would accept a valid token from 'any' Azure tenant, which is not the desired behaviour.
Reproduce steps
You need at least two tenants to test; get a token for each tenant and send a request to a back-end protected application
Expected Results
I'm expecting that the library accepts only tokens issued by my tenant.
Actual Results
Access to the back-end REST endpoint is allowed for both tokens.
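The tenant-bound issuer check that the maintainer suggests implementing in a custom UserPrincipalManager, written here as a stand-alone added example (not code from the azure-spring-boot project). It assumes the Azure AD v1 (`https://sts.windows.net/{tenant}/`) and v2 (`https://login.microsoftonline.com/{tenant}/v2.0`) issuer shapes, runs on already signature-verified claims, and adds the multiple-audience check requested above; tenant ids and audiences are constructed sample values.

```python
import re

# Constructed sample tenant id; a real deployment substitutes its own tenant GUID.
OWN_TENANT = "11111111-1111-1111-1111-111111111111"
ALLOWED_AUDIENCES = {"api://my-backend", "00000000-0000-0000-0000-00000000abcd"}

# Full-match on both issuer shapes: a prefix-only check (what the issue reports)
# would accept any tenant under the same host, this does not.
_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
ISSUER_RE = re.compile(
    r"^https://(?:sts\.windows\.net/(?P<v1>" + _GUID + r")/"
    r"|login\.microsoftonline\.com/(?P<v2>" + _GUID + r")/v2\.0)$"
)


class TokenRejected(Exception):
    """Raised with a reason suitable for a rejection log line."""


def tenant_from_issuer(iss):
    """Tenant id embedded in a v1 or v2 Azure AD issuer, or None if 'iss' has any other shape."""
    m = ISSUER_RE.match(iss or "")
    return (m.group("v1") or m.group("v2")).lower() if m else None


def verify_claims(claims, allowed_tenant=OWN_TENANT, allowed_audiences=ALLOWED_AUDIENCES):
    """Claim checks to run AFTER signature verification; returns the accepted tenant id."""
    tenant = tenant_from_issuer(claims.get("iss"))
    if tenant is None:
        raise TokenRejected("iss is not an Azure AD v1/v2 issuer: %r" % claims.get("iss"))
    if tenant != allowed_tenant.lower():
        raise TokenRejected("token issued by foreign tenant %s" % tenant)
    # If the token carries 'tid', it must agree with the issuer it claims to come from.
    if "tid" in claims and str(claims["tid"]).lower() != tenant:
        raise TokenRejected("tid claim does not match issuer tenant")
    aud = claims.get("aud")
    aud_values = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud_values & set(allowed_audiences):
        raise TokenRejected("none of aud=%s is an accepted audience" % sorted(aud_values))
    return tenant


def is_accepted(claims, allowed_tenant=OWN_TENANT, allowed_audiences=ALLOWED_AUDIENCES):
    """Boolean wrapper for callers that only need an allow/deny decision."""
    try:
        verify_claims(claims, allowed_tenant, allowed_audiences)
        return True
    except TokenRejected:
        return False
```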