microsoft / azure-spring-boot

Spring Boot Starters for Azure services
MIT License

Is there any way to easily activate/de-activate the active-directory authentication #927

Closed prabdeb closed 4 years ago

prabdeb commented 4 years ago

Environment

Summary

Currently I am using https://github.com/microsoft/azure-spring-boot/tree/master/azure-spring-boot-starters/azure-active-directory-spring-boot-starter for implementing AAD authentication.

I am looking for a way where I can easily activate/de-activate the active-directory authentication. Is it possible? If possible, which document/steps need to be followed?

Expected Results

Easily activate/de-activate the active-directory authentication in application with some property. So that the application can be deployed in different ways.

Actual Results

Once AAD authentication is implemented, it is not possible to de-activate without reverting back the implementation.

saragluna commented 4 years ago

Thanks for reaching out. Which kind of authentication are you talking about? Is it the OAuth2.0 authorization code flow or implicit flow?

prabdeb commented 4 years ago

@saragluna Thanks for looking into it, I am using the OAuth2.0 authorization code flow.

saragluna commented 4 years ago

Are Spring profiles suitable for your case? You could put the AAD-related properties in a file like application-dev.properties and pass -Dspring.profiles.active=dev to your application to activate this profile, which will activate the AAD authentication.

prabdeb commented 4 years ago

Yes @saragluna, I can have a property file specific to the environment. But what properties and values should I use so that the same application will work without authentication?

saragluna commented 4 years ago

I am thinking of using two properties files, such as application-dev.properties and application-prod.properties, with one containing the AAD-related properties and one not. When you run the application, pass the profile -Dspring.profiles.active=dev|prod to the application.

prabdeb commented 4 years ago

@saragluna I have already tried that, but got an error. Please find the details below:

Sample application.properties used, where no aad properties are mentioned

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration
spring.application.name=<Application Name>

ERROR while starting the application using the above property file -

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
05:54:21.921 [main] ERROR org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter - 

***************************
APPLICATION FAILED TO START
***************************

Description:

Field aadAuthFilter in com.application.conf.AADWebSecurityConfig required a bean of type 'com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter' that could not be found.

The injection point has the following annotations:
        - @org.springframework.beans.factory.annotation.Autowired(required=true)

The following candidates were found but could not be injected:
        - Bean method 'azureADStatelessAuthFilter' in 'AADAuthenticationFilterAutoConfiguration' not loaded because @ConditionalOnProperty (azure.activedirectory.client-id) did not find property 'client-id'

Action:

Consider revisiting the entries above or defining a bean of type 'com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter' in your configuration.

Are there any properties that need to be specified in application.properties so that AAD loading will be skipped?

chenrujun commented 4 years ago

Hi, @prabdeb .

Root cause:

If property azure.activedirectory.tenant-id is not configured, then we will not have bean authorizedClientService and oidcUserService.

Method to solve this problem:

Add @ConditionalOnProperty(prefix = "azure.activedirectory", value = "tenant-id") in some place like this demo PR.

prabdeb commented 4 years ago

Hello @chenrujun ,

I am able to start the application without any error after following the mentioned PR. However, the application was always redirecting to /login, and I had to use an extra property - spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration - to disable the authentication completely.

Is it the right way to disable it? If yes, can we get the extra property updated somewhere in the documentation along with the link to the PR? So that it will be useful in future.

chenrujun commented 4 years ago

Hi, @prabdeb .

I added NoLoginSecurityConfig in the demo PR to illustrate how to disable login. Please check. 🙏

And the PR will be merged. Thank you very much for your suggestion. 👍
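The toggle discussed in this thread, sketched as an added example that is not taken from the demo PR or from the azure-spring-boot project: the AAD configuration is guarded by the `@ConditionalOnProperty` suggested above, and a fallback configuration takes over when `azure.activedirectory.tenant-id` is absent, so Spring Boot's default `/login` redirect does not apply. The class names `AADWebSecurityConfig` and `NoLoginSecurityConfig` are borrowed from the thread, but their bodies, the `AadNotConfigured` condition and the outer `SecurityToggleExample` class are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.NoneNestedConditions;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

// Hypothetical holder class; in a real project each nested class would be its own file.
public class SecurityToggleExample {

    // Loaded only when azure.activedirectory.tenant-id is set, so oidcUserService exists.
    @Configuration
    @ConditionalOnProperty(prefix = "azure.activedirectory", value = "tenant-id")
    static class AADWebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().oauth2Login().userInfoEndpoint().oidcUserService(oidcUserService);
        }
    }

    // Hypothetical condition: matches only when the nested condition does NOT match,
    // i.e. when azure.activedirectory.tenant-id is missing.
    static class AadNotConfigured extends NoneNestedConditions {
        AadNotConfigured() { super(ConfigurationPhase.PARSE_CONFIGURATION); }

        @ConditionalOnProperty(prefix = "azure.activedirectory", value = "tenant-id")
        static class TenantIdSet { }
    }

    // Fallback when AAD is not configured: any WebSecurityConfigurerAdapter bean makes
    // Spring Boot's default form-login configuration back off.
    @Configuration
    @Conditional(AadNotConfigured.class)
    static class NoLoginSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().permitAll();
        }
    }
}
```

With this layout the fallback is fail-open: a deployment that omits `azure.activedirectory.tenant-id` starts with every request permitted, so the property's presence in production configuration is worth checking before rollout.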

prabdeb commented 4 years ago

Thanks a lot for considering my request @chenrujun !