microsoft / azure-spring-boot

Spring Boot Starters for Azure services
MIT License

Client Credentials grant flow fails when specifying a tenant #937

Closed QuickNS closed 4 years ago

QuickNS commented 4 years ago

Creating a Java Spring Boot Rest API that uses the client credentials grant flow. I'm using Spring Boot version 2.3.3 and azure active directory spring boot starter (2.3.5). I created an Azure AD tenant and registered the app as expected, exposing a couple of app roles in the app manifest.

I have everything working in a ASP.NET Core application so I don't think it's an issue with the app registration. I can successfully generate access tokens to access the API and validate them. I can't seem to make this work on my Spring Boot app.

I'm using the AADAppRoleStatelessAuthenticationFilter:

```java
package example.auth.security;

import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on controller methods
public class AADWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Filter provided by the starter: validates the bearer token and maps app roles to authorities
    @Autowired
    private AADAppRoleStatelessAuthenticationFilter aadAuthFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless bearer-token API, so no CSRF protection is needed
        http.csrf().disable();

        // Never create an HTTP session; each request carries its own token
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

        // No URL-level restrictions; authorization is enforced per method via @PreAuthorize
        http.authorizeRequests()
            .anyRequest().permitAll();

        // Run the AAD filter early so the SecurityContext is populated before authorization checks
        http.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

My application.properties file looks like this (with the actual values filled in):

```properties
azure.activedirectory.session-stateless=true
azure.activedirectory.client-id=
azure.activedirectory.appIdUri=
azure.activedirectory.tenant-id=
```

When I run the application I get an error:

```
Caused by: java.lang.IllegalStateException: Client id must not be empty.
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.validateRegistration(OAuth2ClientProperties.java:65) ~[spring-boot-autoconfigure-2.3.3.RELEASE.jar:2.3.3.RELEASE]
```

If I remove the tenant-id setting from my properties file, the app runs correctly, only it fails to validate the token because it's not pointing at the right tenant.

Probably missing something here, but I've been trying for hours to set this configuration and a combination of versions of Spring Boot and the starter kits to work, with no success.

QuickNS commented 4 years ago

Modified pom file to reference latest starter version and the problem is no longer reproducible.

```xml
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>azure-spring-boot-starter-active-directory</artifactId>
    <version>3.0.0-alpha.20201026.0</version>
</dependency>
```