Microsoft's official documentation is confusing, and library updates aren't keeping up, which makes it difficult to sign in with an Azure AD account [^1] from the latest Spring Boot. Here is a summary of the current situation and what it takes to implement sign-in right now.
- Spring Boot Starter for Azure AD cannot be started as it is
- Microsoft's documents are also old, as updates generally aren't keeping up
- For authentication only, Spring Security's OAuth2 support alone is enough
- There are almost no Japanese materials
- If you want to access individual functions through Microsoft Graph after authentication, use the Microsoft Graph SDK for Java [^2]
I think the first thing you will hit is this library [^3]. It is a project led by Microsoft. Since it builds on the OAuth2 client functions of Spring Boot / Spring Security, there are fewer settings to write and less to implement than with other options. Documents about the integration between Azure AD and Spring are scattered across Microsoft's site, but at the moment the [GitHub documentation](https://github.com/Azure/azure-sdk-for-java/tree/407b4e0bffbb75b461c0512e669a6d43376fa7ab/sdk/spring/azure-spring-boot-starter-active-directory) should be the most up-to-date description. The main scenario covered in this article is the [Backend Authentication Flow](https://github.com/Azure/azure-sdk-for-java/tree/407b4e0bffbb75b461c0512e669a6d43376fa7ab/sdk/spring/azure-spring-boot-starter-active-directory#authorization-code-mode-usage).
We will proceed based on this document, but **at the time of writing it does not work with the settings given in the ReadMe. It was corrected after the report, but the fix has not yet been released to Maven.**
I also found the reason, which had already been reported on GitHub: through the dependency management of Spring Boot 2.3.5, the version of nimbus-jose-jwt that AAD-Starter depends on was upgraded, and the application can no longer start. This happens because, since nimbus-jose-jwt 8.10, the constructor of DefaultJWKSetCache takes an additional argument that specifies the refresh interval. First of all, we deal with this.
Fortunately, the cause of this bug is a bean definition in the starter's AutoConfiguration, so it is possible to **resolve it at runtime**. (The source code for this issue was fixed while this article was being written.) Downgrading nimbus-jose-jwt is not a good option, so I will patch around it and use it as is. To use AAD-Starter you basically extend WebSecurityConfigurerAdapter and write your Config there, so that is where the old bean definition gets overridden.
AADOAuth2LoginConfig.java
```java
/* Comments added to the ReadMe sample */
import java.util.concurrent.TimeUnit;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

// Package of the starter's properties class in the 3.x line (2.x used com.microsoft.azure.spring.autoconfigure.aad)
import com.azure.spring.autoconfigure.aad.AADAuthenticationProperties;
import com.nimbusds.jose.jwk.source.DefaultJWKSetCache;
import com.nimbusds.jose.jwk.source.JWKSetCache;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AADOAuth2LoginConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    // Inject the starter's configuration properties (azure.activedirectory.*)
    @Autowired
    private AADAuthenticationProperties aadAuthProps;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .oidcUserService(oidcUserService);
    }

    // Bean definition that overrides the problematic one in the starter's AutoConfiguration
    @Bean
    public JWKSetCache getJWKSetCache() {
        long lifespan = aadAuthProps.getJwkSetCacheLifespan();
        // Same value for lifespan and refresh interval: reproduces the pre-8.10 behaviour (see the caveat below)
        return new DefaultJWKSetCache(lifespan, lifespan, TimeUnit.MILLISECONDS);
    }
}
```
This bean definition reproduces the behaviour from before the version upgrade, but it has a problem: because the cache lifespan and the refresh interval are the same, you may get sporadic errors at run time [^4]. To fix this, the second argument of DefaultJWKSetCache must be smaller than the first, so you need to define your own property or hard-code the value. The no-argument constructor appears to use a lifespan of 15 minutes and a refresh interval of 5 minutes, so if those values are acceptable for you, you can simply use the no-argument constructor instead.
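As an added example (not code from the article or from the Azure starter), here is the corrected form of that bean: the refresh interval is read from its own property and validated to be shorter than the lifespan before the cache is built, and the defaults match the 15-minute / 5-minute values of the no-argument constructor. `azure.activedirectory.jwk-set-cache-lifespan` is the starter's property backing `getJwkSetCacheLifespan()`; `app.jwk-set-cache-refresh` is a hypothetical property name chosen for this example. The bean method keeps the name `getJWKSetCache` used above so it replaces the starter's definition the same way.

```java
import java.util.concurrent.TimeUnit;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.nimbusds.jose.jwk.source.DefaultJWKSetCache;
import com.nimbusds.jose.jwk.source.JWKSetCache;

/**
 * Added example: JWKSetCache bean with separate, validated lifespan and refresh values.
 * "azure.activedirectory.jwk-set-cache-lifespan" is the starter's own property;
 * "app.jwk-set-cache-refresh" is a hypothetical name introduced for this example.
 * Defaults equal the no-argument DefaultJWKSetCache constructor (15 min / 5 min).
 */
@Configuration
public class JwkSetCacheConfig {

    /** How long a downloaded JWK set stays valid, in milliseconds. */
    @Value("${azure.activedirectory.jwk-set-cache-lifespan:900000}")
    private long lifespanMillis;

    /** Age after which the cache re-downloads the JWK set while the old one is still valid, in milliseconds. */
    @Value("${app.jwk-set-cache-refresh:300000}")
    private long refreshMillis;

    @Bean
    public JWKSetCache getJWKSetCache() {
        return buildJwkSetCache(lifespanMillis, refreshMillis);
    }

    /**
     * Builds the cache, rejecting a refresh interval that is not shorter than the lifespan.
     * (Positive values only; the special value -1 that nimbus accepts for "never" is not supported here.)
     */
    static JWKSetCache buildJwkSetCache(long lifespanMillis, long refreshMillis) {
        if (lifespanMillis <= 0 || refreshMillis <= 0) {
            throw new IllegalArgumentException("JWK set cache lifespan and refresh interval must be positive");
        }
        if (refreshMillis >= lifespanMillis) {
            throw new IllegalArgumentException(
                "JWK set refresh interval (" + refreshMillis + " ms) must be shorter than the lifespan ("
                    + lifespanMillis + " ms); otherwise the keys expire before they are refreshed");
        }
        // nimbus-jose-jwt >= 8.10 signature: (lifespan, refreshTime, unit)
        return new DefaultJWKSetCache(lifespanMillis, refreshMillis, TimeUnit.MILLISECONDS);
    }
}
```

Failing fast at startup is deliberate: a misconfigured pair of values would otherwise only show up as the intermittent signature-validation errors described above, which are much harder to trace back to the cache settings.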
This basically works fine with the settings as documented.
It's important to note that the redirect URL must be the Spring Security default `{baseUrl}/login/oauth2/code/azure`.
I feel like it could be changed through the Spring Security properties, but I didn't succeed. [^5]
Another important point is **the API permissions granted to the app**. This is a real trap: the setup in the document **requires Azure AD Graph permissions**, not Microsoft Graph permissions.
In the current Azure portal, Azure AD Graph is listed at the bottom, and if you grant the more prominent Microsoft Graph permissions instead, you will keep hitting AADSTS90008 no matter what you try. I made this mistake, and it took me a while to notice (because I suspected a bug in the code...). After noticing it, I was able to control permissions using departments and security groups without trouble.
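To show what that group-based control looks like on the Spring side, here is an added example controller (not from the article or the starter's samples). It assumes the starter has mapped the user's allowed Azure AD security groups to authorities of the form `ROLE_<group name>`, as the starter's ReadMe sample does, and that a group named `group1` is listed in the starter's allowed-groups property (whose exact name depends on the starter version); `group1` and both endpoint paths are assumptions for this example. Method security works because the config above enables `@EnableGlobalMethodSecurity(prePostEnabled = true)`.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Added example: endpoints guarded by Azure AD security-group membership.
 * Assumes the starter maps allowed groups to "ROLE_<group>" authorities and that
 * "group1" (hypothetical) is in the starter's allowed-groups property.
 */
@RestController
public class GroupRestrictedController {

    /** Any signed-in user: useful for checking which groups were actually mapped to authorities. */
    @GetMapping("/me")
    public Map<String, Object> me(@AuthenticationPrincipal OidcUser user) {
        Map<String, Object> view = new LinkedHashMap<>();
        view.put("name", user.getName());
        view.put("preferredUsername", user.getPreferredUsername());
        view.put("authorities", authorityNames(user));
        return view;
    }

    /** Only members of the "group1" security group; everyone else gets 403 from the method-security interceptor. */
    @PreAuthorize("hasRole('ROLE_group1')")
    @GetMapping("/group1-only")
    public String group1Only(@AuthenticationPrincipal OidcUser user) {
        return "Hello " + user.getName() + ", you are a member of group1";
    }

    /** Extracts the authority strings so a missing ROLE_ mapping is visible immediately. */
    static List<String> authorityNames(OidcUser user) {
        return user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
    }
}
```

If `/me` shows no `ROLE_` authorities for a user who is in the group, the cause is usually on the Azure side (the group is not in the allowed-groups property, or the app lacks the Azure AD Graph permission discussed above), not in the Spring configuration.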
I've exhausted my efforts to avoid and fix problems in the library, so I'll put it on hold ...
By working around this library's problems and investigating the access permissions, I came to understand well how OAuth2 authentication in Spring Security cooperates with Azure AD (the Microsoft identity platform). The Azure AD Spring Boot Starter client library for Java seems to be getting a significant update in its next version, but at the moment it still has a lot of problems.
If you find any problems while investigating the library, you may want to report them.
[^1]: The range I touched on is limited to Azure AD single tenants only.
[^2]: However, since the access point of this SDK is an old version (v1.0), you need to use the beta when using v2.0.
[^3]: Abbreviated as AAD-Starter below.
[^4]: The fix for nimbus-jose-jwt also seems to be due to this, and it was shared on GitHub that this fix is ad hoc.
[^5]: There is a possibility of insufficient understanding and verification.
- Azure AD Spring Boot Starter client library for Java [^10]
- OAuth 2.0 Sample for Azure AD Spring Boot Starter client library for Java
- A Java web application using Spring security which signs in users with the Microsoft identity platform
- Microsoft ID Platform (Azure AD) Java Web App (WAR file) - Settings -
- 【spring-projects/spring-security】OAuth 2.0 Migration Guide
- Spring Security Reference 12.1. OAuth 2.0 Login

[^10]: Probably the newest Starter docs.