Skip to content
This repository has been archived by the owner on Jun 15, 2021. It is now read-only.

Sample repository demonstrating how to integrate Spring Security's OAuth2/OpenID Connect login with Azure AD

License

Notifications You must be signed in to change notification settings

stewartadam/azuread-springsecurity5-oauth2-kickstart

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AzureAD, Spring Security 5, and OAuth 2 Login Kickstart

A minimal Spring Boot 2.0 project demonstrating how to integrate Azure AD with the new Spring Security 5 + OAuth 2 login features.

Why?

Because Spring Security recently moved some of the functionality from the previously recommended spring-security-oauth package into core, and will replace it entirely over time. See this compatibility matrix for details. Many examples on the web are no longer compatible with Spring Boot 2.0 / Spring Security 5.0 after this breaking change.

How does it work?

  1. Edit src/main/resources/application.yaml and plug in your Azure AD application's client ID and secret. The app needs to be registered in Azure AD with at least the "Sign-in and read user profile" permission (i.e. User.Read scope) against Microsoft Graph (not the default Windows Azure AD Graph API that is added for new apps).
  2. Run mvn spring-boot:run to start the local webserver.
  3. Open one of the endpoints below in your browser of choice

Available Endpoints

  1. http://localhost:8080/hello/foo: echoes foo back at you (for your choice of foo)
  2. http://localhost:8080/oauth2/authorization/microsoft: attempts to login the user using the OAuth2 code grant against AAD, followed by a Graph call to obtain user information
  3. http://localhost:8080/claims: Displays info on the currently logged in user

Note that because no homepage is configured, after login you'll get a 404 error when hitting http://localhost:8080. This is expected; hit the /claims endpoint to verify that your session has the claims stored.

References:

I found these resources helpful while troubleshooting:

A lesson learned: searching specifically for Spring Security 5's OAuth2 implementation is near impossible since you always end up getting results for the older "Spring Security OAuth" 2.x implementation, even if you put a time restriction on results such as "within last year".

Based on lots of trial and error, I would caution that you are not reading about the new Spring Security 5's OAuth2 implementation if you see:

  1. @EnableOAuth2Sso in the code sample
  2. The properties/YAML configuration start directly with security (instead of spring followed by security, which indicates for Spring Security 5)
  3. The properties/YAML configuration in camelCase (new config in Spring Security 5 is snake-case)
  4. A dependency on the spring-security-oauth2 package in pom.xml (but spring-security-oauth2-client or spring-security-oauth2-jose would be OK for Spring Security 5)

Disclaimer: I am not a Spring framework expert, this is my best guess from limited experience with it

Known issues

Java 8 (and possibly later) default to an invalid Accept header value of text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 which upsets many API endpoints, including Microsoft Graph (besides the point that a REST endpoint is not going to be able to spit back user info in HTML/GIF/JPEG format to Java).

As a result, two classes from Spring needed to be customized (e.g. copied and lightly modified) in order to ensure the appropriate Accept header was used. You will find these two classes in the replacements sub-package.

About

Sample repository demonstrating how to integrate Spring Security's OAuth2/OpenID Connect login with Azure AD

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages