Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
af02331
User Oauth2 WebClient instead of msal to get groups from graph.
rujche Nov 12, 2020
468cfc5
Rename GraphMsalClient to GraphOboClient.
rujche Nov 12, 2020
82a3463
Fix error reported by pom_file_version_scanner.ps1.
rujche Nov 12, 2020
5392d5e
No logic change, just rename configuration item name and scope name.
rujche Nov 12, 2020
532f996
Delete AzureActiveDirectoryAutoConfiguration in AADAuthenticationAuto…
rujche Nov 13, 2020
f8ee6a8
Remove duplicated test: userPrincipalIsSerializable().
rujche Nov 13, 2020
9a518a0
Move createWebClientForTest to new file.
rujche Nov 13, 2020
785a9e2
Add test for GraphOboClient.
rujche Nov 13, 2020
36e217d
Delete unused file.
rujche Nov 13, 2020
713e5b5
Sort out test constant related code.
rujche Nov 13, 2020
9f6a219
No logic change, just make code look better.
rujche Nov 13, 2020
7ea9cbd
Removed unused import.
rujche Nov 13, 2020
4e5de2e
Fix error: Files.readString(...) not supported in Java8.
rujche Nov 13, 2020
de0734e
No logic change, just change the bean definition's order.
rujche Nov 13, 2020
3a2a910
Add @ConditionalOnMissingBean on webClient and graphWebClient.
rujche Nov 13, 2020
41e44e5
Change all aad related code's package to com.azure.spring.autoconfigu…
rujche Nov 13, 2020
a7c4444
Add Java doc.
rujche Nov 13, 2020
936e59e
Delete unused code.
rujche Nov 13, 2020
95c25d0
Merge branch 'master' into User-Oauth2-WebClient-instead-of-msal-to-g…
rujche Nov 13, 2020
9259ea1
Make new added dependencies 'optional': spring-boot-starter-webflux a…
rujche Nov 13, 2020
63e21d9
Delete configuration item: 'azure.activedirectory.authorization-serve…
rujche Nov 13, 2020
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions eng/versioning/external_dependencies.txt
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,7 @@ org.springframework.boot:spring-boot-starter-logging;2.3.5.RELEASE
org.springframework.boot:spring-boot-starter-test;2.3.5.RELEASE
org.springframework.boot:spring-boot-starter-validation;2.3.5.RELEASE
org.springframework.boot:spring-boot-starter-web;2.3.5.RELEASE
org.springframework.boot:spring-boot-starter-webflux;2.3.5.RELEASE
org.springframework.boot:spring-boot-starter;2.3.5.RELEASE
org.springframework.boot:spring-boot;2.3.5.RELEASE
org.springframework.data:spring-data-commons;2.3.5.RELEASE
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,7 @@

package com.azure.spring.sample.aad.security;

import com.azure.spring.autoconfigure.aad.AADAuthenticationFailureHandler;
import com.azure.spring.autoconfigure.aad.AADOAuth2AuthorizationRequestResolver;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
Expand All @@ -31,16 +29,15 @@ protected void configure(HttpSecurity http) throws Exception {
final ClientRegistrationRepository clientRegistrationRepository =
applicationContext.getBean(ClientRegistrationRepository.class);
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService)
.and()
.authorizationEndpoint()
.authorizationRequestResolver(
new AADOAuth2AuthorizationRequestResolver(clientRegistrationRepository))
.and()
.failureHandler(new AADAuthenticationFailureHandler());
.anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService)
.and()
.authorizationEndpoint()
.authorizationRequestResolver(
new AADOAuth2AuthorizationRequestResolver(clientRegistrationRepository)
);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

## 3.0.0-beta.1 (Unreleased)
### Breaking Changes
- Conditional access policy is not supported temporary, we may recover it in the future.
- Configuration items like `spring.security.oauth2.client.xxx` is not supported anymore. Please use the following configuration items instead:
```
azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
Expand Down
33 changes: 0 additions & 33 deletions sdk/spring/azure-spring-boot-starter-active-directory/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,39 +204,6 @@ azure.activedirectory.environment=cn-v2-graph
Please refer to [azure-spring-boot-sample-active-directory-backend-v2](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend-v2/README.md) to see a sample configured to use the Microsoft Graph API.


### AAD Conditional Access Policy
Now azure-active-directory-spring-boot-starter has supported AAD conditional access policy, if you are using this policy, you need add **AADOAuth2AuthorizationRequestResolver** and **AADAuthenticationFailureHandler** to your WebSecurityConfigurerAdapter.
<!-- embedme ../azure-spring-boot/src/samples/java/com/azure/spring/aad/AADOAuth2LoginConditionalPolicyConfigSample.java#L26-L53 -->
```java
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AADOAuth2LoginConditionalPolicyConfigSample extends WebSecurityConfigurerAdapter {

@Autowired
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

@Autowired
ApplicationContext applicationContext;

@Override
protected void configure(HttpSecurity http) throws Exception {
final ClientRegistrationRepository clientRegistrationRepository =
applicationContext.getBean(ClientRegistrationRepository.class);

http.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService)
.and()
.authorizationEndpoint()
.authorizationRequestResolver(new AADOAuth2AuthorizationRequestResolver(clientRegistrationRepository))
.and()
.failureHandler(new AADAuthenticationFailureHandler());
}
}
```
### Customize scopes in authorize requests

By default, `azure-spring-boot-starter-active-directory` configures scopes of `openid`, `profile` and `https://graph.microsoft.com/user.read` to implement OpenID Connect protocol and access of Microsoft Graph API. For customization of scope, developers need to configure in the `application.properties`:
Expand Down
16 changes: 14 additions & 2 deletions sdk/spring/azure-spring-boot-starter-active-directory/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,11 @@
<artifactId>spring-boot-starter-validation</artifactId>
<version>2.3.5.RELEASE</version> <!-- {x-version-update;org.springframework.boot:spring-boot-starter-validation;external_dependency} -->
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
<version>2.3.5.RELEASE</version> <!-- {x-version-update;org.springframework.boot:spring-boot-starter-webflux;external_dependency} -->
</dependency>
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot</artifactId>
Expand Down Expand Up @@ -70,6 +75,11 @@
<artifactId>jackson-databind</artifactId>
<version>2.11.3</version> <!-- {x-version-update;com.fasterxml.jackson.core:jackson-databind;external_dependency} -->
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty</artifactId>
<version>0.9.13.RELEASE</version> <!-- {x-version-update;io.projectreactor.netty:reactor-netty;external_dependency} -->
</dependency>
</dependencies>

<build>
Expand All @@ -85,12 +95,14 @@
<include>com.fasterxml.jackson.core:jackson-databind:[2.11.3]</include> <!-- {x-include-update;com.fasterxml.jackson.core:jackson-databind;external_dependency} -->
<include>com.microsoft.azure:msal4j:[1.8.0]</include> <!-- {x-include-update;com.microsoft.azure:msal4j;external_dependency} -->
<include>com.nimbusds:nimbus-jose-jwt:[8.19]</include> <!-- {x-include-update;com.nimbusds:nimbus-jose-jwt;external_dependency} -->
<include>org.springframework:spring-web:[5.2.10.RELEASE]</include> <!-- {x-include-update;org.springframework:spring-web;external_dependency} -->
<include>org.springframework.boot:spring-boot-starter:[2.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.boot:spring-boot-starter;external_dependency} -->
<include>io.projectreactor.netty:reactor-netty:[0.9.13.RELEASE]</include> <!-- {x-include-update;io.projectreactor.netty:reactor-netty;external_dependency} -->
<include>org.springframework.boot:spring-boot-starter-validation:[2.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.boot:spring-boot-starter-validation;external_dependency} -->
<include>org.springframework.boot:spring-boot-starter-webflux:[2.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.boot:spring-boot-starter-webflux;external_dependency} -->
<include>org.springframework.boot:spring-boot-starter:[2.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.boot:spring-boot-starter;external_dependency} -->
<include>org.springframework.security:spring-security-config:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-config;external_dependency} -->
<include>org.springframework.security:spring-security-core:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-core;external_dependency} -->
<include>org.springframework.security:spring-security-web:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-web;external_dependency} -->
<include>org.springframework:spring-web:[5.2.10.RELEASE]</include> <!-- {x-include-update;org.springframework:spring-web;external_dependency} -->
</includes>
</bannedDependencies>
</rules>
Expand Down
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
package com.azure.test.aad.auth;

import com.azure.spring.aad.implementation.AzureClientRegistrationRepository;
import com.azure.spring.aad.implementation.DefaultClient;
import com.azure.spring.aad.implementation.IdentityEndpoints;
import com.azure.spring.autoconfigure.aad.AuthorizationServerEndpoints;
import com.azure.spring.autoconfigure.aad.AzureClientRegistrationRepository;
import com.azure.spring.autoconfigure.aad.DefaultClient;
import com.azure.test.utils.AppRunner;
import org.junit.jupiter.api.Test;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
Expand Down Expand Up @@ -34,17 +34,17 @@ public void clientRegistered() {
assertEquals("fake-client-id", azureClientRegistration.getClientId());
assertEquals("fake-client-secret", azureClientRegistration.getClientSecret());

IdentityEndpoints identityEndpoints = new IdentityEndpoints();
AuthorizationServerEndpoints authorizationServerEndpoints = new AuthorizationServerEndpoints();
assertEquals(
identityEndpoints.authorizationEndpoint("fake-tenant-id"),
authorizationServerEndpoints.authorizationEndpoint("fake-tenant-id"),
azureClientRegistration.getProviderDetails().getAuthorizationUri()
);
assertEquals(
identityEndpoints.tokenEndpoint("fake-tenant-id"),
authorizationServerEndpoints.tokenEndpoint("fake-tenant-id"),
azureClientRegistration.getProviderDetails().getTokenUri()
);
assertEquals(
identityEndpoints.jwkSetEndpoint("fake-tenant-id"),
authorizationServerEndpoints.jwkSetEndpoint("fake-tenant-id"),
azureClientRegistration.getProviderDetails().getJwkSetUri()
);
assertEquals(
Expand All @@ -58,7 +58,10 @@ public void clientRegistered() {
@Test
public void clientRequiresPermissionRegistered() {
try (AppRunner appRunner = createApp()) {
appRunner.property("azure.activedirectory.authorization.graph.scope", "Calendars.Read");
appRunner.property(
"azure.activedirectory.authorization.graph.scope",
"https://graph.microsoft.com/Calendars.Read"
);
appRunner.start();

ClientRegistrationRepository clientRegistrationRepository =
Expand All @@ -67,17 +70,23 @@ public void clientRequiresPermissionRegistered() {
ClientRegistration graphClientRegistration = clientRegistrationRepository.findByRegistrationId("graph");

assertNotNull(azureClientRegistration);
assertDefaultScopes(azureClientRegistration, "openid", "profile", "offline_access", "Calendars.Read");
assertDefaultScopes(
azureClientRegistration,
"openid", "profile", "offline_access", "https://graph.microsoft.com/Calendars.Read"
);

assertNotNull(graphClientRegistration);
assertDefaultScopes(graphClientRegistration, "Calendars.Read");
assertDefaultScopes(graphClientRegistration, "https://graph.microsoft.com/Calendars.Read");
}
}

@Test
public void clientRequiresMultiPermissions() {
try (AppRunner appRunner = createApp()) {
appRunner.property("azure.activedirectory.authorization.graph.scope", "Calendars.Read");
appRunner.property(
"azure.activedirectory.authorization.graph.scope",
"https://graph.microsoft.com/Calendars.Read"
);
appRunner.property(
"azure.activedirectory.authorization.arm.scope",
"https://management.core.windows.net/user_impersonation"
Expand All @@ -95,19 +104,22 @@ public void clientRequiresMultiPermissions() {
"openid",
"profile",
"offline_access",
"Calendars.Read",
"https://graph.microsoft.com/Calendars.Read",
"https://management.core.windows.net/user_impersonation"
);

assertNotNull(graphClientRegistration);
assertDefaultScopes(graphClientRegistration, "Calendars.Read");
assertDefaultScopes(graphClientRegistration, "https://graph.microsoft.com/Calendars.Read");
}
}

@Test
public void clientRequiresPermissionInDefaultClient() {
try (AppRunner appRunner = createApp()) {
appRunner.property("azure.activedirectory.authorization.azure.scope", "Calendars.Read");
appRunner.property(
"azure.activedirectory.authorization.azure.scope",
"https://graph.microsoft.com/Calendars.Read"
);
appRunner.start();

ClientRegistrationRepository clientRegistrationRepository =
Expand All @@ -117,15 +129,18 @@ public void clientRequiresPermissionInDefaultClient() {
assertNotNull(azureClientRegistration);
assertDefaultScopes(
azureClientRegistration,
"openid", "profile", "offline_access", "Calendars.Read"
"openid", "profile", "offline_access", "https://graph.microsoft.com/Calendars.Read"
);
}
}

@Test
public void aadAwareClientRepository() {
try (AppRunner appRunner = createApp()) {
appRunner.property("azure.activedirectory.authorization.graph.scope", "Calendars.Read");
appRunner.property(
"azure.activedirectory.authorization.graph.scope",
"https://graph.microsoft.com/Calendars.Read")
;
appRunner.start();

AzureClientRegistrationRepository azureClientRegistrationRepository =
Expand Down Expand Up @@ -155,40 +170,44 @@ public void aadAwareClientRepository() {
@Test
public void defaultClientWithAuthzScope() {
try (AppRunner appRunner = createApp()) {
appRunner.property("azure.activedirectory.authorization.azure.scope", "Calendars.Read");
appRunner.property(
"azure.activedirectory.authorization.azure.scope",
"https://graph.microsoft.com/Calendars.Read"
);
appRunner.start();

AzureClientRegistrationRepository azureClientRegistrationRepository =
appRunner.getBean(AzureClientRegistrationRepository.class);
assertDefaultScopes(
azureClientRegistrationRepository.defaultClient(),
"openid", "profile", "offline_access", "Calendars.Read"
"openid", "profile", "offline_access", "https://graph.microsoft.com/Calendars.Read"
);
}
}

@Test
public void customizeUri() {
public void customizeEnvironment() {
try (AppRunner appRunner = createApp()) {
appRunner.property("azure.activedirectory.uri", "http://localhost/");
appRunner.property("azure.activedirectory.environment", "cn-v2-graph");
appRunner.start();

AzureClientRegistrationRepository azureClientRegistrationRepository =
appRunner.getBean(AzureClientRegistrationRepository.class);
ClientRegistration azureClientRegistration =
azureClientRegistrationRepository.findByRegistrationId("azure");

IdentityEndpoints endpoints = new IdentityEndpoints("http://localhost/");
AuthorizationServerEndpoints authorizationServerEndpoints =
new AuthorizationServerEndpoints("https://login.partner.microsoftonline.cn");
assertEquals(
endpoints.authorizationEndpoint("fake-tenant-id"),
authorizationServerEndpoints.authorizationEndpoint("fake-tenant-id"),
azureClientRegistration.getProviderDetails().getAuthorizationUri()
);
assertEquals(
endpoints.tokenEndpoint("fake-tenant-id"),
authorizationServerEndpoints.tokenEndpoint("fake-tenant-id"),
azureClientRegistration.getProviderDetails().getTokenUri()
);
assertEquals(
endpoints.jwkSetEndpoint("fake-tenant-id"),
authorizationServerEndpoints.jwkSetEndpoint("fake-tenant-id"),
azureClientRegistration.getProviderDetails().getJwkSetUri()
);
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
package com.azure.test.aad.auth;

import com.azure.spring.aad.implementation.AzureClientRegistrationRepository;
import com.azure.spring.aad.implementation.AzureOAuth2AuthorizedClientRepository;
import com.azure.spring.autoconfigure.aad.AzureClientRegistrationRepository;
import com.azure.spring.autoconfigure.aad.AzureOAuth2AuthorizedClientRepository;
import com.azure.test.utils.AppRunner;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
package com.azure.test.aad.auth;

import com.azure.spring.aad.implementation.AzureClientRegistrationRepository;
import com.azure.spring.aad.implementation.AzureOAuth2AuthorizationCodeGrantRequestEntityConverter;
import com.azure.spring.autoconfigure.aad.AzureClientRegistrationRepository;
import com.azure.spring.autoconfigure.aad.AzureOAuth2AuthorizationCodeGrantRequestEntityConverter;
import com.azure.test.utils.AppRunner;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
Expand Down
1 change: 1 addition & 0 deletions sdk/spring/azure-spring-boot/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

## 3.0.0-beta.1 (Unreleased)
### Breaking Changes
- Conditional access policy is not supported temporary, we may recover it in the future.
- Configuration items like `spring.security.oauth2.client.xxx` is not supported anymore. Please use the following configuration items instead:
```
azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
Expand Down
Loading