JHipster with OpenIDConnect Authentication - spring-boot

Do you have any example OpenID Connect (Microsoft ADFS) configuration for a JHipster-generated application?
The Okta configuration is working fine, but pointing to the Microsoft ADFS config is failing.
My Config:
security:
  basic:
    enabled: false
  oauth2:
    client:
      access-token-uri: https://<domain.com>/adfs/oauth2/token
      user-authorization-uri: https://<domain.com>/adfs/oauth2/authorize
      client-id: sada-sdasd-asds-adas
      client-secret: jhasdsadsasadasdsadsa
      client-authentication-scheme: form
      scope: openid profile email
    resource:
      user-info-uri: https://<domain.com>/adfs/userinfo
      prefer-token-info: false

I am currently working on this also. I get to the login screen but then have some problems when redirecting back to the JHipster app.
The steps you need to have (which I've also done and are working up to ...) are:
Create a new application in the Azure portal as described in the registration steps here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code
In order to get the links you need, you need the tenant ID, which you can get by following these steps: https://techcommunity.microsoft.com/t5/Office-365/How-do-you-find-the-tenant-ID/td-p/89018
You get the authorize, token and userinfo links based on the tenant ID like this: https://login.microsoftonline.com/{your-tenant-id}/.well-known/openid-configuration
Hope it helps!

Related

Spring Boot OAuth2 client Azure Active Directory B2C issuer-uri problem

I set up Spring Boot with the OAuth2 client and here are my properties:
spring:
  security:
    oauth2:
      client:
        registration:
          azuread:
            authorization-grant-type: authorization_code
            client-id: 'client id'
            client-secret: 'secret'
            provider: azuread
            scope: openid
            client-name: demo
            user-flows:
              sign-up-or-sign-in: <policy name>
        provider:
          azuread:
            issuer-uri: https://{clientId}.b2clogin.com/{clientId}.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
When Spring starts up it complains:
"The Issuer provided in the configuration metadata did not match the requested issuer"
I checked the implementation and found that the Azure B2C issuer-uri does not have the policy or user flow in it, but we have to set the policy name in the Spring configuration as a path variable, and after Spring's REST call to https://{clientId}.b2clogin.com/{clientId}.onmicrosoft.com//v2.0/.well-known/openid-configuration, Spring checks the response and compares it with Azure's response, and they are not the same.
expected:
https://{clientId}.b2clogin.com/{clientId}.onmicrosoft.com//v2.0/
result:
https://{clientId}.b2clogin.com/{clientId}.onmicrosoft.com/v2.0/
I tried the Spring Boot OAuth2 reference
and checked the Azure AD B2C doc and the Spring sample, but I don't want to use the Spring Boot Azure AD B2C starter, only the OAuth2 client.
The error you are getting is due to incorrect metadata. The metadata should have the tenantId rather than the clientId.
It should be https://{tenantId}.b2clogin.com/{tenantId}.onmicrosoft.com/{policy-name}/v2.0/.well-known/openid-configuration where tenantId is the name of your Azure Active Directory Tenant.

OAuth2.0 Spring Security

I have a question regarding OAuth 2.0 OpenID and Spring Boot. I am developing a personal project, and I have deployed a Keycloak instance as an Auth server and I am writing code for the resource server. I would like to ask you some questions regarding security. As the Spring Docs say, we need only the issuer-uri of the Auth Server and the Resource Server will use this property to further self-configure, discover the authorization server's public keys, and subsequently validate incoming JWTs. For example, a resource server will have to specify the following:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: <uri>
However, this means that any resource server can use my deployed Auth Server to self-configure just by knowing the issuer-uri. Is there any way to protect the Auth Server from resource server APIs (that are external to my application)?
Thank you in advance!

Spring Security Microsoft Oauth2 Login Errors

I'm attempting to access Microsoft Account OAuth without any Azure AD accounts, but I am receiving an unauthorized_client error before the redirect back to my app.
Here is my yml configuration for Spring Security:
spring:
  security:
    oauth2:
      client:
        registration:
          microsoft:
            client-id: [my app registration client id]
            client-secret: [my app registration secret id]
            scope: profile, openid, https://graph.microsoft.com/User.Read
            client-name: Microsoft
            authorization-grant-type: authorization_code
            provider: microsoft
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          microsoft:
            authorization-uri: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
            key-set-uri: https://login.microsoftonline.com/consumers/discovery/v2.0/keys
            token-uri: https://login.microsoftonline.com/consumers/oauth2/v2.0/token
            user-info-uri: https://graph.microsoft.com/oidc/userinfo
            userNameAttribute: sub
            issuer-uri: https://login.microsoftonline.com/${app.oauth2.tenant-id}/v2.0
app:
  oauth2:
    tenant-id: [my tenant id]
Client and secret IDs match in both the yml and the Azure portal. SSO fails both locally and when deployed. Is there any additional configuration I need to do here in order to get this working, or do default Microsoft clients just not work whatsoever with Java OAuth?
There are actually several "features" in Microsoft's SSO implementation preventing OOTB functionality.
Issue 1: Token contains an extra nonce that violates the JWT specification
Resolution: Create a new scope under Expose an API. This scope can be named anything. Add this scope into your API Permissions section and update your scope property for the client registration to include the new scope.
More information on this issue can be found here: https://xsreality.medium.com/making-azure-ad-oidc-compliant-5734b70c43ff
Issue 2: Invalid scopes
Resolution: Don't include any of the graph api scopes. They currently do not work for Microsoft accounts (as of 2/16/21).
Issue 3: Invalid Issuer
Resolution: Use the issuer that Microsoft is currently exposing under their well-known endpoints API for whichever API you are using.
Consumer: https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration
Common: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
I don't believe common will currently ever work since only consumer endpoints have a tenantId and that is included in the documented issuer string (as of 2/16/21), but the api has been in flux for the consumer endpoints with several different bugs. On 2/15/21, the issuer was hardcoded to "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0" regardless of tenantId and as documented in the above linked article, it was "https://sts.windows.net/407b9272-20f5-421c-a25f-e7a189309c4b/" as of 8/21/19. Currently (2/16/21), the issuer correctly includes the tenantId.
*** Update 2/18/21: despite the well-known endpoint saying the issuer accepts a tenant id, the issuer is still hard-coded to that tenantId I posted above.
Resulting YAML:
spring:
  security:
    oauth2:
      client:
        registration:
          microsoft:
            client-id: [my app registration client id]
            client-secret: [my app registration secret id]
            scope: profile, openid, [my custom scope with the full api prefix]
            client-name: Microsoft
            authorization-grant-type: authorization_code
            provider: microsoft
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          microsoft:
            authorization-uri: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
            key-set-uri: https://login.microsoftonline.com/consumers/discovery/v2.0/keys
            token-uri: https://login.microsoftonline.com/consumers/oauth2/v2.0/token
            user-info-uri: https://graph.microsoft.com/oidc/userinfo
            userNameAttribute: sub
            issuer-uri: https://login.microsoftonline.com/${app.oauth2.tenant-id}/v2.0
app:
  oauth2:
    tenant-id: [my tenant id]
For the value [my custom scope with the full api prefix], make sure to copy the full scope name including the api://[app id].
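The issuer check behind both the B2C error ("did not match the requested issuer") in the thread above and Issue 3 in this thread is the one an OIDC client performs during discovery: derive the discovery URL from the configured issuer-uri, fetch the metadata, and require its issuer to be identical to what was configured. The Python below is an added illustration, not Spring Security's code; the metadata documents and tenant names are constructed, and the only real value is the pinned tenant GUID quoted in the answer.

```python
"""Issuer consistency check performed during OIDC discovery (added example).

The client derives the discovery URL from the configured issuer, fetches the
metadata and requires metadata["issuer"] to equal the configured issuer
exactly (RFC 8414 section 3.3). All metadata below is constructed offline.
"""
import json
from typing import Tuple

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer_uri: str) -> str:
    """Discovery URL derived from a configured issuer-uri."""
    return issuer_uri.rstrip("/") + WELL_KNOWN


def check_issuer(configured_issuer: str, metadata_json: str) -> Tuple[bool, str]:
    """Strict comparison: a trailing slash, a different tenant id or an extra
    path segment (such as a B2C policy name) all count as a mismatch."""
    published = json.loads(metadata_json).get("issuer")
    if published is None:
        return False, "metadata document has no issuer"
    if published == configured_issuer:
        return True, "issuer matches"
    return False, f"metadata issuer {published!r} did not match requested {configured_issuer!r}"


# Constructed B2C metadata: the published issuer has no policy segment and ends
# with a slash, while the configured issuer-uri carries the policy name.
B2C_CONFIGURED = "https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/B2C_1_signin/v2.0"
B2C_METADATA = json.dumps(
    {"issuer": "https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/v2.0/"})

# Constructed "consumers" metadata: the published issuer is pinned to the tenant id
# quoted in the answer, whatever tenant id the client put in its own issuer-uri.
MS_CONFIGURED = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
MS_METADATA = json.dumps(
    {"issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"})

if __name__ == "__main__":
    for name, cfg, meta in (("b2c", B2C_CONFIGURED, B2C_METADATA),
                            ("consumers", MS_CONFIGURED, MS_METADATA)):
        ok, reason = check_issuer(cfg, meta)
        print(f"{name}: GET {discovery_url(cfg)} -> {'OK' if ok else 'FAIL'}: {reason}")
```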

Spring Boot - How to create a standalone authentication MICROSERVICE?

I wrote my first backend spring boot application.
I also created a separate frontend application.
I would like to create a standalone basic authentication microservice.
The authentication technology is currently not relevant. It can use JWT, OAuth2, Okta, whatever.
I emphasize the MICROSERVICE, rather than adding classes to an application's code.
This is because all that I could find on the web and in several books was adding this authentication part as embedded code in a whole Spring Boot application.
I would like to build a separate authentication microservice, such that my other microservices (currently I have only one SP, but there will be more) will be able to use it in order to authenticate the users.
I hope I explained myself right :)
Could you please give me a pointer to the correct implementation, or some updated tutorial which can help me accomplish this task?
UPDATE:
I have found a really great and up to date tutorial:
https://dzone.com/articles/step-by-step-a-simple-spring-boot-microservices-ba
Enjoy!
Thanks!
As you need an authentication service, you could work on validating the token generated by the authentication microservice.
You could:
Return a token from your authentication microservice;
Create a token validation service in your main microservice
The link below shows how to implement the authentication application in a manner that it works like an authentication gateway through JWT:
https://medium.com/#mool.smreeti/microservices-with-spring-boot-authentication-with-jwt-and-spring-security-6e10155d9db0
Alternatively, you could add a 3rd party solution to be linked to Spring Security. For this option, something like the code below in application.yml should work:
spring:
  security:
    oauth2:
      client:
        registration:
          sts:
            provider: sts
            client-id: ${STS_CLIENT_ID}
            client-secret: ${STS_SECRET_ID}
            client-authentication-method: post
            authorization-grant-type: client_credentials
        provider:
          sts:
            token-uri: ${STS_URL}
In my opinion, both ways are valid. It depends on your context and scope.

How to set Redirect URI for Spring Boot App on App Service using Azure AD

I followed the below tutorial to deploy a Spring Boot web application locally that uses Azure AD:
https://dev.to/azure/using-spring-security-with-azure-active-directory-mga
This works well locally, and I have deployed the application to Azure App Service. To redirect correctly for OAuth I am configuring the Redirect URI on App Service; the Azure GUI expects an OAuth Redirect URI that begins with "https://", and Spring Boot expects a redirect URI with the format "http://[domain]:[port]/login/oauth2/code/azure".
Is there a way to configure Spring to expect a URI beginning with "https://"?
I tried updating the below application property, which didn't help. There is a workaround to use Type=Public client/native with an "http" URI. Is there a better solution?
spring.security.oauth2.client.registration.azure.redirect-uri-template={baseUrl}/login/oauth2/code/{registrationId}
In App Service, the front-ends are offloading the SSL. For Tomcat and WildFly images we added a filter that takes care of hydrating the context at the web worker machine.
Unfortunately, in cases when the customer brings their own Web Server such as Spring Boot, they will need to add custom logic like the one from our filters to workaround this.
Another option is to rely on App Service to do the authentication by using the App Service EasyAuth feature: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
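The mismatch the question describes comes from how {baseUrl} in the redirect-uri template is expanded: once the front end terminates TLS, the worker sees a plain-HTTP request and, unless it rebuilds the request context from the forwarding headers (the "hydrating the context" the answer mentions), expands {baseUrl} to http://host:port. The Python below is an added illustration, not App Service or Spring code; the X-Forwarded-* header names, the request values and the absence of a context path are assumptions.

```python
"""Resolution of {baseUrl}/login/oauth2/code/{registrationId} behind a
TLS-terminating front end (added example; not App Service or Spring code).

When the front end offloads TLS the backend sees plain HTTP, so the expanded
redirect URI starts with http:// unless the backend rebuilds the request
context from the X-Forwarded-* headers the front end adds. All request
values below are constructed."""
from typing import Dict

DEFAULT_PORTS = {"http": 80, "https": 443}
TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"


def base_url(headers: Dict[str, str], scheme: str, host: str, port: int,
             honor_forwarded: bool) -> str:
    """Externally visible base URL of a request (no context path assumed).

    X-Forwarded-* must only be honored when the immediate upstream is the
    trusted front end; otherwise any client could pick the redirect host."""
    if honor_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
        port = int(headers.get("X-Forwarded-Port", DEFAULT_PORTS.get(scheme, port)))
    authority = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{authority}"


def redirect_uri(headers: Dict[str, str], scheme: str, host: str, port: int,
                 registration_id: str, honor_forwarded: bool) -> str:
    """Expand the template used by the redirect-uri settings on this page."""
    expanded = base_url(headers, scheme, host, port, honor_forwarded)
    return TEMPLATE.replace("{baseUrl}", expanded).replace("{registrationId}", registration_id)


# Constructed request as the worker sees it: TLS was terminated upstream, the
# app listens on plain HTTP port 8080, and the front end added forwarding headers.
FORWARDED = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "app.example.com"}
REGISTERED = "https://app.example.com/login/oauth2/code/azure"  # value entered in the portal


def matches_registered(honor_forwarded: bool) -> bool:
    """True when the URI sent in the authorization request equals the registered one."""
    uri = redirect_uri(FORWARDED, "http", "app.example.com", 8080, "azure", honor_forwarded)
    return uri == REGISTERED


if __name__ == "__main__":
    for honor in (False, True):
        uri = redirect_uri(FORWARDED, "http", "app.example.com", 8080, "azure", honor)
        print(f"honor_forwarded={honor}: {uri} -> {'match' if uri == REGISTERED else 'mismatch'}")
```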
With the new azure-spring-boot-starter-active-directory dependency for Spring you can add the azure.activedirectory.redirect-uri-template property.
Example application.yml:
azure:
  activedirectory:
    tenant-id: <id>
    client-id: <id>
    client-secret: <secret>
    redirect-uri-template: https://app.example.com/login/oauth2/code/
Update for Spring-Cloud-Azure Version 4.x
Example application.yml:
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        profile:
          tenant-id: <tenant_id>
        credential:
          client-id: <client_id>
          client-secret: <secret>
        redirect-uri-template: https://app.example.com/login/oauth2/code/