This sample illustrates how to protect a Java web API by restricting access to its resources to authorized accounts only.
- Obtain the access token from the HTTP request header.
- Use
JwtDecoder
to parse the access token intoJwt
. - Verify
aud
,iss
,nbf
,exp
claims in access token. - Extract information from JWT in
AadOAuth2AuthenticatedPrincipal
object after a successful verification. - Save the
AADOAuth2AuthenticatedPrincipal
into SecurityContext.
-
In this section, you register your web API in App registrations in the Azure portal.
-
Search for and select your tenant in Azure Active Directory.
-
Under Manage In the same tenant, select App registrations -> New registration.
-
The registered application name is filled into
webapiB
(For better distinguish between Resource Server and Resource Server Obo, this application is named webapiB), select Accounts in this organizational directory only, click the register button. -
Under webapiB application, select Certificates & secrets -> new client secret, expires select Never, click the add button, remember to save the secrets here and use them later.
-
Under webapiB application, select API permissions -> Grant admin consent for ..., then choose Yes for save.
-
Under webapiB application, select Expose an API -> Add a scope, Use the default Application ID URI, click Save and continue button.
-
Wait the page refresh finished. Then set the Scope name to
WebApiB.ExampleScope
. -
Expose an API by adding
appRoles
, See Example: Application app role for more information about app roles setting.{ "allowedMemberTypes": [ "Application" ], "description": "WebApiB ClientCredential Example Scope", "displayName": "WebApiB ClientCredential Example Scope", "id": "d2bec026-b75f-418d-9493-8462f54f25d9", "isEnabled": true, "value": "WebApiB.ClientCredential.ExampleScope" }
See Expose scoped permission to web api for more information about web api.
#If we configure the spring.cloud.azure.active-directory.client-id or spring.cloud.azure.active-directory.app-id-uri will be to check the audience.
#In v2.0 tokens, this is always client id of the app, while in v1.0 tokens it can be the client id or the application id url used in the request.
#If you are using v1.0 tokens, configure both to properly complete the audience validation.
spring:
cloud:
azure:
active-directory:
enabled: true
credential:
client-id: ${AZURE_CLIENT_ID}
app-id-uri: ${APP_ID_URI}
# Under sdk/spring project root directory
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server
mvn spring-boot:run
We could use Postman to simulate a Web APP to send a request to a Web API.
- Web API B response successfully.
- Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=<web-apiB-client-id>&scope=<app-id-uri>/Obo.WebApiB.ExampleScope&client_secret=<web-apiB-client-secret>&username=<username>&password=<password>' 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token'
- Access endpoint by access-token:
curl localhost:8082/webapiB -H "Authorization: Bearer <access-token>"
- Verify response:
Response from webApiB.
- Web API B response failed.
- Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=<web-apiB-client-id>&scope=User.Read&client_secret=<web-apiB-client-secret>&username=<username>&password=<password>' 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token'
- Access endpoint by access-token:
curl localhost:8082/user -H "Authorization: Bearer <access-token>" -I
- Verify response:
error:401