
Update AAD Sample #248

Merged
@@ -1,7 +1,7 @@
# Sample for Azure AD B2C Resource server Spring Boot client library for Java

## Key concepts
This sample illustrates how to use `azure-spring-boot-starter-active-directory-b2c` package to work in a resource server and valiate tokens.
This sample illustrates how to use `spring-cloud-azure-starter-active-directory-b2c` package to work in a resource server and valiate tokens.

1. Constructs trusted iss by configuring tenant id.
2. Obtain the access token from the HTTP request header.
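Review bot: the typo in the sentence being rewritten is carried over unchanged: `valiate tokens` should read `validate tokens`, and since this line is already touched by the package rename it is the right moment to fix it. The context item `Constructs trusted iss by configuring tenant id.` would also be clearer as `Constructs the trusted issuer (iss) from the configured tenant id.`, so a reader who does not know the JWT claim name understands what is being checked.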
@@ -96,7 +96,7 @@ spring:

### Run with Maven
```
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory-b2c/aad-b2c-resource-server
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server
mvn spring-boot:run
```

@@ -1,7 +1,7 @@
# Sample for Azure AD B2C Spring Boot client library for Java

## Key concepts
This sample illustrates how to use `azure-spring-boot-starter-active-directory-b2c` package to work with OAuth 2.0 and OpenID Connect protocols with Azure Active Diretory B2C.
This sample illustrates how to use `spring-cloud-azure-starter-active-directory-b2c` package to work with OAuth 2.0 and OpenID Connect protocols with Azure Active Diretory B2C.

## Getting started

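Review bot: `Azure Active Diretory B2C` keeps the misspelling from the old line; correct it to `Azure Active Directory B2C` in the rewritten sentence rather than carrying it into the renamed package description.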
@@ -61,7 +61,7 @@ spring:

### Run with Maven
```
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory-b2c/aad-b2c-web-application
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-web-application
mvn spring-boot:run
```

@@ -16,7 +16,7 @@ to get it working with your Azure AD tenant on both sides.

### Register your application with your Azure Active Directory Tenant

Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/v1-protocols-openid-connect-code#register-your-application-with-your-ad-tenant).
Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).

### Configure appRoles

@@ -32,27 +32,30 @@ For the test SPA provided with this example you should create the following role
"allowedMemberTypes": [
"User"
],
"description": "Full admin access",
"displayName": "Admin",
"id": "2fa848d0-8054-4e11-8c73-7af5f1171001",
"isEnabled": true,
"description": "Full admin access",
"lang": null,
"origin": "Application",
"value": "Admin"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Normal user access",
"displayName": "UserRule",
"id": "f8ed78b5-fabc-488e-968b-baa48a570001",
"isEnabled": true,
"description": "Normal user access",
"lang": null,
"origin": "Application",
"value": "UserRule"
}
],
```

After you've created the roles go to your Enterprise Application in Azure Portal, select "Users and groups" and
assign the new roles to your Users (assignment of roles to groups is not available in the free tier of AAD).
After you've created the roles, go to **Azure Active Directory** and select **Users** to add two new users named "Admin" and "UserRule". Then back to select **Enterprise applications** in the left-hand navigation pane, click on your created application and select **Users and groups**, finally assign the new roles to your new Users (assignment of roles to groups is not available in the free tier of AAD).

Furthermore enable the implicit flow in the manifest for the demo application
(or if you have SPAs calling you):
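Review bot: the rewritten assignment paragraph conflates user names with role values: `add two new users named "Admin" and "UserRule"` reads as if the user names must match the app role `value` fields, which is not required. Say instead that any two test users can be created and that each is then assigned one of the `Admin` / `UserRule` roles under **Users and groups**; `Then back to select` should be `Then go back and select`. Moving `description` below `isEnabled` in each `appRoles` entry is cosmetic and fine. The unchanged context that follows still tells readers to `enable the implicit flow in the manifest`; since the implicit grant returns tokens in the URL fragment and Microsoft now recommends the authorization code flow with PKCE for SPAs, that sentence is worth revising while this file is open.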
@@ -95,7 +98,7 @@ data: {

### Run with Maven
```shell
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-resource-server-by-filter-stateless
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless
mvn spring-boot:run
```

@@ -60,6 +60,18 @@ terraform -chdir=./terraform apply -auto-approve

```

#### Run with Powershell

```shell
# In the root directory of the sample
# Initialize your Terraform configuration
terraform -chdir=terraform init

# Apply your Terraform Configuration
terraform -chdir=terraform apply -auto-approve

```

It may take a few minutes to run the script. After successful running, you will see prompt information like below:

```shell
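Review bot: the new block is PowerShell but its fence is tagged ```shell; tag it ```powershell so highlighting and any fence-based tooling treat it correctly, and spell the heading `PowerShell` (the same applies to the other two `Run with Powershell` blocks added to this file). Both the bash and the PowerShell variants pass `-auto-approve`, which skips the plan review for a run that creates a directory user and credentials; a `terraform -chdir=terraform plan` step before `apply` would let readers see what is about to be created.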
@@ -78,6 +90,13 @@ Running the command below to export environment values:
```shell
source ./terraform/setup_env.sh
```

#### Run with Powershell

```shell
. terraform\setup_env.ps1
```

You will see output like below, save this output to use later.
```shell

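Review bot: the sentence `save this output to use later` asks readers to copy values from the screen, but the env scripts in this PR echo `USER_PASSWORD` (and, in the other sample, `AZURE_CLIENT_SECRET`) to the console, where they stay in terminal scrollback and any transcript; better to say that the values are now in the environment and can be read with `$env:USER_PASSWORD` (or `$USER_PASSWORD` in bash) when needed. Dot-sourcing with `. terraform\setup_env.ps1` is harmless but not required for `$env:` assignments, which change the process environment and persist in the calling session either way.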
@@ -98,7 +117,7 @@ mvn clean spring-boot:run
```

## Verify This Sample

refer to [Check the authentication and authorization](../README.md#check-the-authentication-and-authorization)

## Clean Up Resources
After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing.
@@ -111,3 +130,10 @@ To destroy the resources you created.
```shell
terraform -chdir=./terraform destroy -auto-approve
```

#### Run with Powershell

```shell
terraform -chdir=terraform destroy -auto-approve
```

@@ -8,10 +8,6 @@ terraform {
source = "hashicorp/random"
version = "3.1.0"
}
null = {
source = "hashicorp/null"
version = "3.1.0"
}
}
}

@@ -119,10 +115,3 @@ resource "azuread_app_role_assignment" "user_role" {
resource_object_id = azuread_service_principal.resourceserver.object_id
}

resource "null_resource" "set_env" {
depends_on = [azuread_service_principal.resourceserver]

provisioner "local-exec" {
command = "/bin/bash set_identifier_uris.sh"
}
}

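Review bot: with the `null_resource` and its `local-exec` provisioner gone, `terraform apply` alone no longer sets the application's identifier URI; that step now lives in `setup_env.sh` / `setup_env.ps1` as an `az ad app update` call, so the README must present running the env script as mandatory rather than as a convenience, and the URI is no longer tracked in Terraform state (Terraform will neither recreate nor clean it up). Dropping the `hashicorp/null` provider is consistent with this removal. If the `azuread` provider version in use allows setting the URI declaratively, keeping it in Terraform would avoid the split between `apply` and a post-apply script.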
This file was deleted.

@@ -0,0 +1,17 @@
$env:AZURE_TENANT_ID=$(terraform -chdir=terraform output -raw AZURE_TENANT_ID)

# set identifier_uris
echo "----------update identifier-uris start----------"
az ad app update --id $env:AZURE_CLIENT_ID --identifier-uris api://$env:AZURE_CLIENT_ID
echo "----------update identifier-uris completed----------"

$env:AZURE_CLIENT_ID=$(terraform -chdir=terraform output -raw AZURE_CLIENT_ID)
$env:USER_NAME=$(terraform -chdir=terraform output -raw USER_NAME)
$env:USER_PASSWORD=$(terraform -chdir=terraform output -raw USER_PASSWORD)

echo AZURE_CLIENT_ID=$env:AZURE_CLIENT_ID
echo AZURE_TENANT_ID=$env:AZURE_TENANT_ID

echo "--------created user--------"
echo USER_NAME=$env:USER_NAME
echo USER_PASSWORD=$env:USER_PASSWORD
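Review bot: `$env:AZURE_CLIENT_ID` is used on the `az ad app update --id $env:AZURE_CLIENT_ID --identifier-uris api://$env:AZURE_CLIENT_ID` line before it is assigned from `terraform output` four lines later, so in a fresh session the command runs with empty arguments and fails, and if a stale `AZURE_CLIENT_ID` happens to be in the environment it updates the wrong application. Move the `$env:AZURE_CLIENT_ID=$(terraform -chdir=terraform output -raw AZURE_CLIENT_ID)` assignment above the `identifier-uris` block. Two smaller points: check `$LASTEXITCODE` after the `terraform output` and `az` calls so a failure does not silently leave the variables empty, and drop `echo USER_PASSWORD=$env:USER_PASSWORD`, which writes the generated password into console scrollback although it is already available as `$env:USER_PASSWORD`.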
@@ -1,4 +1,10 @@
export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID)

# set identifier_uris
echo "----------update identifier-uris start----------"
az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID
echo "----------update identifier-uris completed----------"

export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID)
export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
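Review bot: the same ordering bug as in the PowerShell script: `$AZURE_CLIENT_ID` is expanded in `az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID` before `export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID)` runs, so the update targets an empty (or stale) id; move the export above the `identifier-uris` block. Because the README runs this file with `source`, do not add `set -e` (it would terminate the user's interactive shell); instead check each command's status explicitly, for example `|| return 1` after the `az` call, and quote the expansions (`"api://$AZURE_CLIENT_ID"`).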
@@ -9,7 +9,7 @@ products:
# Authentication filter sample for Azure AD Spring Boot Starter client library for Java

## Key concepts
This sample illustrates how to use `azure-spring-boot-starter-active-directory` package to plugin JWT token filter into Spring Security filter chain. The filter injects `UserPrincipal` object that is associated with the thread of the current user request. User's AAD membership info, along with token claimsset, JWS object etc. are accessible from the object which can be used for role based authorization. Methods like `isMemberOf` is also supported.
This sample illustrates how to use `spring-cloud-azure-starter-active-directory` package to plugin JWT token filter into Spring Security filter chain. The filter injects `UserPrincipal` object that is associated with the thread of the current user request. User's AAD membership info, along with token claimsset, JWS object etc. are accessible from the object which can be used for role based authorization. Methods like `isMemberOf` is also supported.

## Getting started
The sample is composed of two layers: Angular JS client and Spring Boot RESTful Web Service. You need to make some changes to get it working with your Azure AD tenant on both sides.
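Review bot: the rewritten sentence keeps several wording errors from the old line: `to plugin JWT token filter into` should be `to plug a JWT filter into` (`JWT token` is redundant), `token claimsset` should be `token claims set`, and `Methods like `isMemberOf` is also supported` needs `are`. Since the line is being replaced anyway, fix these in the same change.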
@@ -43,7 +43,7 @@ or download and extract the repository .zip file, and navigate to `azure-spring-
---
### Step 2: Register the sample with your Azure Active Directory tenant

To register it follow the steps below or follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/v1-protocols-oauth-code#register-your-application-with-your-ad-tenant).
To register it follow the steps below or follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).

#### Choose the Azure AD tenant where you want to create your applications

@@ -97,52 +97,35 @@ spring:
cloud:
azure:
active-directory:
enabled: true
credential:
client-id: ${AZURE_CLIENT_ID}
client-secret: ${AZURE_CLIENT_SECRET}
profile:
tenant-id: ${AZURE_TENANT_ID}
redirect-uri-template: http://localhost:8080/
# groups that you created in your Azure AD tenant
user-group:
allowed-group-names: group1,group2
# Optional, the default value is
# environment: global
enabled: true
credential:
client-id: ${AZURE_CLIENT_ID}
client-secret: ${AZURE_CLIENT_SECRET}
profile:
tenant-id: ${AZURE_TENANT_ID}
user-group:
allowed-group-names: group1,group2
redirect-uri-template: http://localhost:8080/
jwt-connect-timeout: 5000
```



1. If your azure account follows format xxx@xxx.partner.onmschina.cn, configure property `environment: cn` to use [Azure China][azure-china], the default value is `global`.

2. Put Application ID and client-secret in `client-id` and `client-secret` respectively e.g.
1. Put Application ID and client-secret in `client-id` and `client-secret` respectively e.g.
```properties
tenant-id: xxxxxx-your-client-id-xxxxxx
client-id: xxxxxx-your-client-secret-xxxxxx
```

3. List all the AAD groups `ActiveDirectoryGroups` that you want to have a Spring Security role object mapping to it. The role objects can then be used to manage access to resources that is behind Spring Security. e.g.
```properties
# groups that you created in your Azure AD tenant
allowed-group-names: group1,group2
```

4. (Optional) If you want to configure oauth2 redirect uri, please configure by :
```properties
redirectUriTemplate: xxxxxx-your-redirect-uri-xxxxxx
```

---
### Step 4: Change Role_group1 to your group
1. You can use `@PreAuthorize` annotation or `UserPrincipal` to manage access to web API based on user's group membership. You will need to change `ROLE_group1` to groups you want to allow to access the API in `TodoListController.java` or you will get "Access is denied".
### Step 4: Create Role_group1 to your group
1. In the left-hand navigation pane, select **Groups**, and then select **New group** to create a new group named `group1`, choose your tenant as **Owners** and Spring Boot Sample as **Members**.

---

### Step 5: Give it a run

* Run with Maven
```
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-resource-server-by-filter
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter
mvn spring-boot:run
```

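Review bot: the retained `properties` example under `1. Put Application ID and client-secret in client-id and client-secret respectively` contradicts its own instruction: it shows `tenant-id: xxxxxx-your-client-id-xxxxxx` and `client-id: xxxxxx-your-client-secret-xxxxxx`, so the placeholders are shifted by one key. It should read `client-id: xxxxxx-your-client-id-xxxxxx` and `client-secret: xxxxxx-your-client-secret-xxxxxx` (with `tenant-id` as a separate entry). The hunk also deletes the explanations of `allowed-group-names`, `redirect-uri-template` and `environment` while the YAML above still sets the first two, and it adds `jwt-connect-timeout: 5000` with no text saying what it is or that the unit is milliseconds; a one-line comment per key in the YAML would cover all of these. Finally, the new Step 4 drops the instruction to change `ROLE_group1` in `TodoListController.java` (the old text warned that otherwise the caller gets "Access is denied"), and `choose your tenant as Owners and Spring Boot Sample as Members` is unclear: the owner is a user, and the member must be the test user who will sign in, since it is that user's group membership that is mapped to `ROLE_group1`.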
@@ -60,6 +60,18 @@ terraform -chdir=./terraform apply -auto-approve

```

#### Run with Powershell

```shell
# In the root directory of the sample
# Initialize your Terraform configuration
terraform -chdir=terraform init

# Apply your Terraform Configuration
terraform -chdir=terraform apply -auto-approve

```

It may take a few minutes to run the script. After successful running, you will see prompt information like below:

```shell
@@ -79,6 +91,12 @@ Running the command below to export environment values:
source ./terraform/setup_env.sh
```

#### Run with Powershell

```shell
. terraform\setup_env.ps1
```

You will see output like below, save this output of `created user` to login.
```shell
...
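Review bot: `save this output of created user to login` directs readers to copy a password from the console; the script sets `$env:USER_NAME` and `$env:USER_PASSWORD`, so the README can point at those variables instead of having the secret re-typed from scrollback. As in the other sample, the fence for `. terraform\setup_env.ps1` should be tagged ```powershell rather than ```shell.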
@@ -111,3 +129,9 @@ To destroy the resources you created.
```shell
terraform -chdir=./terraform destroy -auto-approve
```

#### Run with Powershell

```shell
terraform -chdir=terraform destroy -auto-approve
```
@@ -0,0 +1,13 @@
$env:AZURE_CLIENT_ID=$(terraform -chdir=terraform output -raw AZURE_CLIENT_ID)
$env:AZURE_TENANT_ID=$(terraform -chdir=terraform output -raw AZURE_TENANT_ID)
$env:AZURE_CLIENT_SECRET=$(terraform -chdir=terraform output -raw AZURE_CLIENT_SECRET)
$env:USER_NAME=$(terraform -chdir=terraform output -raw USER_NAME)
$env:USER_PASSWORD=$(terraform -chdir=terraform output -raw USER_PASSWORD)

echo AZURE_CLIENT_ID=$env:AZURE_CLIENT_ID
echo AZURE_TENANT_ID=$env:AZURE_TENANT_ID
echo AZURE_CLIENT_SECRET=$env:AZURE_CLIENT_SECRET

echo "--------created user--------"
echo USER_NAME=$env:USER_NAME
echo USER_PASSWORD=$env:USER_PASSWORD
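Review bot: `echo AZURE_CLIENT_SECRET=$env:AZURE_CLIENT_SECRET` and `echo USER_PASSWORD=$env:USER_PASSWORD` print a client secret and a user password to the console; both values are already in the environment, so print only `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `USER_NAME` and let the reader read the secrets from `$env:` when needed. There is also no exit-code check after the `terraform output` calls, so a failed output silently yields empty variables that only surface later as an authentication error in the Spring application.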
@@ -24,7 +24,7 @@ See [Configure your middle-tier Web API] or [Configure Web API] for more informa

### Run with Maven
```shell
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-resource-server
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server
mvn spring-boot:run
```

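Review bot: please confirm the target directory: here the old `aad-resource-server` path becomes `aad-web-application-and-resource-server`, while another README in this PR maps the same old directory name to `web-client-access-resource-server/aad-resource-server`. If the two READMEs describe different samples the rename is fine, but if one of them was copied from the other, one of the two new paths will not exist.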
@@ -66,7 +66,7 @@ spring:

### Run with Maven
```shell
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-resource-server-obo
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo
mvn spring-boot:run
```

@@ -61,7 +61,7 @@ spring:
### Run with Maven
```shell
# Under sdk/spring project root directory
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-resource-server
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server
mvn spring-boot:run
```

@@ -82,7 +82,7 @@ Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
```

### Check the authentication and authorization
1. Access `http://localhost:<your-Configured-server-port>/file` link: success.
1. Access `http://localhost:<your-Configured-server-port>/webapiB` link: success.
2. Access `http://localhost:<your-Configured-server-port>/user` link: fail with error message.

## Troubleshooting
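Review bot: the check list says `/user` should `fail with error message` without saying how; state the expected HTTP status (403 for an authenticated caller that lacks the required scope or role, as opposed to 401 for a missing or invalid bearer token) so a reader can tell a correct authorization denial from a broken token setup. `/webapiB` as the success path is fine as long as the controller mapping in the sample was renamed with it.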
@@ -1,7 +1,7 @@
# OAuth 2.0 Sample for Azure AD Spring Boot Starter client library for Java

## Key concepts
This sample illustrates how to use `azure-spring-boot-starter-active-directory` package to work with OAuth 2.0 and OpenID Connect protocols on Azure. This sample will use Microsoft Graph API to retrieve user information.
This sample illustrates how to use `spring-cloud-azure-starter-active-directory` package to work with OAuth 2.0 and OpenID Connect protocols on Azure. This sample will use Microsoft Graph API to retrieve user information.

## Getting started

@@ -106,7 +106,7 @@ spring:

### Run with Maven
```shell
cd azure-spring-boot-samples/aad/azure-spring-boot-starter-active-directory/aad-web-application
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application
mvn spring-boot:run

# Or use the below command to the AAD conditional access filter.