
[Feature Request] Spring boot azure active directory multiple client-id #21254

Closed
2 tasks done
ObakeFilter opened this issue May 9, 2021 · 5 comments
Labels
azure-spring All azure-spring related issues azure-spring-aad Spring active directory related issues. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request This issue requires a new behavior in the product in order be resolved.

Comments

@ObakeFilter commented May 9, 2021

Query/Question
I have a Spring Boot app that uses Azure Active Directory with front-end authentication (using AADAppRoleStatelessAuthenticationFilter, similar to this) without using a login page (it's merely a REST API with two POST endpoints).

I would like to extend it so that I could authenticate using multiple sets of client IDs, client secrets and app URIs, meaning that each request sent to a specific host will be mapped to its own AADAppRoleStatelessAuthenticationFilter instance for authentication purposes.
The problem I am having is that trying to autowire multiple instances of AADAppRoleStatelessAuthenticationFilter ends up using only one set of configurations: even when I used 2 configuration files with @PropertySource, every autowired class ended up being created from the same configuration (app-id-uri, secret, etc.) and obviously failed to authenticate requests for all the other applications.

How can I achieve multi-app authentication?

This is my attempt at splitting the security configuration into different classes:

```java
import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

// Outer holder class for the two nested security configurations (the outer class
// name is not part of the original snippet).
@Configuration
public class MultiAppSecurityConfig {

    public static final String HTTPS_SUFFIX = ":443";
    public static final String REPLACEMENT_REGEX = "^http[s]?://";

    // First app: properties loaded from default-<profile>.yml.
    @Configuration
    @PropertySource(factory = YamlPropertySourceFactory.class, value = "classpath:default-${profile.name}.yml")
    @Order(1)
    public static class SecConfig1 extends WebSecurityConfigurerAdapter {
        @Value("${azure.activedirectory.app-id-uri}")
        String appIdUri;
        @Autowired
        AADAppRoleStatelessAuthenticationFilter aadAppRoleStatelessAuthenticationFilter;

        @Override
        protected void configure(HttpSecurity http) {
            // Select this chain when the Host header equals the app-id-uri host plus ":443".
            http.requestMatcher(new RequestHeaderRequestMatcher("Host", appIdUri.replaceFirst(REPLACEMENT_REGEX, "") + HTTPS_SUFFIX))
                    .addFilterBefore(aadAppRoleStatelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    // Second app: properties loaded from gcc-<profile>.yml. Both classes read the
    // same property key and autowire the same bean type, so they end up with the
    // same configuration (the problem described above).
    @Configuration
    @PropertySource(factory = YamlPropertySourceFactory.class, value = "classpath:gcc-${profile.name}.yml")
    @Order(2)
    public static class SecConfig2 extends WebSecurityConfigurerAdapter {
        @Value("${azure.activedirectory.app-id-uri}")
        String appIdUri;
        @Autowired
        AADAppRoleStatelessAuthenticationFilter aadAppRoleStatelessAuthenticationFilterGcc;

        @Override
        protected void configure(HttpSecurity http) {
            http.requestMatcher(new RequestHeaderRequestMatcher("Host", appIdUri.replaceFirst(REPLACEMENT_REGEX, "") + HTTPS_SUFFIX))
                    .addFilterBefore(aadAppRoleStatelessAuthenticationFilterGcc, UsernamePasswordAuthenticationFilter.class);
        }
    }
}
```

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Properties;
import org.springframework.beans.factory.config.YamlPropertiesFactoryBean;
import org.springframework.core.env.PropertiesPropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.core.io.support.EncodedResource;
import org.springframework.core.io.support.PropertySourceFactory;
import org.springframework.lang.Nullable;

// Lets @PropertySource load a YAML file (Spring only reads .properties files by default).
public class YamlPropertySourceFactory implements PropertySourceFactory {

    @Override
    public PropertySource<?> createPropertySource(@Nullable String name, EncodedResource resource) throws IOException {
        Properties propertiesFromYaml = loadYamlIntoProperties(resource);
        // Fall back to the file name when @PropertySource gives no explicit name.
        String sourceName = name != null ? name : resource.getResource().getFilename();
        return new PropertiesPropertySource(sourceName, propertiesFromYaml);
    }

    private Properties loadYamlIntoProperties(EncodedResource resource) throws FileNotFoundException {
        try {
            YamlPropertiesFactoryBean factory = new YamlPropertiesFactoryBean();
            factory.setResources(resource.getResource());
            factory.afterPropertiesSet();
            return factory.getObject();
        } catch (IllegalStateException e) {
            // Re-throw a missing file as FileNotFoundException so that
            // @PropertySource(ignoreResourceNotFound = true) can honour it.
            Throwable cause = e.getCause();
            if (cause instanceof FileNotFoundException) {
                throw (FileNotFoundException) cause;
            }
            throw e;
        }
    }
}
```

And my YAML configuration files both look like this:

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          azure:
            client-id: XXX
            client-secret: YYYY

azure:
  activedirectory:
    tenant-id: ZZZ
    client-id: XXX
    client-secret: YYY
    session-stateless: true
    app-id-uri: https://example.com
    user-group:
      allowed-groups: Users
```

Setup (please complete the following information if applicable):

  • OS: Alpine
  • IDE: IntelliJ IDEA Ultimate
  • azure-active-directory-spring-boot-starter 2.3.5

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report

  • Query Added
  • Setup information Added
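An added example (not from the issue author or the starter) of the Host-header selection used in the configuration above. RequestHeaderRequestMatcher compares the raw header value, so a client that omits the default port sends `Host: example.com`, which never equals `example.com:443` and the intended chain is skipped; the matcher below normalizes the header first. The class name and the `hostOf`/`normalizeHost` helpers are assumptions.

```java
import java.net.URI;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Matches a request when its Host header names the host of the configured
// app-id-uri, ignoring case and an explicit default port. Drop-in replacement
// for the RequestHeaderRequestMatcher in SecConfig1/SecConfig2 (name assumed).
public final class AppIdUriHostMatcher implements RequestMatcher {

    private final String expectedHost; // e.g. "example.com" for https://example.com

    public AppIdUriHostMatcher(String appIdUri) {
        this.expectedHost = hostOf(appIdUri);
    }

    // Host part of an app-id-uri such as "https://example.com/", lower-cased.
    // Fails fast on a malformed value instead of silently matching nothing.
    static String hostOf(String appIdUri) {
        String host = URI.create(appIdUri.trim()).getHost();
        if (host == null) {
            throw new IllegalArgumentException("app-id-uri has no host: " + appIdUri);
        }
        return host.toLowerCase(Locale.ROOT);
    }

    // Lower-case the header and drop ":443" (the app-id-uri is assumed to be
    // https, as in the YAML above). "example.com" and "example.com:443" both
    // normalize to "example.com"; any other port is kept so it does not match.
    static String normalizeHost(String hostHeader) {
        if (hostHeader == null) {
            return null;
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        return host.endsWith(":443") ? host.substring(0, host.length() - 4) : host;
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // The Host header is client-supplied, so this only chooses which security
        // chain handles the request; it is not an authentication check. Each
        // chain's filter must still validate the token against its own audience.
        return expectedHost.equals(normalizeHost(request.getHeader("Host")));
    }
}

// Usage inside configure(): http.requestMatcher(new AppIdUriHostMatcher(appIdUri))
```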
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 9, 2021
@joshfree joshfree added azure-spring All azure-spring related issues azure-spring-aad Spring active directory related issues. Client This issue points to a problem in the data-plane of the library. labels May 10, 2021
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label May 10, 2021
@joshfree (Member)

@stliu could you please take a look?

@backwind1233 backwind1233 self-assigned this May 12, 2021
@chenrujun chenrujun added this to the Backlog milestone May 12, 2021
@chenrujun chenrujun changed the title [QUERY] Spring boot azure active directory multiple client-id [Feature Request] Spring boot azure active directory multiple client-id May 17, 2021
@chenrujun chenrujun added feature-request This issue requires a new behavior in the product in order be resolved. and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 17, 2021
@chenrujun

Hi, @ObakeFilter

Thank you for reaching out.
Multi client-id is not supported yet.
We will investigate whether it's necessary to implement this feature and how to implement it.

We will update the process in this issue.

@ObakeFilter (Author)

> Hi, @ObakeFilter
>
> Thank you for reaching out.
> Multi client-id is not supported yet.
> We will investigate whether it's necessary to implement this feature and how to implement it.
>
> We will update the process in this issue.

Thank you. Are you familiar with any possible workaround that can be used to instantiate multiple AADAppRoleStatelessAuthenticationFilter instances as of today?

@chenrujun

Hi, @ObakeFilter

  1. AADAppRoleStatelessAuthenticationFilter is deprecated. Could you please use resource-server instead?
  2. Currently resource-server still does not support multi client-id.
  3. Sorry that I cannot come up with a workaround in a short time, and I'm busy with other tasks right now. This issue is on our roadmap. Could you please investigate it yourself? A PR is welcome.

@chenrujun

Closing this issue, because we decided to deprecate azure-spring-boot-starter-active-directory. We just wrote a sample to demonstrate how to use Azure Active Directory in a Spring Boot application in this repo: https://github.com/Azure-Samples/spring-boot-application-with-azure-active-directory

Repository owner moved this from Todo to Done in Spring Cloud Azure Nov 5, 2021
@chenrujun chenrujun modified the milestones: Backlog, [2021] November Nov 5, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023