How to configure Azure AD B2C ?

[ch4mpy]

Created from this other question asked by @veganchamp.

I'm getting the exception below
(I've replaced real tenantId with TID)

Caused by: java.lang.IllegalStateException: The Issuer "https://sys-login.lvgig.co.uk/TID/" provided in the configuration metadata did not match the requested issuer "https://sys-login.lvgig.co.uk/TID/B2C_1A_RPSaveQA3/"
at org.springframework.util.Assert.state(Assert.java:97)
at org.springframework.security.oauth2.client.registration.ClientRegistrations.withProviderConfiguration(ClientRegistrations.java:246)

The issuer-uri looks good: https://sys-login.lvgig.co.uk/TID/B2C_1A_RPSaveQA3/.well-known/openid-configuration
giving:

{
"issuer": "https://sys-login.lvgig.co.uk/TID/",
"authorization_endpoint": "https://sys-login.lvgig.co.uk/TID/b2c_1a_rpsaveqa3/oauth2/authorize",
...
}

[ch4mpy]

Spring Boot configuration properties should be set as follow:

• just issuer-uri with what you find in tokens as iss claim (exactly, even case and trailing slash, if any, are important), but only if OpenID configuration can be found by just adding .well-known/openid-configuration to it (no added or modifiedpath segment in between)
• jwk-set-endpoint, authorization-uri, token-uri and user-info-uri with what you find in OpenID configuration (what you get from https://sys-login.lvgig.co.uk/TID/B2C_1A_RPSaveQA3/.well-known/openid-configuration)

Setting just issuer-uri is possible only if the OpenID configuration is available from ${issuer-uri}/.well-known/openid-configuration (or ${issuer-uri}.well-known/openid-configuration if issuer-uri ends with a /). In that case, Spring auto-configures jwk-set-endpoint, authorization-uri, token-uri and user-info-uri with what it finds in the OpenID configuration.

But in your case, it seems that a path segment is missing in issuer-uri for Spring auto-configuration to be possible (it seems to be https://sys-login.lvgig.co.uk/TID/ and not https://sys-login.lvgig.co.uk/TID/B2C_1A_RPSaveQA3). In such a case, you should provide with all properties in the conf.

Please double check one of your access token iss claim (you can decode it with a tool like https://jwt.io if it's a JWT or send it to the introspection endpoint, whatever the format).

If the access token iss claim is https://sys-login.lvgig.co.uk/TID/B2C_1A_RPSaveQA3 or https://sys-login.lvgig.co.uk/TID/B2C_1A_RPSaveQA3/, your conf should look like:

tenant: change-me
# double check that
# - this value is EXACTLY what you get as "iss" claim in tokens (even case and trailing slash are important)
# - OpenID configuration is available from https://sys-login.lvgig.co.uk/${tenant}/B2C_1A_RPSaveQA3/.well-known/openid-configuration
azure-issuer: https://sys-login.lvgig.co.uk/${tenant}/B2C_1A_RPSaveQA3/

spring:
  security:
    oauth2:
      client:
        provider:
          azure-ad-b2c:
            issuer-uri: ${azure-issuer}
            # other provider properties are auto-configured by Spring Security from the OpenID configuration

If the OpenID configuration cannot be fetched by appending .well-known/openid-configuration to the URI found as iss claim value in tokens, then your conf should look something like that:

tenant: change-me
# Double-check this values against what you actually get from .well-known/openid-configuration
azure-authorization-endpoint: https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize
azure-token-endpoint: https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token
azure-jwks-endpoint: https://login.microsoftonline.com/${tenant}/discovery/v2.0/keys

spring:
  security:
    oauth2:
      client:
        provider:
          azure-ad-b2c:
            jwk-set-uri: ${azure-jwks-endpoint}
            authorization-uri: ${azure-authorization-endpoint}
            token-uri: ${azure-token-endpoint}

[veganchamp]

Should be jwk-set-uri instead of jwk-set-endpoint I think, also, I'm seeing spring code below that is attempting to call the issuer-uri if one is set which defeats the point of defining our own uri's... unless I'm missing something? :
OAuth2ClientPropertiesMapper.getBuilderFromIssuerIfPossible

[veganchamp]

So removing issuer-uri works, I can see my custom endpoints being called, the authorization call is giving a 404, I presume because I need to add custom parameters like p: B2C_1A_RPSaveQA3... looking into that now using this thread: #197

[ch4mpy]

I thought that the when Spring cannot infer the OpenID configuration URI from the issuer-uri and other properties are present, it ignored the network errors and used the issuer-uri just for setting an iss claim validator in JWT decoder. My bad.

I removed issuer-uri from the answer above, fixed the typo on jwk-set-uri and removed the unnecessary user-info-uri.

Adding custom parameters to the authorization request is where spring-addons jumps in and the subject of the answer to your other question.

[veganchamp]

This is working now as expected, you have answered my question. Thanks @ch4mpy

[veganchamp]

Hi @ch4mpy, the iss in the claim returned from the token request is:
https://sys-login.lvgig.co.uk/TID/v2.0

Having looked on our Azure Portal at the "Azure AD B2C" set-up, this is the published endpoint:
https://sys-login.lvgig.co.uk/TID/v2.0/.well-known/openid-configuration?p=B2C_1A_RPSAVEQA3

I've found it needs the query string, the request fails without it so I'm guessing I need to extend your spring-addon's class to modify the issuer-uri to include this parameter? Note, the 'p' parameter ris dynamic based on the user context - there's ~5 options ..SAVE.. / ..RETRIEVE.. etc, they control templated content on the login page.

[ch4mpy]

I'm guessing I need to extend your spring-addon's class to modify the issuer-uri to include this parameter

No. As stated in the answer above, the issuer-uri must be exactly what you have in tokens as iss claim: issuer-uri: https://sys-login.lvgig.co.uk/TID/v2.0

there's ~5 options

If the values for other providers properties (jwk-set-endpoint, authorization-uri, token-uri and user-info-uri) are constant across the OpenID configurations you get with the different p values, defining one single provider is enough. You'll reference this unique Azure provider from your different Azure registrations. If other parameters are constant (at least for a given p value), then you might define a registration for each p: B2C_1A_RPxxxxQA3 to stick with "static" parameters.

If the other provider parameters change with your p parameter value, then you need a provider entry for each combination (same issuer-uri but different JWKS, authorization, token or user-info).

As a side note, all this is pure "official" boot configuration and spring-addons does nothing about it. If you want to change something about how providers auto-configuration is performed or tokens validation done, you'll have to open Spring Security source code, look how it is implemented there, and then find a way to change that.