Accessing Microsoft Graph API in Vaadin 23 + Spring Security + Azure AD

Question

I'm developing an enterprise Vaadin application and I'd like to know if anyone has figured out how I can obtain the JWT token to make (from backend) a request to GraphAPI to fetch additional user details.

My Security Configuration looks like this. What I achieve with this configuration is a SSO experience. Just entering the site, the user is redirected to MS Authentication portal and redirected back when authenticated.

@Configuration
public class SecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {

    private final OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    public SecurityConfiguration(OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService) {
        this.oidcUserService = oidcUserService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.oauth2Login().userInfoEndpoint().oidcUserService(oidcUserService);
    }
}

On application.properties I have the following settings:

azure.activedirectory.tenant-id=my_tenant_id
azure.activedirectory.client-id=my_client_id
azure.activedirectory.client-secret=my_secret_key
azure.activedirectory.redirect-uri-template=http://localhost:8080/login/oauth2/code/

and on pom.xml

<dependencyManagement>
...
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-bom</artifactId>
        <version>${azure.version}</version>
        <type>pom</type>
        <scope>import</scope>
    </dependency>
...
</dependencyManagement>
    <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-starter-active-directory</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-starter-active-directory</artifactId>
    </dependency>
...

From a Rest Endpoint, it's well documented how I should be able to retrieve the token and make a call.

@GetMapping("/graph")
@ResponseBody
public String graph(
    @RegisteredOAuth2AuthorizedClient("graph") OAuth2AuthorizedClient graphClient
) {
    // toJsonString() is just a demo.
    // oAuth2AuthorizedClient contains access_token. We can use this access_token to access the resource server.
    return toJsonString(graphClient);
}

Also, on AAD for this application I've setup the API roles User.Read and Calendars.ReadWrite that allows accessing graph API.

Questions:

• I'm missing something on the application.properties to configure the permissions.
• I have no idea of what bean I need to @Autowire to access the token from the user-specific context in Vaadin scope.

Remarks:

• I'm using 'normal' authentication and the application is for the same company that has the O365 account. It's not multi-tenant or B2C.

Answer 1

Need some more clarification about the login, if the login is completely handled by the MS Authentication portal ?.

I think you can add some more filtration on you WebSecurityConfiguration class to permit login with other IP

    @Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .addFilter(accessTokenProcessingFilter())
            .authenticationProvider(preAuthenticatedAuthenticationProvider())
            .exceptionHandling().and()
            .headers().and()
            .sessionManagement().sessionCreationPolicy(STATELESS).and()
            .securityContext().and()
            .anonymous().and()
            .authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()

...