'Accessing Microsoft Graph API in Vaadin 23 + Spring Security + Azure AD
I'm developing an enterprise Vaadin application and I'd like to know if anyone has figured out how I can obtain the JWT token to make (from backend) a request to GraphAPI to fetch additional user details.
My Security Configuration looks like this. What I achieve with this configuration is a SSO experience. Just entering the site, the user is redirected to MS Authentication portal and redirected back when authenticated.
@Configuration
public class SecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {
private final OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
public SecurityConfiguration(OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService) {
this.oidcUserService = oidcUserService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.oauth2Login().userInfoEndpoint().oidcUserService(oidcUserService);
}
}
On application.properties I have the following settings:
azure.activedirectory.tenant-id=my_tenant_id
azure.activedirectory.client-id=my_client_id
azure.activedirectory.client-secret=my_secret_key
azure.activedirectory.redirect-uri-template=http://localhost:8080/login/oauth2/code/
and on pom.xml
<dependencyManagement>
...
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-bom</artifactId>
<version>${azure.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
...
</dependencyManagement>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-starter-active-directory</artifactId>
</dependency>
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-starter-active-directory</artifactId>
</dependency>
...
From a Rest Endpoint, it's well documented how I should be able to retrieve the token and make a call.
@GetMapping("/graph")
@ResponseBody
public String graph(
@RegisteredOAuth2AuthorizedClient("graph") OAuth2AuthorizedClient graphClient
) {
// toJsonString() is just a demo.
// oAuth2AuthorizedClient contains access_token. We can use this access_token to access the resource server.
return toJsonString(graphClient);
}
Also, on AAD for this application I've setup the API roles User.Read
and Calendars.ReadWrite
that allows accessing graph API.
Questions:
- I'm missing something on the application.properties to configure the permissions.
- I have no idea of what bean I need to
@Autowire
to access the token from the user-specific context in Vaadin scope.
Remarks:
- I'm using 'normal' authentication and the application is for the same company that has the O365 account. It's not multi-tenant or B2C.
Solution 1:[1]
Need some more clarification about the login, if the login is completely handled by the MS Authentication portal ?.
I think you can add some more filtration on you WebSecurityConfiguration class to permit login with other IP
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(accessTokenProcessingFilter())
.authenticationProvider(preAuthenticatedAuthenticationProvider())
.exceptionHandling().and()
.headers().and()
.sessionManagement().sessionCreationPolicy(STATELESS).and()
.securityContext().and()
.anonymous().and()
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
...
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | jerald jacob |