'Spring boot authorization issue with fetching roles from Azure AD auth server

As per this we implemented Spring boot auth with Azure AD: https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html

Here the access token validation works fine but not showing any authorities:

SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();        
Collection<? extends GrantedAuthority> authoritiesFromToken = authentication.getAuthorities();              
System.out.println("authoritiesFromToken:  " + authoritiesFromToken);

The following dependencies are used:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

Added app roles in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Used Postman to get the Azure AD token with client credentials: https://docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token

After this run the application but the app roles set to the application is not printed.

What we need to do to get the roles as well?

spring-bootazure-active-directoryopenid-connect


Solution 1:[1]

  • Sometimes token is an access token may not be for your app. The roles you are looking for can be present in the id token.
  • Please make sure to check both id token and access token in authentication blade or try by checking both individually.

enter image description here

  • As you were not able to access the roles in your token. Please check if you were not assigning a resource in request parameters along with (client_id, grant_type, etc.) . By default the resource maybe something like 00000002-0000-0000-c000-000000000000. Also try by sending responseType =token in the request.

Please check this Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory (aaddevsup.xyz)

Add the following dependencies to your pom.xml file.

<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
   // <version>4.0.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

According to note here in Add app roles and get them from a token - Microsoft identity platform | Microsoft Docs

Note: Currently if you add a service principal to a group, and then assign an app role to that group, Azure AD does not add the roles claim to tokens it issues. Azure AD emits a roles claim for each role that the user or service principal has been granted individually to the user and the user's group memberships.

The roles could also be added directly in the manifest json file.

"appRoles": [
{
    "allowedMemberTypes": [
        "User , Applications"
    ],
    "description": " ",
    "displayName": " ",
    "id": "<Guid> ",
    "isEnabled": true,
    "lang": null,
    "origin": "<> ",
    "value": "  "
},
]

If you're implementing app role business logic in an app-calling-API scenario, you have two app registrations. One app registration is for the app, and a second app registration is for the API. In this case, define the app roles and assign them to the user or group in the app registration of the API. When the user authenticates with the app and requests an access token to call the API, a roles claim is included in the access token. Your next step is to add code to your web API to check for those roles when the API is called.

Check the user.read is for graph api and to get token for api for your app should have the scope exposed for api.and granted api permissions for admin consent.

To learn how to add authorization to your web API, see Protected web API: Verify scopes and app roles.

Reference : Spring Boot Starter for Azure Active Directory developer's guide | Microsoft Docs

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 kavyasaraboju-MT

Related Questions

No authentication handler is registered for the scheme 'Cookies'. The registered schemes are: Application, Bearer, ASOS

What is the best approach to logout from keycloak after authentication via pkce?

How do I validate a JWT using JwtSecurityTokenHandler and a JWKS endpoint?

Change the preferred_username in token for client credential grant flow

ASP.NET Web API and OpenID Connect: how to get Access Token from Authorization Code

What are the default Lifetime values for openiddict tokens

Web API with Microsoft Identity Platform Authentication

RFC - Adding Group Claims from OKTA to Role Claims in .net Framework Using OIDC

Blazor WebAssembly Hosted on IIS - only API is working

OpenIdConnectProtocolValidator - nonce error

Logout from Keycloak does not logout Active Directory User

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

How to configure Keycloak to work with Guacamole's OpenID plugin?

Web App SPA & OIDC: How to properly authenticate before accessing the front?

Null Reference Exception when calling GraphServiceClient from a .net core Razor application that uses OpenIdConnect