This sample illustrates how to protect a Java web API by restricting access to its resources to authorized accounts only.

- Obtain the access token from the HTTP request header.
- Use `JwtDecoder` to parse the access token into a `Jwt`.
- Verify the `aud`, `iss`, `nbf` and `exp` claims in the access token.
- Extract information from the JWT into an `AadOAuth2AuthenticatedPrincipal` object after successful verification.
- Save the `AadOAuth2AuthenticatedPrincipal` into the `SecurityContext`.
In this section, you register your web API in App registrations in the Azure portal.

- Search for and select your tenant in Microsoft Entra ID.
- Under Manage, in the same tenant, select App registrations -> New registration.
- Fill in the application name as `webapiB` (to better distinguish between Resource Server and Resource Server Obo, this application is named webapiB), select Accounts in this organizational directory only, and click the Register button.
- Under the webapiB application, select Certificates & secrets -> New client secret, set Expires to Never, and click the Add button. Remember to save the secret here; you will use it later.
- Under the webapiB application, select API permissions -> Grant admin consent for ..., then choose Yes to save.
- Under the webapiB application, select Expose an API -> Add a scope, use the default Application ID URI, and click the Save and continue button.
- Wait for the page to finish refreshing, then set the Scope name to `WebApiB.ExampleScope`.
- Expose an API by adding `appRoles`. See Example: Application app role for more information about app role settings.

```json
{
  "allowedMemberTypes": [ "Application" ],
  "description": "WebApiB ClientCredential Example Scope",
  "displayName": "WebApiB ClientCredential Example Scope",
  "id": "d2bec026-b75f-418d-9493-8462f54f25d9",
  "isEnabled": true,
  "value": "WebApiB.ClientCredential.ExampleScope"
}
```

See Expose scoped permission to web api for more information about web APIs.
```yaml
# If spring.cloud.azure.active-directory.credential.client-id or spring.cloud.azure.active-directory.app-id-uri is configured, the audience will be checked.
# In v2.0 tokens, this is always the client ID of the API, while in v1.0 tokens it can be the client ID or the resource URI used in the request.
# If you are using v1.0 tokens, configure both to properly complete the audience validation.
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        credential:
          client-id: ${AZURE_CLIENT_ID}
        app-id-uri: ${APP_ID_URI}
```
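The starter performs the audience check described in the comments above for you. As an added illustration that is not the starter's own code, here is a standalone Spring Security `OAuth2TokenValidator<Jwt>` with the same rule (v2.0 tokens must carry the client ID in `aud`; v1.0 tokens may carry the client ID or the App ID URI), wired into a `NimbusJwtDecoder` next to the default issuer and `nbf`/`exp` validators. It assumes the token's `ver` claim distinguishes v1.0 from v2.0 tokens, and the expected issuer string is supplied by the caller.

```java
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/** Illustrative audience check with the v1.0/v2.0 rule; not the starter's implementation. */
public class AadAudienceValidator implements OAuth2TokenValidator<Jwt> {
    private final String clientId; // spring.cloud.azure.active-directory.credential.client-id
    private final String appIdUri; // spring.cloud.azure.active-directory.app-id-uri (may be null)

    public AadAudienceValidator(String clientId, String appIdUri) {
        this.clientId = clientId;
        this.appIdUri = appIdUri;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        List<String> aud = jwt.getAudience();
        // Assumption: the "ver" claim is "1.0" or "2.0". A v2.0 token must name the client ID;
        // a v1.0 token may name either the client ID or the App ID URI (if one is configured).
        boolean v1 = "1.0".equals(jwt.getClaimAsString("ver"));
        boolean matches = aud.contains(clientId) || (v1 && appIdUri != null && aud.contains(appIdUri));
        if (matches) {
            return OAuth2TokenValidatorResult.success();
        }
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
                "Token audience " + aud + " does not name this API", null);
        return OAuth2TokenValidatorResult.failure(error);
    }

    /** Decoder that checks the signature against the tenant's JWKS, then iss, nbf/exp and aud.
     *  The expected issuer is a parameter because v1.0 and v2.0 tokens use different issuer values. */
    public static JwtDecoder jwtDecoder(String tenantId, String issuer, String clientId, String appIdUri) {
        String jwkSetUri = "https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys";
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer),  // iss, nbf, exp
                new AadAudienceValidator(clientId, appIdUri))); // aud
        return decoder;
    }
}
```

A token whose `aud` names neither value is rejected with `invalid_token`, which is the 401 the failing request at the end of this page produces.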
```shell
# Under sdk/spring project root directory
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server
mvn spring-boot:run
```
We can use Postman (or curl, as below) to simulate a web app sending a request to the web API.

- Web API B responds successfully.
  - Get an access token:

    ```shell
    curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=<web-apiB-client-id>&scope=<app-id-uri>/Obo.WebApiB.ExampleScope&client_secret=<web-apiB-client-secret>&username=<username>&password=<password>' 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token'
    ```

  - Access the endpoint with the access token:

    ```shell
    curl localhost:8082/webapiB -H "Authorization: Bearer <access-token>"
    ```

  - Verify the response:

    ```
    Response from webApiB.
    ```

- Web API B responds with a failure.
  - Get an access token:

    ```shell
    curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=<web-apiB-client-id>&scope=User.Read&client_secret=<web-apiB-client-secret>&username=<username>&password=<password>' 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token'
    ```

  - Access the endpoint with the access token:

    ```shell
    curl localhost:8082/user -H "Authorization: Bearer <access-token>" -I
    ```

  - Verify the response:

    ```
    error:401
    ```