This sample illustrates how to use the `spring-cloud-azure-starter-active-directory-b2c` package in a resource server to validate access tokens.
- Constructs the trusted `iss` from the configured tenant id.
- Obtains the access token from the HTTP request header.
- Parses the `iss` claim from the access token and constructs a `JwtDecoder` via `AadIssuerJWSKeySelector`.
- Uses the `JwtDecoder` to parse the access token into a `Jwt`.
- Verifies the `aud`, `iss`, `nbf` and `exp` claims of the access token.
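To make the checks above concrete, here is an added example (not code from this sample or from the starter) of a plain Spring Security `JwtDecoder` that does the same work explicitly: signature via the tenant's JWK set, then `iss`, `nbf`, `exp` and `aud`. The environment variable names follow the sample's configuration; the `login.microsoftonline.com` issuer and JWK set URL formats and the class name are assumptions.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class ExplicitJwtDecoderConfig { // hypothetical class name

    @Bean
    JwtDecoder jwtDecoder() {
        // Assumed environment variables, matching the names used in the sample's application.yml.
        String tenantId = System.getenv("AZURE_TENANT_ID");
        String clientId = System.getenv("AZURE_CLIENT_ID"); // v2.0 tokens: aud is the client id
        String appIdUri = System.getenv("APP_ID_URI");      // v1.0 tokens: aud can be the app id uri
        // Trusted issuer and JWK set derived from the tenant id (assumed v2.0 endpoint formats).
        String issuer = "https://login.microsoftonline.com/" + tenantId + "/v2.0";
        String jwkSetUri = "https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys";
        // Explicit timeouts on the JWK set fetch; "Couldn't retrieve remote JWK set: Read timed out" comes from this call.
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setConnectTimeout(5_000);
        factory.setReadTimeout(5_000);
        // aud check accepting either form; a token minted for a different API is rejected.
        OAuth2TokenValidator<Jwt> audience = jwt -> {
            List<String> aud = jwt.getAudience();
            if (aud != null && (aud.contains(clientId) || aud.contains(appIdUri))) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "aud does not name this resource server", null));
        };
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
            .restOperations(new RestTemplate(factory))
            .build();
        // Signature is checked by the decoder; then iss, nbf/exp (default 60 s skew) and aud.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            new JwtIssuerValidator(issuer), new JwtTimestampValidator(), audience));
        return decoder;
    }
}
```

A token failing any validator is rejected with an `invalid_token` error, which is what produces the `WWW-Authenticate: Bearer error="invalid_token"` response header seen in the troubleshooting section.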
- On the Azure AD B2C Portal, select the application that requires roles to be added, then select Manifest.
- Find the `appRoles` configuration item, add the following configuration, then click the Save button.

```json
{
  "allowedMemberTypes": [
    "Application"
  ],
  "description": "Task.read",
  "displayName": "Task.read",
  "id": "d2bec026-b75f-418d-9493-8462f54f25d9",
  "isEnabled": true,
  "value": "Test.read"
},
{
  "allowedMemberTypes": [
    "Application"
  ],
  "description": "Task.write",
  "displayName": "Task.write",
  "id": "1ab4eeda-d07e-4bce-8f77-b0a84c97c34f",
  "isEnabled": true,
  "value": "Test.write"
}
```
- Find the application permissions you need to use.
- Expose an API.
- Add the delegated permissions.
- Consent to the application permissions.
- In the end, the configuration is as follows.
```yaml
# In v2.0 tokens, `aud` is always the client ID of the API, while in v1.0 tokens it can be the app id uri.
spring:
  cloud:
    azure:
      active-directory:
        b2c:
          enabled: true
          tenant-id: ${AZURE_TENANT_ID}
          app-id-uri: ${APP_ID_URI} # If you are using v1.0 token, please configure app-id-uri for `aud` verification
          client-id: ${AZURE_CLIENT_ID} # If you are using v2.0 token, please configure client-id for `aud` verification
          base-uri: ${AZURE_AD_BASE_URI} # Such as: https://xxxxb2c.b2clogin.com
          user-flows:
            sign-up-or-sign-in: ${SIGN_UP_OR_SIGN_IN_USER_FLOW_NAME}
```
```bash
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server
mvn spring-boot:run
```
- Write response.
  - Get access-token:
    ```bash
    curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
    ```
  - Access endpoint by access-token:
    ```bash
    curl localhost:8080/write -H "Authorization: Bearer <access_token>"
    ```
  - Verify response:
    ```
    Write success.
    ```
- Read response.
  - Get access-token:
    ```bash
    curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
    ```
  - Access endpoint by access-token:
    ```bash
    curl localhost:8080/read -H "Authorization: Bearer <access_token>"
    ```
  - Verify response:
    ```
    Read success.
    ```
- Log response.
  - Get access-token:
    ```bash
    curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
    ```
  - Access endpoint by access-token (the `-I` flag belongs outside the quoted header so that curl returns only the response headers):
    ```bash
    curl localhost:8080/log -H "Authorization: Bearer <access_token>" -I
    ```
  - Verify response:
    ```
    error:403.
    ```
- While running the sample, if an error occurs with the following log:
  ```
  WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: Read timed out",
  ```
  you can set `azure-activedirectory-b2c:jwt-read-timeout` in `application.yml` to a longer read timeout.
- To delete or modify an app role, first set `isEnabled` to `false` in the manifest's JSON configuration, then delete or modify it.