Skip to content

Latest commit

 

History

History

aad-b2c-resource-server

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
docs
docs
 
 
src/main
src/main
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

README.md

page_type languages products name description
sample
java
azure-active-directory-b2c
Developing REST API Application Developed by Spring Boot and Protected by Azure Active Directory B2C
This sample demonstrates how to develop REST API application developed by Spring Boot and protected by Azure Active Directory B2C.

Developing REST API Application Developed by Spring Boot and Protected by Azure Active Directory B2C

Key concepts

This sample illustrates how to use spring-cloud-azure-starter-active-directory-b2c package to work in a resource server and validate tokens.

  1. Constructs trusted iss by configuring tenant id.
  2. Obtain the access token from the HTTP request header.
  3. Analyze access token to iss and construct JwtDecoder by AadIssuerJWSKeySelector.
  4. Use JwtDecoder to parse the access token into Jwt.
  5. Verify aud, iss, nbf, exp claims in access token.

Getting started

Create and consent Application and Delegated permissions

  1. On the Azure Active Directory B2C Portal, select the application that requires roles to be added, select Manifest.
  2. Find the appRoles configuration item, and add the following configuration, then click the Save button.
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Task.read",
    "displayName": "Task.read",
    "id": "d2bec026-b75f-418d-9493-8462f54f25d9",
    "isEnabled": true, 
    "value": "Test.read"
  },
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "description": "Task.write",
    "displayName": "Task.write",
    "id": "1ab4eeda-d07e-4bce-8f77-b0a84c97c34f",
    "isEnabled": true,
    "value": "Test.write"
  }

Configuration Application Roles

  1. Find the application permissions need to use.

Selected Application Add Application Roles

  1. Expose an api.

Expose an api.

  1. Add the delegated permissions.

Add Delegated permissions

  1. Consent Application permissions.

Consent Application permissions

  1. In the end, configuration is as follows.

Final Configuration

Create User Flow

  1. Add user flow on the portal. Add user flow

  2. Select a user flow type. Select a user flow type

  3. Setting Relevant Content. Setting Relevant Content.

  4. Finally, configuration is as follows. Finally

Examples

Configure the sample

application.yml

# In v2.0 tokens, `aud` is always the client ID of the API, while in v1.0 tokens it can be the app id uri.
spring:
  cloud:
    azure:
      active-directory:
        b2c:
          enabled: true
          profile:
            tenant-id: ${AZURE_TENANT_ID}
          credential:
            client-id: ${AZURE_CLIENT_ID}           # If you are using v2.0 token, please configure client-id for `aud` verification
          app-id-uri: ${APP_ID_URI}         # If you are using v1.0 token, please configure app-id-uri for `aud` verification
          base-uri: ${AZURE_AD_BASE_URI}             # Such as: https://xxxxb2c.b2clogin.com
          user-flows:
            sign-up-or-sign-in: ${SIGN_UP_OR_SIGN_IN_USER_FLOW_NAME}

Run with Maven

cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server
mvn spring-boot:run

Access the Web API

  • Write response.
  1. Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
  1. Access endpoint by access-token:
curl localhost:8080/write -H "Authorization: Bearer <access_token>"
  1. Verify response:
Write success.
  • Read response.
  1. Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
  1. Access endpoint by access-token:
curl localhost:8080/read -H "Authorization: Bearer <access_token>"
  1. Verify response:
Read success.
  • Log response.
  1. Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
  1. Access endpoint by access-token:
curl localhost:8080/log -H "Authorization: Bearer <access_token>" -I
  1. Verify response:
error:403.

Troubleshooting

  • WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: Read timed out",

    While running sample, if error occurs with logs above:

    • azure-activedirectory-b2c:jwt-read-timeout to set longer read time in application.yml.

FAQ

How do I delete or modify Application Permissions in Portal?

You can set isEnabled to false in the manifest's JSON configuration.Then delete or modify it.

Deploy to Azure Spring Apps

Now that you have the Spring Boot application running locally, it's time to move it to production. Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. To deploy your application to Azure Spring Apps, see Deploy your first application to Azure Spring Apps.

Next steps

Contributing