page_type | languages | products | name | description | ||
---|---|---|---|---|---|---|
sample |
|
|
Developing REST API Application Developed by Spring Boot and Protected by Azure Active Directory B2C |
This sample demonstrates how to develop REST API application developed by Spring Boot and protected by Azure Active Directory B2C. |
Developing REST API Application Developed by Spring Boot and Protected by Azure Active Directory B2C
This sample illustrates how to use spring-cloud-azure-starter-active-directory-b2c
package to work in a resource server and validate tokens.
- Constructs trusted iss by configuring tenant id.
- Obtain the access token from the HTTP request header.
- Analyze access token to
iss
and constructJwtDecoder
byAadIssuerJWSKeySelector
. - Use
JwtDecoder
to parse the access token intoJwt
. - Verify
aud
,iss
,nbf
,exp
claims in access token.
- On the Azure AD B2C Portal, select the application that requires roles to be added, select Manifest.
- Find the
appRoles
configuration item, and add the following configuration, then click the Save button.
{
"allowedMemberTypes": [
"Application"
],
"description": "Task.read",
"displayName": "Task.read",
"id": "d2bec026-b75f-418d-9493-8462f54f25d9",
"isEnabled": true,
"value": "Test.read"
},
{
"allowedMemberTypes": [
"Application"
],
"description": "Task.write",
"displayName": "Task.write",
"id": "1ab4eeda-d07e-4bce-8f77-b0a84c97c34f",
"isEnabled": true,
"value": "Test.write"
}
- Find the application permissions need to use.
- Expose an api.
- Add the delegated permissions.
- Consent Application permissions.
- In the end, configuration is as follows.
# In v2.0 tokens, `aud` is always the client ID of the API, while in v1.0 tokens it can be the app id uri.
spring:
cloud:
azure:
active-directory:
b2c:
enabled: true
profile:
tenant-id: ${AZURE_TENANT_ID}
credential:
client-id: ${AZURE_CLIENT_ID} # If you are using v2.0 token, please configure client-id for `aud` verification
app-id-uri: ${APP_ID_URI} # If you are using v1.0 token, please configure app-id-uri for `aud` verification
base-uri: ${AZURE_AD_BASE_URI} # Such as: https://xxxxb2c.b2clogin.com
user-flows:
sign-up-or-sign-in: ${SIGN_UP_OR_SIGN_IN_USER_FLOW_NAME}
cd azure-spring-boot-samples/aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server
mvn spring-boot:run
- Write response.
- Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
- Access endpoint by access-token:
curl localhost:8080/write -H "Authorization: Bearer <access_token>"
- Verify response:
Write success.
- Read response.
- Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
- Access endpoint by access-token:
curl localhost:8080/read -H "Authorization: Bearer <access_token>"
- Verify response:
Read success.
- Log response.
- Get access-token:
curl -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<aad-b2c-web-app-client-id>&scope=<app-id-uri>/.default&client_secret=<aad-b2c-web-app-client-secret>' 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
- Access endpoint by access-token:
curl localhost:8080/log -H "Authorization: Bearer <access_token>" -I
- Verify response:
error:403.
-
WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: Read timed out",
While running sample, if error occurs with logs above:
azure-activedirectory-b2c:jwt-read-timeout
to set longer read time inapplication.yml
.
You can set isEnabled
to false
in the manifest's JSON configuration.Then delete or modify it.
Now that you have the Spring Boot application running locally, it's time to move it to production. Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. To deploy your application to Azure Spring Apps, see Deploy your first application to Azure Spring Apps.