Setup Azure Client Credential Flow with Spring

Question

I'm trying to setup client credential flow with a Spring app access a web api (both owned by myself). I've attempted to follow the Azure documentation Microsoft identity platform and the OAuth 2.0 client credentials flow and Quickstart: Configure a client application to access a web API but I'm running into a few problems because the documentation is not clear. Somewhere in my setup, Azure is forcing the user to sign-in, and then other error messages sprout from there. As we know, however, client credential should be machine to machine authorization so I'm not sure why this sign-in flow is happening.

Below is my setup. Any feedback would be helpful getting me up running.

Environment

OS: Ubuntu 20.10
IDE: Visual Studio Code
Library/Libraries:
com.azure.spring:azure-spring-boot-starter-active-directory:3.5.0
org.springframework.boot:spring-boot-starter-oauth2-client

application.yml

 azure:
  activedirectory:
    tenant-id: {my-web-app-tenant-id}
    client-id: {my-web-app-client-id}
    client-secret: {my-web-app-client-secret}
    authorization-clients:
     web-api:
       scopes:
         - api://example-api/Employees.Read.All
         - api://example-api/Employees.Write.All

Azure Configuration

If my answer is helpful for you, you can accept it as answer( click on the check mark beside the answer to toggle it from greyed out to filled in.). This can be beneficial to other community members. Thank you. :) — Carl Zhao, Jun 30 '21 at 07:38

score 3 · Answer 1 · answered Jun 30 '21 at 07:37

3

You should currently be performing server-to-server interaction, that is, no user involvement. So your server application needs to create an appRole, and then grant the app Role as an application permission to the client application.

First, you need to expose the api of the server application protected by Azure, which can be configured according to the following process:

Azure portal>App registrations>Expose an API>Add a scope>Add a client application

Then you need to create the appRole of the server application, and then grant that role as an application permission to the client application.

Next, go to client application>API permissions>Add a permission>My APIs>your api application.

Finally, you need to obtain an access token using the client credential flow where no user is logged in:

Parse the token：

answered Jun 30 '21 at 07:37

Carl Zhao

8,543
2
11
19

Hey @CarlZhao, that was definitely helpful. I was able to get a token successfully with your steps above using Postman. The part that was missing was creating an App Role. Thanks for the clarification. Unfortunately, I'm still receiving the same sign-in flow issue, and I think this is based on my Spring configuration. I've changed the scope to ./default, but same issue. Any feedback on that side? – Billy Bolton Jun 30 '21 at 18:27
Very useful post, thanks! I really don't understand why Azure requires Admin privileges to grant the client roles for the exposed API (final step of your third screenshot) given it's not enough to be the owner of the called application. – spekdrum Apr 27 '22 at 12:19

chenrujun · Answer 2 · 2021-07-30T08:46:44.990

@BillyBolton.

There are several types of your application when using azure-spring-boot-starter-active-directory:

When your application is web application, sign-in flow will appear.
When your application is resource server, no sign-in flow will appear.

Related docs:

Related samples:

https://github.com/Azure-Samples/azure-spring-boot-samples/tree/azure-spring-boot_3.6/aad

Setup Azure Client Credential Flow with Spring

2 Answers2

Linked