
I am trying to run Azure Active Directory for my Spring Boot app with web services. The problem is that when I log in successfully, it throws an error, which is:

[screenshot of the error message; not reproduced here]

I have added the following properties (tenant-id, client-id, client-secret, user-group.allowed-group-names) with

azure.activedirectory.redirect-uri-template=http://localhost:8080/login/oauth2/code/

and my configuration is:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class AADSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(WebSecurity web) {
    // Health endpoint bypasses the security filter chain entirely
    web.ignoring().antMatchers("/health");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // OAuth2/login endpoints stay open; everything else needs an authenticated AAD user
    http.authorizeRequests()
        .antMatchers("/oauth2/**", "/login/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .oauth2Login();
  }
}

A simple controller request is:

  @GetMapping("/list")
  @PreAuthorize("hasRole('Admin') or hasRole('Users')")
  public String getListPage() {
    return "list";
  }

The versions of the dependencies are:

<spring.security.version>5.6.0</spring.security.version>
<spring.boot.version>2.5.4</spring.boot.version>
<azure.version>3.10.0</azure.version>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
        <version>${spring.boot.version}</version>
    </dependency>

    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-starter-active-directory</artifactId>
        <version>${azure.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>5.6.0</version>
    </dependency>

Could you enlighten me on the issue so that I can get around it, please?

Update: solved using msal4j.

The sample example is:

https://github.com/Azure-Samples/ms-identity-java-webapp/tree/master/msal-java-webapp-sample

volkangurbuz
  • Hi @volkangurbuz, check the token. Use https://jwt.io to verify the claims: 1) Ensure you've selected the correct signing algorithm (RS256). 2) Check the **kid** claim, which indicates the particular public key that was used to validate the token; ensure you're checking against the key with which the token was signed. 3) Verify the **scp** claim to validate that the user has granted the calling app permission to call your API. 4) Check the **aud (audience)** claim: this identifies the intended recipient of the token – ShrutiJoshi-MT Dec 11 '21 at 12:12
  • And also refer to this thread: https://stackoverflow.com/questions/56638408/an-error-occurred-while-attempting-to-decode-the-jwt-signed-jwt-rejected-anoth – ShrutiJoshi-MT Dec 11 '21 at 12:13
  • Is your issue resolved? – ShrutiJoshi-MT Dec 13 '21 at 03:35

1 Answer


Check the token and use https://jwt.io to verify the claims:

1) Ensure you've selected the correct signing algorithm (RS256). The header of the JWT contains information about the key and encryption method used to sign the token:

Example:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk",
  "kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"
}

2) Check the kid claim, which indicates the particular public key that was used to validate the token. Ensure you're checking against the key with which the token was signed.

3) Verify the scp claim to validate that the user has granted the calling app permission to call your API.

4) Check the aud (audience) claim: this identifies the intended recipient of the token - its audience. Your API must validate this value and reject the token if the value doesn't match. In v2.0 tokens, this is always the client ID of the API, while in v1.0 tokens it can be the client ID or the resource URI used in the request, depending on how the client requested the token.

5) Check the roles and wids claims to validate that the user themselves has authorization to call your API. For example, an admin may have permission to write to your API, but not a normal user.

For more details, refer to these documents:

  1. An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
  2. Microsoft identity platform access tokens - Microsoft identity platform | Microsoft Docs
ShrutiJoshi-MT
  • Hello ShrutiJoshi-MT, many thanks for the response. As suggested, I have checked the algorithms; however, I still couldn't progress further. I do not use any algorithm in my application. I just have the sample code above. May I kindly ask if you could provide me with relevant docs and maybe some code snippets covering the area where I can? – volkangurbuz Dec 13 '21 at 19:30
  • Here are some documents that may help you: 1) https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory 2) https://medium.com/xebia-engineering/authentication-and-authorization-using-azure-active-directory-266980586ab8 3) https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/spring-boot-starter-for-azure-active-directory-developer-guide. Also check the claims in the token as mentioned above – ShrutiJoshi-MT Dec 14 '21 at 12:26
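As an added example that is not part of the question or the answer, the script below runs the answer's five claim checks (alg, kid, scp, aud, roles/wids) offline, the way you would eyeball them on jwt.io, against a constructed token whose header mirrors the answer's example; the client ID, scope, roles and the helper names (SAMPLE_*, inspect_claims) are made up, and the signature is a placeholder, so signature verification is deliberately out of scope.

```python
import base64
import json

# Constructed sample token (NOT a real AAD token): header and payload are modelled on the
# answer's example; the signature segment is a placeholder, so this script inspects claims
# only. Signature verification (kid -> JWKS key) is left to the resource server's decoder.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # made-up API client ID
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "iBjL1Rcqzhiy4fpxIxdZqohM2Yk"}
SAMPLE_PAYLOAD = {"aud": SAMPLE_CLIENT_ID, "scp": "access_as_user", "roles": ["Admin"]}
SAMPLE_JWT = ".".join([_b64url(SAMPLE_HEADER), _b64url(SAMPLE_PAYLOAD), "sig-placeholder"])

def decode_segment(segment):
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def inspect_claims(token, expected_aud, required_scope, allowed_roles):
    """Run the five checks from the answer; returns a list of problems (empty means OK)."""
    header, payload = (decode_segment(s) for s in token.split(".")[:2])
    problems = []
    # 1) signing algorithm must be what the resource server expects
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected RS256")
    # 2) kid must be present so the verifier can pick the matching JWKS key
    if not header.get("kid"):
        problems.append("header has no kid; cannot select the signing key")
    # 3) scp is a space-separated list of delegated scopes
    if required_scope not in payload.get("scp", "").split():
        problems.append(f"scp {payload.get('scp')!r} lacks {required_scope!r}")
    # 4) aud must name this API (v2.0: client ID; v1.0: client ID or resource URI)
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not match {expected_aud!r}")
    # 5) roles (app roles) / wids (directory roles) must intersect what the endpoint allows
    granted = set(payload.get("roles", [])) | set(payload.get("wids", []))
    if not granted & set(allowed_roles):
        problems.append(f"roles/wids {sorted(granted)} grant none of {sorted(allowed_roles)}")
    return problems

if __name__ == "__main__":
    for problem in inspect_claims(SAMPLE_JWT, SAMPLE_CLIENT_ID, "access_as_user", {"Admin", "Users"}):
        print("REJECT:", problem)
```

Paste a real token in place of SAMPLE_JWT and your app's client ID in place of SAMPLE_CLIENT_ID to see which of the five checks fails before debugging the Spring configuration.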