0

I have a Spring Boot App with AzureAD Authentication. This App generates a Username and Password for another page which can't have SSO (only htaccess). When I generate the Credentials for an authenticated user I want to recheck every 24 hours if the user is still enabled in the Active Directory. If the User is disabled, I will delete the generated Credentials, so they can't be used anymore by the user.

My question is: How can I check if a user by its unique Email is enabled/disabled in AAD from the backend site without the user beeing currently authenticated?

When the user is authenticated I use this to access the information for the current user:

public String getLdapUserEmail() {
    Map<String , Object> userDetails = ((DefaultOidcUser)SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getAttributes();
    return userDetails.get("preferred_username").toString();
}

But in this case I want to check all users I have given credentials to every 24 hours if they are still enabled in AAD, so I have to use something else than the SecurityContext Holder - but I don't know what.

In my pom I have following dependencies for the AAD and in the application.properties the tenant-id/client-id/client-secret are set up.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>azure-spring-boot-starter-active-directory</artifactId>
    <version>3.14.0</version>
</dependency>
p0w3rs
  • 3
  • 4

1 Answers1

0

Please check:

After getting the current user try storing in some variable User.

  • Please check if getActive() function can be used to check if user is enabled or disabled when user is loggedin .

    public int getActive() { return active; }

Snippet from java - Spring user account enabled/disabled - Stack Overflow

  boolean enabled = User.getActive(); // checking here if enabled
boolean accountNonExpired = true;  
 ...

return new User(
 User.getLogin(),
    User.getPassword(),
    enabled,
    accountNonExpired, 
  ...
);

• To check if user is enabled or disabled when not authenticated, please see if you can try to save the login details to the database to confirm the account and checking the above way to see the user status.

But please make sure to have admin role or privilege for accessing user info.

Or by using Microsoft graph api : DelegateGraphApiProperties.graph-api-spring-boot-starter · GitHub

public void setEmail(String email) {
        this.email = email;
    }
    public String getPassword() {
        return password;
    }

And by using saveUser() method to save details for later checking.

References:

  1. java - Spring Azure AD - Get user's ADDRESS after authentication - Stack Overflow
  2. java - Issue about spring boot rest api and javascript ajax call communication - Stack Overflow
kavyaS
  • 8,026
  • 1
  • 7
  • 19
  • 1
    Thank you! I am now using the Microsoft graph api which is doing exactly what I wanted. https://developer.microsoft.com/en-us/graph/graph-explorer with following query I got the result: https://graph.microsoft.com/v1.0/users/{id}?$select=accountEnabled [link](https://stackoverflow.com/questions/71057550/java-ms-graph-sdk-get-graphclient-using-an-existing-accesstoken-5-13-0-version) – p0w3rs Aug 26 '22 at 13:07