Azure App Configuration
An Azure service that provides hosted, universal storage for Azure app configurations.
214 questions
How to integrate spring security with Azure OAuth2.0 endpoint ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 43%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Raghavan
0
Reputation points
We are trying to use spring-boot-oauth-resource-server approach to enable authentication and authorization against Azure OAuth. We have registered a client app and create the client secret, scope api endpoints etc. We are also able to generate a token using the OAuth token endpoint - https://login.microsoftonline.com/******/oauth2/v2.0/token
However, when we try to access the endpoint for token verification via the spring boot app, the token validation happens against https://sts.windows.net while the certificate for the endpoint (login.microsoftonline.com) has no SubjectAlternateList for the sts.* or *windows.net and hence fails
Appreciate any pointers or recommendations to resolve the same.
Note: The same spring boot app has been tested with keycloak server as AuthorizationServer and works fine. Problem is while integrate with Azure Authorization endpoint.
{count} votes
-
Raghavan 0 Reputation points
2024-07-06T03:20:56.0933333+00:00 Details
Error spring boot app that acts as resource server hosting REST APIs
Caused by: java.lang.IllegalStateException: The Issuer "https://sts.windows.net/***/" provided in the configuration did not match the requested issuer "https://login.microsoftonline.com/***" at org.springframework.util.Assert.state(Assert.java:97) ~[spring-core-6.1.10.jar:6.1.10] at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.validateIssuer(JwtDecoderProviderConfigurationUtils.java:99) ~[spring-security-oauth2-jose-6.3.1.jar:6.3.1]Spring Boot configuration
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/*** spring.security.oauth2.resourceserver.jwt.audiences=api://*******/Files.ReadCertificate SubjectAlternateNames
DNS Name: portal.office.com DNS Name: portal.microsoftonline.com DNS Name: portalprv.microsoftonline.com DNS Name: ncuportalprv.office.com DNS Name: office.com DNS Name: portal.microsoft.com DNS Name: home.office.com DNS Name: portal-sdf.office.com DNS Name: prod.msocdn.com DNS Name: www.office.com DNS Name: *.portal.office.com DNS Name: *.www.office.com DNS Name: admin.microsoft.com DNS Name: admin.microsoft365.com DNS Name: www.microsoft365.com DNS Name: ntp.www.office.com DNS Name: fluid.office.com DNS Name: microsoft365.com DNS Name: word.office.com DNS Name: excel.office.com DNS Name: powerpoint.office.com DNS Name: visio.office.com DNS Name: apps.office.com DNS Name: stream.office.com DNS Name: portal.office365.com DNS Name: m365.go.microsoft DNS Name: m365.cloud.microsoft DNS Name: helpdeskbusinessassist.microsoft.com DNS Name: admin.cloud.microsoft DNS Name: config.centro.core.microsoftJwt Token decoded
{ "aud": "api://***", "iss": "https://sts.windows.net/***/", "iat": 1720205341, "nbf": 1720205341, "exp": 1720210557, "acr": "1", ... "scp": "Files.Read", "ver": "1.0" } -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
JananiRamesh-MSFT 23,336 Reputation points2024-07-10T07:24:31.6666667+00:00 @Raghavan Thanks for reaching out. It’s possible that your client application is getting a v1 token even when sending the request to the v2 endpoint. This could be due to the configuration of your application in Azure.
The version of the access tokens is determined by the accessTokenAcceptedVersion in the manifest of your application/API. If accessTokenAcceptedVersion is set to null or 1, then all client applications requesting access tokens to call this resource will get a v1 access token.
To get a v2.0 token, you need to change the accessTokenAcceptedVersion to 2 in your application’s manifest. After making this change, try generating the token again.
Hope this helps! Do let me know incase of further queries, I would be happy to assist you.
Sign in to comment