Spring Cloud Data Flow and Azure AD

Devang Bagora 0 Reputation points
2024-09-07T03:32:20.37+00:00

I am trying to implement role-based access control in SCDF (Spring Cloud Data Flow) using Azure AD. SSO is working with client secrets, but I need to authenticate using a certificate. What is the correct way to do that? I have tried the following way but with no success:

spring:
  security:
    oauth2:
      client:
        registration:
          dataflow-server:
            provider: azure
            redirect-uri: http://localhost:9393/login/oauth2/code/scdfdemo
            client-id: abcd1234
            client-certificate-path: /abcd/certificate.pem

I followed ref: https://docs.spring.io/spring-cloud-dataflow/docs/current/reference/htmlsingle/#appendix-identity-provider-azure

Please help.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. James Hamil 24,926 Reputation points Microsoft Employee
    2024-09-13T21:39:36.1566667+00:00

    Hi @Devang Bagora

    You're trying to specify the client certificate path using the "client-certificate-path" property, but this property is not supported by Spring Security OAuth2. Instead, you need to configure the SSL context to use the client certificate:

    spring:
      security:
        oauth2:
          client:
            registration:
              dataflow-server:
                provider: azure
                redirect-uri: http://localhost:9393/login/oauth2/code/scdfdemo
                client-id: abcd1234
            provider:
              azure:
                token-uri: https://login.microsoftonline.com/{tenant-id}/oauth2/token
                authorization-uri: https://login.microsoftonline.com/{tenant-id}/oauth2/authorize
                user-info-uri: https://graph.microsoft.com/v1.0/me
                jwk-set-uri: https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys
                client-name: Azure AD
                client-id: abcd1234
                client-authentication-method: post
                scope: openid, profile, email
                ssl:
                  key-store: /path/to/keystore.p12
                  key-store-password: keystore-password
                  key-store-type: PKCS12
                  key-alias: client-certificate-alias
                  key-password: client-certificate-password


    You need to specify the path to the keystore that contains the client certificate using the "key-store" property. You also need to specify the keystore password using the "key-store-password" property, the keystore type using the "key-store-type" property, the alias of the client certificate using the "key-alias" property, and the password for the client certificate using the "key-password" property.

    Make sure to replace the placeholders ({tenant-id}, /path/to/keystore.p12, client-certificate-alias, and client-certificate-password) with the actual values for your environment.

    Please let me know if you have any questions and I can help you further. If this answer helps you please mark "Accept Answer" so other users can reference it. Thank you, James

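An added example, not part of the question or the answer above and not code from the Spring Cloud Data Flow project. Microsoft Entra ID does not authenticate a confidential client with a TLS client certificate at the token endpoint; a certificate credential is presented as a client assertion (RFC 7523, `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`): a JWT signed with the certificate's private key, with `iss` and `sub` set to the client ID, `aud` set to the token endpoint, and the certificate's SHA-1 thumbprint in the `x5t` header so Entra can match it against the certificate uploaded under the app registration's "Certificates & secrets". Spring Security models this as `client-authentication-method: private_key_jwt` plus `NimbusJwtClientAuthenticationParametersConverter`. The configuration class below wires that into the authorization-code token request. Assumptions: the Data Flow server is built from the SCDF starter so that your own `@Configuration` classes are on its classpath and its OAuth2 login honours a user-supplied `OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>` bean (verify this against the SCDF version you run); the bundled Spring Security is 6.1 or newer, where `setJwtClientAssertionCustomizer` exists; the property names `scdf.entra.keystore.*` are invented for this example and the keystore is a PKCS12 file holding the private key and certificate under one alias.

```java
package com.example.scdf.security;

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.function.Function;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

/**
 * Example (not SCDF project code): authenticate the Data Flow server to Entra ID with a
 * certificate by signing a private_key_jwt client assertion instead of sending a secret.
 */
@Configuration
public class EntraCertificateClientAuthConfig {

    // scdf.entra.keystore.* are hypothetical property names chosen for this example;
    // supply the password from an environment variable or secret store, not plain YAML.
    @Bean
    public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenResponseClient(
            @Value("${scdf.entra.keystore.path}") String keystorePath,
            @Value("${scdf.entra.keystore.password}") String keystorePassword,
            @Value("${scdf.entra.keystore.alias}") String alias) throws Exception {

        // Load the private key and its certificate from the PKCS12 keystore.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Path.of(keystorePath))) {
            keyStore.load(in, keystorePassword.toCharArray());
        }
        X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
        RSAPrivateKey privateKey = (RSAPrivateKey) keyStore.getKey(alias, keystorePassword.toCharArray());
        RSAPublicKey publicKey = (RSAPublicKey) cert.getPublicKey();

        // Entra matches the assertion to the uploaded certificate by its SHA-1 thumbprint,
        // carried base64url-encoded in the JWT header "x5t".
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        String x5t = Base64URL.encode(sha1).toString();

        // The JWK holds the signing key; the key ID doubles as a readable identifier.
        JWK signingKey = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(x5t)
                .build();

        // Only registrations configured with client-authentication-method: private_key_jwt
        // get the assertion; any other registration keeps its existing behaviour.
        Function<ClientRegistration, JWK> jwkResolver = registration ->
                ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(registration.getClientAuthenticationMethod())
                        ? signingKey : null;

        // Spring Security builds the assertion (iss/sub = client-id, aud = token-uri, jti, exp)
        // and signs it; the customizer adds the x5t header Entra requires.
        NimbusJwtClientAuthenticationParametersConverter<OAuth2AuthorizationCodeGrantRequest> assertionConverter =
                new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);
        assertionConverter.setJwtClientAssertionCustomizer(context ->
                context.getHeaders().header("x5t", x5t));

        // Attach the assertion parameters to the authorization-code token request.
        OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
                new OAuth2AuthorizationCodeGrantRequestEntityConverter();
        requestEntityConverter.addParametersConverter(assertionConverter);

        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRequestEntityConverter(requestEntityConverter);
        return client;
    }
}
```

With this bean in place, the registration drops `client-secret` and instead sets `client-authentication-method: private_key_jwt`, and the provider is most simply configured with `issuer-uri: https://login.microsoftonline.com/{tenant-id}/v2.0` so that the token endpoint used as the assertion's `aud` is discovered rather than typed by hand; keep the redirect URI as `{baseUrl}/login/oauth2/code/{registrationId}` so it matches the registration name. The private key never leaves the server's keystore, the app registration only holds the public certificate, and rotating the credential means uploading a new certificate and swapping the keystore. If the Spring Security version SCDF bundles predates `setJwtClientAssertionCustomizer`, confirm against the Microsoft identity platform documentation whether the assertion Spring emits (key identified by `kid` only) is accepted before relying on it.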
