How to integrate Java Spring Boot application with AzureAD using OIDC?
- Published 7 Sep 2024
- This video explains how to integrate a Java Spring Boot application with AzureAD using OpenID Connect (OIDC) protocol.
AzureAD | OpenID Connect | Java Spring Boot
#identity #iam #security #sso #aws #amazonwebservices #oidc #idtoken #azureactivedirectory #spring #springboot #openidconnect #java #javaprogramming #javasecurity #springsecurity #azure #azuread #azureactivedirectory
Please subscribe to this channel for regular updates ua-cam.com/channels/EEayyyCrJO94FYlzF0NLTg.html
Thank You for the support.
Clear explanation, thanks. One question: is the workflow the same if I use a SAML SSO token with AzureAD?
No, these steps will work only for OIDC. For SAML, different libraries are used and I am still looking into that.
@securityinaction1018 I'm trying to intercept the requestResponse from the IdP to the SP, but the object is always null.
I have not tried customizing that behavior. Which request's response are you trying to intercept?
Very neat explanation. Thank you. One question: if I have a REST API in Spring Boot, how do I securely expose it to another application which has got its own auth implemented?
If you are hosting the REST API, the best practice is to maintain your own Authorization Server which can return tokens for the other applications. Those apps can then use these tokens to call your APIs. For ex: all Google APIs are secured using tokens generated by the Google IdP; similarly, a Facebook API is secured using tokens generated by the Facebook IdP.
If you still want to use the app's authorization server, you can still do that by validating the tokens against the app's authorization server.
Could you please provide a git link for this OAuth2 authentication implementation?
I will check and upload the code in Git if it is still available. Meanwhile, if you face any issues in setting up the workspace and code from scratch, please post your questions here.
Please like, subscribe & share!! Thanks in advance.
I have a query. In Azure AD we are able to get the access_token from the OAuth2AuthorizedClient object in my Spring Boot application. If the user is using my application continuously, in that case we have to increase the access token time limit accordingly, right? So how do I implement this? Could you please provide info 🙂
I know we can get a new token using the refresh_token, but I want to get a new token without the refresh token.
Is there any reason why you don't want to refresh the tokens? The best practice is to refresh the token periodically. I don't know if AzureAD has an option to increase the timeout for the access token. I know Cognito has that option.
Sorry, actually in the msal4j library the acquire token silently method is there, that's why I asked you, but just now I realised that we can refresh the access token using the refresh token.
Could you please provide a reference on how to implement this in Spring Cloud Gateway?
Very neat explanation, thank you. I want to implement this only for specific endpoints in controllers, and when I click on other endpoints I don't want to redirect to the authentication login. Please help with this.
In order to bypass a specific endpoint, you can create the OAuth2LoginSecurityConfig class as mentioned here docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-provide-securityfilterchain-bean.
For ex: if you want to bypass the /user endpoint:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/user").permitAll()   // /user is served without login
                .anyRequest().authenticated()           // everything else redirects to the Azure AD login
            )
            .oauth2Login(withDefaults());               // static import of Customizer.withDefaults
        return http.build();
    }
Nice video! Could you please also provide an example of using the refresh token (using the offline_access scope), as the access_token/id_token lifetime is very short (1 hour)?
I think Spring Boot will take care of refreshing the access token automatically. You can set the offline_access scope in the application.yml file and give it a try.
@securityinaction1018 Thanks for the prompt response. I already tried scope=openid%20email%20profile%20offline_access. But after the token expires after one hour, it again redirects to the authorize endpoint to get the code, whereas I want it to get the new access token from the refresh token subsequently.
Ok, this documentation docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#_refreshing_an_access_token has some details. But it is not very clear. When I get a chance, I will do some research on this topic and post a video.
🎉 Hi, I really like the way you explain. Thanks for that; one doubt!
Can you please let us know how to fetch the access_token, refresh_token, id_token, expires_in details, etc. when the user is authorised?
Thank you!!
I was planning to post a video on that and it is still pending from my side. I will post and let you know.
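An added example for the two questions above (refreshing the access token with the refresh token obtained via offline_access, and reading the token details once the user is authorised). This is not the video's code or the channel's repository; it assumes the client registration in application.yml is named "azure" and that Spring Boot 3 / Spring Security 6 is in use.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
class AuthorizedClientConfig {
    // With refreshToken() in the provider chain, authorize() swaps an expired access token
    // for a new one via the stored refresh token instead of redirecting the browser to Azure AD.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                          OAuth2AuthorizedClientRepository clients) {
        var manager = new DefaultOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode().refreshToken().build());
        return manager;
    }
}

@RestController
class TokenInfoController {
    private final OAuth2AuthorizedClientManager manager;
    TokenInfoController(OAuth2AuthorizedClientManager manager) { this.manager = manager; }

    @GetMapping("/token-info")
    Map<String, Object> tokenInfo(Authentication auth, @AuthenticationPrincipal OidcUser user) {
        // "azure" is the assumed registration id from application.yml
        OAuth2AuthorizedClient client = manager.authorize(
                OAuth2AuthorizeRequest.withClientRegistrationId("azure").principal(auth).build());
        if (client == null) throw new IllegalStateException("no authorized client for this user");
        Map<String, Object> info = new LinkedHashMap<>();
        // Expose metadata only: the raw token strings are bearer credentials, never echo them to the browser
        info.put("access_token_expires_at", client.getAccessToken().getExpiresAt());
        info.put("refresh_token_present", client.getRefreshToken() != null); // requires offline_access
        info.put("id_token_subject", user.getIdToken().getSubject());
        info.put("id_token_expires_at", user.getIdToken().getExpiresAt());
        return info;
    }
}
```

Call GET /token-info after login; when the access token has expired, the returned expiry moves forward because the manager refreshed it server-side with no new authorize redirect.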
@securityinaction1018 Thank you for your quick reply. When can we expect the video? I need to implement it in my Spring Boot 3 app. Thanks in advance.
I will try my best to post it in near future.
Excellent video!
My web app has mobile apps as well. It has its own REST API to login and JWT. How do I allow SSO Azure AD users also to login? Is it presenting 2 login options?
Yes. If you have your own login page, you can add a button to sign in with AzureAD.
Hi, I have a multi-tenant application, where each tenant could be owning their own AzureAD. How can I achieve the same setup but with multiple Azure ADs and a single backend?
I have not done any POC. But, you can try this option docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-register-clientregistrationrepository-bean
Instead of configuring the OAuth2 client in application.yml, you can register the clients dynamically.
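An added example of the dynamic registration suggested above, one Spring Boot backend serving several Azure AD tenants (this is not the video's code; tenant IDs, client IDs and secret variable names are constructed placeholders):

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

@Configuration
class MultiTenantAzureAdConfig {

    // Hypothetical per-tenant settings; in a real deployment they come from a database or vault
    record AzureTenant(String registrationId, String tenantId, String clientId, String clientSecret) {}

    // Builds one registration per tenant. fromIssuerLocation fetches the tenant's OIDC metadata
    // (authorization, token, JWKS and end_session endpoints). Use the tenant GUID, not a domain
    // name, because Spring checks that the metadata's issuer matches this URL.
    static ClientRegistration azureRegistration(AzureTenant t) {
        String issuer = "https://login.microsoftonline.com/" + t.tenantId() + "/v2.0";
        return ClientRegistrations.fromIssuerLocation(issuer)
                .registrationId(t.registrationId())
                .clientId(t.clientId())
                .clientSecret(t.clientSecret())
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email")
                .build();
    }

    // Replaces the application.yml client configuration; each tenant logs in via
    // /oauth2/authorization/{registrationId}, e.g. /oauth2/authorization/contoso
    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        List<AzureTenant> tenants = List.of(   // placeholder values, not real tenants
                new AzureTenant("contoso", "TENANT-A-GUID-PLACEHOLDER", "CLIENT-ID-A-PLACEHOLDER",
                        System.getenv("CONTOSO_CLIENT_SECRET")),
                new AzureTenant("fabrikam", "TENANT-B-GUID-PLACEHOLDER", "CLIENT-ID-B-PLACEHOLDER",
                        System.getenv("FABRIKAM_CLIENT_SECRET")));
        return new InMemoryClientRegistrationRepository(
                tenants.stream().map(MultiTenantAzureAdConfig::azureRegistration).toList());
    }
}
```

Each tenant's redirect URI (/login/oauth2/code/contoso, /login/oauth2/code/fabrikam) must be registered on that tenant's app registration; for tenants added at runtime, implement ClientRegistrationRepository yourself and look the tenant up in findByRegistrationId instead of using the in-memory list.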
Dude, your mic volume is so low, even if I try with headphones on. Please take care of it next time.
Sure. Thank you for the feedback.
I want to integrate SSO using Azure AD in my existing Java web application. Can I follow these steps? Will it work?
Yes, if your Java web app uses the Spring Boot framework. If not, I am sure there should be some library to integrate using OIDC.
@securityinaction1018 My project is based on simple Java and JSP. It uses servlets and Struts. I don't know how to use Azure AD to implement SSO; if you can help me with this it would be great.
With simple JSP / Servlets, you have to write all the logic to redirect, call token endpoints. You can take a look at this sample github.com/auth0-samples/auth0-servlet-sample from Auth0. But, it is just a reference code. You need to modify it accordingly for AzureAD integration.
@securityinaction1018 Thanks for your reply!
I have an enterprise application, and I'm trying to use Spring Boot for the authentication part. This project doesn't have any pom or dependencies, so I'm adding jars for each change.
1. Now I have created one application.java class which contains the main method.
2. And I have created a login controller class for user authentication.
3. I have created an application.initializer class.
4. In the application.properties file I have added the Azure AD redirect settings (tenant ID, client secret keys, etc.).
But it is not working and not redirecting; I don't know what to do.. 🥲 And the deadline is near for me to complete this task.
- Can you suggest something for the same?
It's very difficult to build apps without pom. In any case, as long as all the dependent jars are available in the classpath, you should be able to build the app using the instructions in my video.
Can you provide the GitHub code for this?
I uploaded the sample code to github.com/secinaction101/springbootaad/tree/main/demo
Why do you not implement sign out also?
Sign out depends on the requirements. If you want only the app session to be killed, I am sure Spring Boot offers an out-of-the-box solution to do that. If the IdP session also needs to be killed, it depends on what options the IdP offers.
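An added example (not from the video) of the second case mentioned above, ending the IdP session as well: Spring's OIDC RP-initiated logout handler first clears the local session and then sends the browser to Azure AD's end_session_endpoint. It assumes application.yml configures the registration with an issuer-uri, so the endpoint is read from the tenant's OIDC metadata, and that /logged-out is a page of your own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
class LogoutSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository registrations)
            throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(withDefaults())
            // POST /logout (CSRF-protected by default): Spring clears the local session first,
            // then the success handler sends the browser on to Azure AD's end_session_endpoint
            .logout(logout -> logout
                .logoutSuccessHandler(oidcLogoutSuccessHandler(registrations))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));
        return http.build();
    }

    private LogoutSuccessHandler oidcLogoutSuccessHandler(ClientRegistrationRepository registrations) {
        OidcClientInitiatedLogoutSuccessHandler handler =
                new OidcClientInitiatedLogoutSuccessHandler(registrations);
        // Only takes effect when the registration knows the end_session_endpoint, i.e. when the
        // client was configured from the tenant's v2.0 metadata. The handler appends id_token_hint
        // and this post_logout_redirect_uri; register the same URL on the app registration,
        // otherwise Azure AD will not send the browser back to the app after signing out.
        handler.setPostLogoutRedirectUri("{baseUrl}/logged-out");
        return handler;
    }
}
```

Without the handler, POST /logout only drops the Spring session, and the next visit silently signs the user back in because the Azure AD browser session is still alive.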
How to log out the Azure AD SSO session? It is not clearing the browser cookies.
How to get rid of the page at 22:09? It's ugly and completely unnecessary.
You can customize the login page as per Spring docs. I have not tried that.
Sir, how to do the same with Spring MVC?
I have not tried this with Spring MVC. I see some Stack Overflow solutions which might work.
Can you share those solutions? I also need an example in a legacy Spring application, not Boot! @securityinaction1018