Tags: azure, spring-boot, spring-security, oauth-2.0, azure-active-directory

Azure AD, Angular Spa and Spring Microservice Integration


We are using Azure AD for authentication and authorization. Our Angular SPA has SSO enabled with Azure AD. We need to secure our backend service and only allow API calls that carry a valid JWT token.

What we have done so far is:

  1. Registered our angular app in Azure AD.

  2. We have configured the Spring microservice as a resource server, and the application properties contain jwt.issuer-uri:

    spring.security.oauth2.resourceserver.jwt.issuer-uri=XXXXXXXXXXX-XXXXXXXXX-XXXXXXX-XXXXXXXXXXX

The issue is that the token we get from Azure AD has an audience of "00000003-0000-0000-c000-000000000000", which means the token is generated for Microsoft Graph. I also tried accessing the Graph API with this token and it worked. But what we want is to verify this token in our own Spring microservice and grant permission based on the JWT provided.

To solve this issue I had to make some config changes in our Azure-registered Angular app. I added a custom scope api://<>/app and use this scope while acquiring the token. Now the token is being validated in the backend and the API is working fine.

This config somehow works but doesn't seem correct to me. I am new to Azure, so I am not sure how all these things tie up.

  1. The new token which is now being generated has an audience of our Angular SPA client ID. Is this correct? Shouldn't it be the backend service? And why is it getting validated by the backend with the current configuration?
  2. My understanding is that we don't have to register our Spring microservice with Azure AD. It will just act as a resource server and will decode the token provided by the Angular app using the issuer URL.
  3. In case we need to register our backend services with Azure AD, would it be difficult to do the same for all microservices?

I have done all the settings by referencing https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html

In some other links I find a completely different config for setting up the backend service. I am not sure which one is correct. https://learn.microsoft.com/en-us/java/api/overview/azure/active-directory-spring-boot-starter-readme?view=azure-java-stable


Solution

  • Azure AD is a little confusing when following a standards-based approach. I wrote a blog post on this a couple of years back:

    • You have already figured out that you need at least one API registration to work, to expose an API scope - so that you get usable access tokens

    • The generated ID from the API entry in Azure then becomes your audience, as in step 9 of the article.

    What we'd really like to do is this, so that we can do things like forward the JWT in microservice to microservice calls:

    • Get Azure AD to issue an audience claim such as api.mycompany.com that is common to all microservices

    • Issue multiple scopes in the access tokens, based on areas of data in microservices - as in this Curity doc

    I would aim for a single entry in Azure AD to represent your platform of APIs. Then each microservice can use the same generated audience value.

    Hopefully you can get multiple custom scopes to work also, though there are some annoyances here, especially when you want to use built-in OpenID Connect User Info scopes, which Azure AD exposes via the Graph API.
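Both the question (why a token minted for Microsoft Graph must not be accepted, and why a token is or is not "validated by the backend") and the answer (one API registration whose generated ID becomes the audience shared by every microservice) come down to the resource server checking the aud claim, not just the issuer. Spring Boot's issuer-uri property alone verifies signature, expiry and issuer; it does not pin the audience. The following is an added example, not code from the question, the answer, or the linked articles: a Spring Security resource-server configuration that validates issuer and audience together. The package name, the app.security.expected-audience property and the api://<api-app-id> placeholder are assumptions; the audience value is whatever Azure AD puts in aud for your API registration.

```java
// Added example (not from the original post): Spring Security resource server that
// validates the issuer AND the audience of every incoming JWT. Tokens issued for another
// resource (for example Microsoft Graph, aud 00000003-0000-0000-c000-000000000000)
// fail the audience check even though their signature and issuer are valid.
package com.example.api.security; // assumed package name

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Same property the question already uses; Azure AD's OpenID metadata is fetched from it.
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    // Assumed property: the audience Azure AD places in tokens for the API registration,
    // e.g. api://<api-app-id> or the registration's generated ID. Shared by all microservices.
    @Value("${app.security.expected-audience}")
    private String expectedAudience;

    @Bean
    public JwtDecoder jwtDecoder() {
        // Resolves the JWKS from the issuer's discovery document and verifies the signature.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuerUri);

        // Default checks: exp/nbf timestamps plus an exact issuer match.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);

        // Audience check: aud is a list in JWT terms; the token is only accepted if it
        // names this API. A Graph token or a token for an unrelated app is rejected here.
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(expectedAudience));

        // All validators must pass; a failure yields a 401 with an invalid_token error.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every endpoint requires an authenticated (validated) bearer token.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Wire the decoder above so the audience validator is actually used.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }
}
```

With this in place, the question's first observation has a direct check: decode a token that worked against the backend and compare its aud claim with the configured expected-audience value. If the backend accepted a token whose aud was the SPA's client ID, that is because nothing was validating the audience; once the validator above is in place, only tokens whose aud names the API registration pass, which is what makes the answer's single shared audience value useful across microservices.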