We have a web application (login page, etc) that calls a backend server (JWT) for all services. The backend server also exposes multiple API's (REST, SOAP) that utilize HTTP Basic Authentication. I am looking to migrating to OpenIDConnect and OAuth2 with the Spring Security toolset. I am trying to understand the correct configuration and the best way to integrate with identity providers like AzureAD.
The web application sounds like a OAuth Web application and a OAuth2 client. The backend server sounds like an OAuth resource servers for multiple API's.
What is the best way to model in AzureAD?
Looking for any insight and recommendations. Thanks
Note that: By having separate client IDs for every it will be easy to monitor and manage permissions for each API separately.
Implementing common authorities pool will make application's configuration easier but difficult to monitor and manage permissions for each API if there are more APIs.
Hence, you can try creating separate Azure AD Application for every API (REST, SOAP). It is useful for auditing and security purposes.
Based on your requirement, you can make use Authentication Flows to authentication the Application.
Create an Azure AD Application and add API permissions:
Generate an access token to call the API:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
When I decoded the token, the assigned permissions are displayed like below:
By using the above access token, you can call the API:
GET https://graph.microsoft.com/v1.0/users