
Spring boot oauth2 client with Azure AD, but common tenantID


I've set the Azure parameters with a tenant ID, and everything works well for users from my company in the AD. But I want to authenticate external users (manifest with "signInAudience": "AzureADandPersonalMicrosoftAccount").

The doc says that I should replace the tenant ID with "common" in the token and authorize URLs.

I've configured the Spring Boot OAuth2 client with:

spring:
  security:
    oauth2:
      client:
        provider:
          azure:
            issuer-uri: "https://login.microsoftonline.com/XXXXXXXXXXX/v2.0"
            token-uri: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
            authorization-uri: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            user-info-uri: "https://graph.microsoft.com/oidc/userinfo"
            jwk-set-uri: "https://login.microsoftonline.com/XXXXXXXXXXX/discovery/v2.0/keys"

I get this exception:

Signed JWT rejected: Another algorithm expected, or no matching key(s) found

The JWT is not validated; nothing matches: the kid in the JWT header is not in the list at https://login.microsoftonline.com/XXXX/discovery/v2.0/keys.

On the other hand, if I set

jwk-set-uri: https://login.microsoftonline.com/common/discovery/v2.0/keys

it contains the right kid, but the token is rejected with this exception:

[invalid_id_token] The ID Token contains invalid claims: {iss=https://login.microsoftonline.com/XXXXX/v2.0}

What is the right way to integrate AzureAD with external users?


Solution

  • The value you put as issuer-uri in your config must be exactly the value of the iss claim in your tokens (even the trailing slash, if any, is important).

    If you have more than one possible issuer for the tokens you want to accept, then you are in a typical multi-tenant scenario. If all these tenants are known at startup (for instance https://login.microsoftonline.com/XXXXXXXXXXX/v2.0 and https://login.microsoftonline.com/common/discovery/v2.0), then it is "static" multi-tenancy, which you can implement by configuring the authentication manager as stated in the "Resolving the Tenant By Claim" section of the doc I linked, or by using my starter, which allows you to do that with just application properties.
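The "static" multi-tenancy the answer refers to, written out as an added example that is not part of the original question or answer. It shows the Spring Security resource-server configuration described in the reference documentation's "Resolving the Tenant By Claim" section: one JwtDecoder per trusted issuer, selected by the iss claim of the incoming token, so the signature is always checked against the JWKS of the issuer that actually minted the token (the mismatch behind the "no matching key(s) found" error above). The tenant IDs, the class name and the use of a resource server rather than the question's OAuth2 client are assumptions for illustration.

```java
// Added example (not from the original post): static multi-tenancy for a
// Spring Security resource server. Each trusted issuer gets its own
// JwtDecoder, built from that issuer's OIDC discovery document, so tokens
// are only ever validated against the keys and `iss` value of the tenant
// that issued them.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiTenantResourceServerConfig {

    // Assumption: every tenant you accept is known at startup. The tenant
    // IDs below are placeholders; each entry must match a token's `iss`
    // claim byte for byte (scheme, host, path, trailing slash or not).
    private static final String[] TRUSTED_ISSUERS = {
            "https://login.microsoftonline.com/XXXXXXXXXXX/v2.0",
            "https://login.microsoftonline.com/YYYYYYYYYYY/v2.0"
    };

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The resolver parses the `iss` claim of the bearer token, rejects
        // tokens whose issuer is not in the trusted list, and dispatches the
        // rest to a JwtDecoder created lazily (from .../.well-known/openid-
        // configuration) for exactly that issuer. On Spring Security 6.2+
        // the static factory fromTrustedIssuers(...) can be used instead.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(TRUSTED_ISSUERS);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));

        return http.build();
    }
}
```

Two points follow from the errors quoted in the question. First, an issuer that is not in the list is refused before any key lookup, so an unexpected tenant fails closed rather than being validated against the wrong JWKS. Second, the "[invalid_id_token]" error shows that even when the authorize and token endpoints use "common", the token's iss still names the user's actual tenant; it is those per-tenant iss values, not a "common" URL, that have to appear in the trusted list.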