Azure AD access token validation

Ashish Pukale 21 Reputation points
2022-06-10T04:44:28.757+00:00

Hi,
We have a SPA in Angular JS and Spring Boot at the backend.
On Azure AD, a web API is exposed with the user_access scope.
The SPA does the authentication of the user and gets the access token as part of the redirect URI.
Now the SPA calls the Spring Boot backend API, attaching the access token as a Bearer token in the header.
Could you please help with validation of this access token using Spring Boot?
The examples shared on Azure use the Azure library.
I am able to validate the ID token via Spring Boot but not the access token. I see an access denied message during validation.
I am looking for a more generic solution to validate the access token using Spring Boot Security.
We are using the OAuth 2.0 OpenID Connect flow.


Accepted answer
  1. Shweta Mathur 27,786 Reputation points Microsoft Employee
    2022-06-10T09:29:34.783+00:00

    Hi @Ashish Pukale ,

    Thanks for reaching out.

    I understand you are trying to validate the access token using Spring Boot Security.

    Access tokens are signed by Azure AD, and the application should check that their signature is correct. Azure AD has an endpoint with the public key to do so, which we have to configure in the application.

    A first option is to configure the issuer URI so that it can find the correct endpoint in the discovery document. The discovery document is a convenience endpoint where a lot of the client configuration can be found, including the web keys endpoint.

    You can find the discovery document by appending .well-known/openid-configuration to the issuer URI.

    application.properties:
    spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/<<<tenant_id>>>/v2.0/

    Alternatively, you can look up the keys endpoint yourself in the discovery document and then provide this JSON Web Key (JWK) endpoint directly:

    application.properties:
    spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://login.microsoftonline.com/<<<tenant_id>>>/discovery/v2.0/keys

    Please find the reference for implementing the security config in Java to validate the token:
    https://github.com/Azure-Samples/ms-identity-java-webapi/blob/edbd399155341556e3871065d1b8b4be2e9cbce0/msal-obo-sample/src/main/java/com/microsoft/azure/msalobosample/SecurityResourceServerConfig.java

    Hope this will help.

    Thanks,
    Shweta

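The following is an added example (not code from the answer above or from the linked Azure sample) showing how the jwk-set-uri approach from the answer is wired up in Spring Security, with an explicit issuer and audience check. The property names azure.tenant-id and azure.api-audience are assumed placeholders, not Spring or Azure keys.

```java
// Added example: a Spring Security resource-server config that validates Azure AD v2.0
// access tokens. Assumptions: the API's Application ID URI (or client id) is supplied in
// application.properties under the made-up keys azure.tenant-id and azure.api-audience.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AccessTokenSecurityConfig {

    @Value("${azure.tenant-id}") private String tenantId;            // placeholder tenant id
    @Value("${azure.api-audience}") private String expectedAudience; // e.g. api://<client-id>

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        String issuer = "https://login.microsoftonline.com/" + tenantId + "/v2.0";
        String jwkSetUri = "https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys";
        // The decoder fetches Azure AD's signing keys and verifies the token signature.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // A token issued for a different API has a different "aud" claim and must be rejected;
        // an audience mismatch is a common reason a signature-valid token is still denied.
        OAuth2TokenValidator<Jwt> audience = token -> token.getAudience().contains(expectedAudience)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "audience mismatch", null));
        // Default validators cover exp/nbf and the issuer; the audience check is added on top.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(issuer), audience));
        return decoder;
    }
}
```

The issuer string must match the token's iss claim exactly, so confirm which token version (v1.0 or v2.0) the API registration issues before choosing it.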

1 additional answer

Sort by: Most helpful
  1. Wagner Costa 5 Reputation points
    2023-03-31T15:36:03.3566667+00:00

    I have the same question; however, we are not using the Spring Cloud Security libs. We have an API Gateway (Sensedia) in front, but I would like to open this token to get the user data (oid) in Azure AD B2C. Is there any endpoint that I can call without needing to configure spring.security.oauth2 resources?

    Example: curl --location 'https://graph.microsoft.com/v1.0/me' --header 'Authorization: Bearer {{tokenUsers}}'
