{"id":15430514,"url":"https://github.com/lenisha/spring-aad-samples","last_synced_at":"2026-05-03T19:32:35.923Z","repository":{"id":116070872,"uuid":"446887768","full_name":"lenisha/spring-aad-samples","owner":"lenisha","description":"Securing Spring Boot REST API with Azure AD","archived":false,"fork":false,"pushed_at":"2022-01-12T21:39:39.000Z","size":2440,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-18T06:16:08.590Z","etag":null,"topics":["azureactivedirectory","azuread","oidc","spring-security","springboot"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lenisha.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-11T15:58:05.000Z","updated_at":"2022-01-12T15:36:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"9bccb07b-3666-4c46-aab5-cd20d793918c","html_url":"https://github.com/lenisha/spring-aad-samples","commit_stats":{"total_commits":28,"total_committers":1,"mean_commits":28.0,"dds":0.0,"last_synced_commit":"4cac37020ddbf7cadfe79eb52d12e2924cb7c4ba"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fspring-aad-samples","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fspring-aad-samples/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fspring-aad-samples/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/lenisha%2Fspring-aad-samples/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lenisha","download_url":"https://codeload.github.com/lenisha/spring-aad-samples/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245977077,"owners_count":20703585,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azureactivedirectory","azuread","oidc","spring-security","springboot"],"created_at":"2024-10-01T18:16:47.462Z","updated_at":"2026-05-03T19:32:30.902Z","avatar_url":"https://github.com/lenisha.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Securing Spring with Azure AD\n\nThis repo contains two examples of a Spring Boot REST API secured with Azure AD OAuth2:\n\n- [Microsoft Azure AD SpringBoot Starter](./ms-aad-restapi)\n- [Spring Security OAuth 2.0](./spring-security-restapi)\n\nBoth examples provide the libraries and integration needed to secure a REST API (a resource server in OAuth 2.0 jargon) with JWT tokens.\nBoth examples use the same Azure AD app registrations, and the tests defined in `tests.http` use the client credentials grant to obtain the token and invoke the API.\n\n- [Setup Azure API and Client App Registrations](#setup-azure-api-and-client-app-registrations)\n- [Microsoft Spring Starter for Azure AD](#microsoft-spring-starter-for-azure-ad)\n- [Spring Security with Azure AD](#spring-security-with-azure-ad)\n- [Testing with REST Client](#testing-with-rest-client)\n- [Testing with Postman](#testing-with-postman)\n  - [Authorization Code Grant](#authorization-code-grant)\n  - [Client Creds Code Grant](#client-creds-code-grant)\n- [Setting Scopes for the API](#setting-scopes-for-the-api)\n\n\n## Setup Azure API and Client App Registrations\n\n
For this example we will simulate two components: the API Client and the API REST Application.\n\n- The API REST Application Registration is used by the REST API; the resource server for the API will validate that JWT tokens have this app registration as `audience`. [Optional setup] This App registration defines the Role exposed by the application - `Admin` for advanced administrative methods.\n\n- The API Client Application is used by the REST Client and is optionally granted the role `Admin` to be able to invoke advanced methods; the `/admin` call will return 403 if the role is not granted.\n\nFollow the docs to\n- [Register the App in AAD](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)\n- [[Optionally] Add Roles to your applications](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#assign-app-roles-to-applications)\n\nIn our example here is the setup:\n\n- Create the REST API App Registration `MSAADDemoAPI` and define a role `Admin` exposed by the API\n![docs](docs/appid.jpg)\n![docs](docs/apiclientrole.jpg)\n\n\n- Create the Client App Registration `MSAADDemoAPIClient`, create a secret and grant it the role `Admin`\n\n![docs](docs/clientapirole.jpg)\n\n\n- [Optionally] Add the Role to the user to test the Authorization Code Flow. Navigate to the Managed App and add the user role\n![docs](docs/AddUserRole.jpg)\n\n\n
## Microsoft Spring Starter for Azure AD\nThis example uses the Microsoft Azure AD Spring Starter, which implements all OIDC flows with Azure AD and hides the AAD setup complexity.\n[Microsoft Azure AD SpringBoot Starter](./ms-aad-restapi)\n\n## Spring Security with Azure AD\nThis example provides code that is vendor neutral: it uses the Spring Security module with configuration pointing to the OIDC well-known config for AAD.\n\n[Spring Security OAuth 2.0](./spring-security-restapi)\n\n## Testing with REST Client\n\nBoth examples use the same Azure AD app registrations, and the tests defined in `tests.http` use the client credentials grant to obtain the token and invoke the API. You will need to install the [Rest Client](https://marketplace.visualstudio.com/items?itemName=humao.rest-client) extension in VSCode to run it.\n\n- To obtain an Azure AD token via the client_credentials flow ([Client Credential Flow and default scope](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#client-credentials-grant-flow-and-default)) we will use the following HTTP request in `tests.http`\n- Replace the values for tenant and app registrations in the `tests.http` variables, or optionally set the Rest Client environment in the VSCode settings.json. See https://courses.codewithandrea.com/courses/783023/lectures/14364306\n![docs](docs/RestEnv.jpg)\n\n\n```\nPOST https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token\nHost: login.microsoftonline.com\nContent-Type: application/x-www-form-urlencoded\n\nclient_id={{appclient_id}}\n\u0026client_secret={{appclient_secret}}\n\u0026grant_type=client_credentials\n\u0026scope={{apiapp_id}}/.default\n\u0026request_type=token\n```\n\nScope is always `\u003cresource app id\u003e/.default` for client_credentials; it will also be used by AAD to set the audience in the token\n![docs](docs/accesstoken.jpg)\n\n
You can verify the content of the token at https://jwt.ms; in our decoded token you will see `roles` if the role was granted to the client application\n```json\n{\n  \"aud\": \"\u003capiclient_id\u003e\",\n  \"iss\": \"https://sts.windows.net/\u003ctenantid\u003e/\",\n  \"iat\": 1641967979,\n  \"nbf\": 1641967979,\n  \"exp\": 1641971879,\n  \"aio\": \"E2ZgYBCJvVemV+f5aMUG3y6TuQ8YAA==\",\n  \"appid\": \"\u003cappclient_id\u003e\",\n  \"appidacr\": \"1\",\n  \"idp\": \"https://sts.windows.net/\u003ctenantid\u003e/\",\n  \"oid\": \"xxxx\",\n  \"rh\": \"0.AVEA-1rmm50Wt0W8wph-dDYql0aDHVId4mBMs_NAAvwUmBdRAAA.\",\n  \"roles\": [\n    \"AdminRole\"\n  ],\n  \"sub\": \"xxxx\",\n  \"tid\": \"\u003ctenantid\u003e\",\n  \"uti\": \"vrxcAQO3UUiejUZa1Z6-AQ\",\n  \"ver\": \"1.0\"\n}\n```\n- Run the Spring application with `mvn spring-boot:run` and test the endpoints (you will receive 403 on /admin if the role is not granted)\n```\nGET http://localhost:8080/echo\nAuthorization: Bearer {{getToken.response.body.access_token}}\n\nGET http://localhost:8080/admin\nAuthorization: Bearer {{getToken.response.body.access_token}}\n```\n\n\n
## Testing with Postman\n\nThe Postman app allows for easy setup and tests of the [Authorization Code grant](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow), which issues tokens for users; this is useful for web applications that have authenticated end users and need to obtain a token to call the REST API\n\n- Import the Postman collection `ADTests.postman_collection.json`, which has two flows: AuthZ Code Grant and Client Credentials\n- Set up an environment that defines your `appclient_id`, `appclient_secret`, `apiclient_id` and `tenantid`\n\n### Authorization Code Grant\n- Verify the URLs in Authorization and obtain the token\n\n![docs](docs/AuthCodeSetting.jpg)\n![docs](docs/AuthCodeAdvanced.jpg)\n\nwhere:\n```\n- Authorization URL: https://login.microsoftonline.com/{{tenantid}}/oauth2/authorize\n- Token URL: https://login.microsoftonline.com/{{tenantid}}/oauth2/token\n- Grant Type: Authorization Code\n- ClientID and Secret are set to values for Application Client App Registration\n- [Optionally] Scope (see below the setup):  api://{{apiclient_id}}/Admin\n- Important!! Resource: points to REST API App Registration ID as it will be used in audience \n```\nObtain the token and decode it in `jwt.ms`; you will see a `User token` for the currently authenticated user. It will ask for consent when used by a user for the first time.\n\nRefer to https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#payload-claims for more details on the token fields.\nThe token will have `aud` set to the app registration id for the REST API (same as in application.yaml), `roles` with the Roles associated with the User, and optionally `scp` set to the requested scope (only available in user tokens)\n\n```\n
{\n  \"aud\": \"83ef8978-xxxx \u003capiclient-id used in resource field\u003e\",\n  \"iss\": \"https://sts.windows.net/\u003ctenantid\u003e/\",\n  \"iat\": 1642016283,\n  \"nbf\": 1642016283,\n  \"exp\": 1642020452,\n  \"acr\": \"1\",\n  \"aio\": \"AXQAi/8TAAAAPUBBoB8/e1hNkutJ2eWul5qq2M+f9Lv+Ws/wo4rtW4BodOpDnuQMiKlajg8muugT/b5D2Oduu42Nflpf+0m+Bv+ZL8N+Bd4T9ueOxOgcf8yLYoFx0QGzuJ6YtXnUPm+nmHXNQa0jXqShRqpBdWQ19g==\",\n  \"amr\": [\n    \"pwd\",\n    \"rsa\"\n  ],\n  \"appid\": \"521d8346-xxxx \u003cappclient-id\u003e\",\n  \"appidacr\": \"1\",\n  \"email\": \"eneros@microsoft.com\",\n  \"idp\": \"https://sts.windows.net/tenant/\",\n  \"ipaddr\": \"76.78.16.222\",\n  \"name\": \"Elena Neroslavskaya\",\n  \"oid\": \"fc10c12d-xxxxx\",\n  \"rh\": \"0.AVEA-1rmm50Wt0W8wph-dDYql0aDHVId4mBMs_NAAvwUmBdRAMc.\",\n  \"roles\": [\n    \"AdminRole\"\n  ],\n  \"scp\": \"Admin\",\n  \"sub\": \"CSA-sQ-fxr1i7KPrDVzhpZ1FjPwRuIh_iE7HiUsagUk\",\n  \"tid\": \"tenant\",\n  \"unique_name\": \"eneros@microsoft.com\",\n  \"uti\": \"-HQQbKuUcESbh02S3vsSAA\",\n  \"ver\": \"1.0\"\n}\n```\n\n- Verify that the app endpoints `/echo`, `/admin` and `/adminscope` work\n\n### Client Creds Code Grant\n- Verify the settings in Authorization and obtain the token\n\n![docs](docs/ClientCredSettings.jpg)\n![docs](docs/ClientCredAdvSettings.jpg)\n\nwhere:\n```\n- Token URL: https://login.microsoftonline.com/{{tenantid}}/oauth2/token\n- Grant Type:Client Credentials\n- ClientID and Secret are set to values for Application Client App Registration\n- [Optionally] Scope (see below the setup):  api://{{apiclient_id}}/.default\n- Important!! Resource: points to REST API App Registration ID as it will be used in audience \n```\nObtain the token and decode it in `jwt.ms`; you will see an `SP token` for the client application registration.\n\n```json\n
{\n  \"aud\": \"83ef8978-xxx \u003capiclient_id\u003e\",\n  \"iss\": \"https://sts.windows.net/tenant/\",\n  \"iat\": 1642015217,\n  \"nbf\": 1642015217,\n  \"exp\": 1642019117,\n  \"aio\": \"E2ZgYHjp/+BUtt60hJgPy+7lfPtsBgA=\",\n  \"appid\": \"521d8346-\u003cappclient_id\u003e\",\n  \"appidacr\": \"1\",\n  \"idp\": \"https://sts.windows.net/tenant/\",\n  \"oid\": \"7369daa6-3797-xxxx\",\n  \"rh\": \"0.AVEA-1rmm50Wt0W8wph-dDYql0aDHVId4mBMs_NAAvwUmBdRAAA.\",\n  \"roles\": [\n    \"AdminRole\"\n  ],\n  \"sub\": \"7369daa6-xxxx\",\n  \"tid\": \"tenant\",\n  \"uti\": \"Y8f51RHiZ0ON5klEqOkJAA\",\n  \"ver\": \"1.0\"\n}\n```\n\n- Verify that the app endpoints `/echo` and `/admin` work (scopes are not available in client credentials tokens)\n\n## Setting Scopes for the API\n\nYou can choose to use Scopes instead of Roles for coarse-grained authorization\n\n- Add a Scope to the REST API App Registration\n![docs](docs/AddScope.jpg)\n\n- Grant Permission to the Scope to the Client App Registration\n![docs](docs/GrantScope.jpg)\n\n\n[Acquire Token for AD](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=dotnet#azure-ad-v10-resources)\n[AAD and default scope](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flenisha%2Fspring-aad-samples","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flenisha%2Fspring-aad-samples","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flenisha%2Fspring-aad-samples/lists"}