Conversation
ZhuXiaoBing-cn
commented
Nov 13, 2020
- add resource server autoconfiguration
- add audience validator
- add tenant validator
- add issuer validator
* add resource server autoconfiguration * add audience validator * add tenant validator * add issuer validator
…re#17530) * Upgrade msal.js to a higher version to use PKCE.
| @EnableConfigurationProperties(AADAuthenticationProperties.class) | ||
| @ConditionalOnClass(name = {"org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken"}) | ||
| @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) | ||
| @ConditionalOnProperty(prefix = "azure.activedirectory", value = {"client-id", "client-secret", "tenant-id"}) |
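Review bot: `client-secret` should not be in the `@ConditionalOnProperty` list that enables a resource server: validating bearer tokens against the JWK set needs no client secret, so this condition forces a secret into the configuration of a service that never uses it, and a deployment that rightly omits the secret silently gets no auto-configuration at all. Condition on `client-id` and `tenant-id` only (or, since `tenant-id` is meant to default to `common`, on `client-id` alone) and leave `client-secret` to the web-application client starter.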
Why do we need these properties?
| @ConditionalOnMissingBean(JwtDecoder.class) | ||
| JwtDecoder jwtDecoderByJwkKeySetUri() { | ||
| IdentityEndpoints endpoints = new IdentityEndpoints(aadAuthenticationProperties.getUri()); | ||
| NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder |
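Review bot: a `NimbusJwtDecoder` built from a JWK set URI validates only the signature and the `exp`/`nbf` timestamps by default, so the audience, issuer and tenant validators this PR adds only take effect if `jwtDecoderByJwkKeySetUri()` attaches them with `nimbusJwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators))` before returning the bean; the visible lines do not show that. Also, since the JWKS location is derived from the configurable `aadAuthenticationProperties.getUri()`, `IdentityEndpoints` should reject anything other than an `https://` URL: a key set fetched over plain HTTP lets an on-path attacker substitute the verification keys.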
I see why the tenant id is required here, but why is this prefix azure.activedirectory.resource used here?
So for the case of a single-tenant app, the tenant id will be its tenant id. For a multi-tenant app, it will be common?
About azure.activedirectory.resource: a slip of the hand, it will be modified.
So for the case of a single-tenant app, the tenant id will be its tenant id. For a multi-tenant app, it will be common?
Yes.
| private AADAuthenticationProperties aadAuthenticationProperties; | ||
| @Bean | ||
| @ConditionalOnProperty(prefix = "azure.activedirectory.resource", value = {"client-id", "tenant-id", |
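Review bot: the prefix here is `azure.activedirectory.resource` while the class-level condition above uses `azure.activedirectory`, so the bean would only be created when both property sets are populated, which no documented configuration does; the author confirms it is a typo, so align it before merge. Separately, naming `client-id` and `tenant-id` in `value = {...}` makes them mandatory, which contradicts the behaviour agreed below (tenant-id defaults to `common`, audience check skipped when neither client-id nor app-id-uri is set): drop the `value` list and handle the absent properties inside the bean.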
All these properties are not required, right?
If tenant id is provided, we will construct the jwkset uri from the tenant id, otherwise we could use common?
If no client-id or app-id-uri is provided, we could skip the audience check?
All these properties are not required, right?
Yes.
If tenant id is provided, we will construct the jwkset uri from the tenant id, otherwise we could use common?
If no client-id or app-id-uri is provided, we could skip the audience check?
Yes, you are right.
| List<String> validAudiences = new ArrayList<>(); | ||
| validAudiences.add(aadAuthenticationProperties.getClientId()); | ||
| validAudiences.add(aadAuthenticationProperties.getAppIdUri()); | ||
| validators.add(new AzureJwtIssuerValidator(aadAuthenticationProperties.getTenantId(), |
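Review bot: `validAudiences.add(aadAuthenticationProperties.getAppIdUri())` (and likewise `getClientId()`) adds a `null` entry whenever the property is not configured, so the list handed to the audience validator may contain nulls or consist of nothing but nulls. Filter null values when populating `validAudiences`, and if the list ends up empty either skip the audience validator explicitly (the behaviour agreed above) or fail configuration, rather than installing a validator that can never match any `aud` claim.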
Why are we using tenant ids to construct the issuer validator?
Because the issuer is in the form of "https://sts.windows.net/4acebda4-c077-434a-8675-c4b5afebc8da/", I hope that by passing tenantId to construct the corresponding issuer, the 'iss' claim of the access token will match.
| private List<String> assembleIssuer(String tenantId) { | ||
| List<String> issuers = new ArrayList<>(); | ||
| issuers.add(LOGIN_MICROSOFT_ONLINE_ISSUER + tenantId + "/"); |
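Review bot: `assembleIssuer` builds `LOGIN_MICROSOFT_ONLINE_ISSUER + tenantId + "/"`, but the comment above says the tokens carry `https://sts.windows.net/<tenant>/`, and v2 tokens carry `https://login.microsoftonline.com/<tenant>/v2.0`; the constant, the host and the suffix need to agree with the token format the app actually receives. More importantly, when `tenantId` is `common` (the agreed multi-tenant default) this produces an issuer string that no token will ever carry, so every token would be rejected for multi-tenant apps. Validate the issuer structurally instead: extract the tenant from `iss`, require it to equal the `tid` claim, and check that tenant against the configured tenant id or the allowed-tenant set.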
Do we need to check the tenant in issuer claim in this validator? Which doc are we following here?
| private final JwtClaimValidator<String> validator; | ||
| public AzureJwtTenantValidator(String tenantId, Set<String> allowedTenantids) { | ||
| Assert.notNull(tenantId, "tenantId cannot be null"); |
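Review bot: the parameter `allowedTenantids` should be `allowedTenantIds` to match the casing used elsewhere. On the check itself: for a single-tenant app `tenantId` is the value compared with `tid`, whereas for `common` only the set is, so asserting `tenantId` non-null here (and, per the reply below, the set too) is stricter than either mode needs. Make the contract explicit: exactly one of the two is authoritative depending on whether `tenantId` is `common`, and an empty allowed set for a multi-tenant app must be a deliberate "accept every tenant" decision rather than a side effect of passing the null checks.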
We need both to be non-null here?
Yes, it will be modified.
…earch to PhoneNumberReservation (Azure#17253) * Renaming from PhoneNumberSearch to PhoneNumberReservation * Renaming from PhoneNumberSearch to PhoneNumberReservation * Renaming from PhoneNumberSearch to PhoneNumberReservation * updating readme samples * Renaming the model CreateSearchReponse and CreateSearchOptions * Fixing tests * Fixing tests * fixing typo in reservations
…e#17565) * Add AppConfig and Event Hubs samples for using exporters * Fix compiler warnings * Update sdk/monitor/microsoft-opentelemetry-exporter-azuremonitor/pom.xml * Update method names
* Improve Update-ChangeLog Logic * Updates to ChangeLog-Operations.ps1, copy-docs-to-blobstorage.ps1, Invoke-GitHubAPI.ps1 and Package-Properties.ps1 * More changeLog Logic Improvements * Update date parsing Co-authored-by: Chidozie Ononiwu <chononiw@microsoft.com>
… public to private (Azure#17576) * changing some public methods * updating Readme file * Fixing Readme
* [Service Bus] Remove viaPartitionKey * Remove unused imports
…be performed * tenantId is null, the default assignment is 'common' * The properties of AzureResourceServerAutoConfiguration made changes
What will the configuration file look like?
We also need unit tests.
* add unit tests * pom file add resource-server dependencies * spring.factories file add autoconfiguration
The configuration file looks like:
With the configuration above, we will verify
In the case of a multi-tenant app, our application.properties:
Under multi-tenant, azure.activedirectory.tenant-id will be configured as
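The decoder the thread converges on (tenant-id defaulting to common, audience check installed only when client-id or app-id-uri is set, issuer and tenant checked together so that a multi-tenant app does not compare against a literal "common" issuer), written out as an added example; this is not the starter's code nor code from this PR. It assumes the AAD v2 keys endpoint under login.microsoftonline.com, the v1 and v2 issuer formats named in the review, an `allowedTenantIds` argument where `null` means "accept every tenant" (an assumed contract), and the helper names `isMultiTenantAlias`, `isBlank` and `failure`, none of which appear on the page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/**
 * Added example (not the starter's code). Inputs correspond to the properties
 * discussed in the thread: azure.activedirectory.client-id, app-id-uri and
 * tenant-id, plus an assumed allowed-tenant list for multi-tenant apps.
 */
public final class AadResourceServerJwtDecoderExample {

    // Public AAD hosts. The "common" keys endpoint serves keys for every tenant.
    private static final String LOGIN_HOST = "https://login.microsoftonline.com/";
    private static final String V1_ISSUER_HOST = "https://sts.windows.net/";

    private AadResourceServerJwtDecoderExample() {
    }

    /**
     * @param allowedTenantIds multi-tenant only: tenants to accept, or null to
     *        accept every tenant explicitly (assumed semantics, not from the PR).
     */
    public static NimbusJwtDecoder build(String clientId, String appIdUri,
                                         String tenantId, Set<String> allowedTenantIds) {
        // No tenant-id configured -> multi-tenant "common", as agreed in the thread.
        String tenant = isBlank(tenantId) ? "common" : tenantId;

        // JWK set URI is always https; the tenant (or "common") selects the key set.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri(LOGIN_HOST + tenant + "/discovery/v2.0/keys")
            .build();

        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        validators.add(JwtValidators.createDefault()); // exp / nbf only

        // Audience validator only when at least one audience is configured;
        // nulls are filtered so an unset app-id-uri never lands in the list.
        List<String> audiences = new ArrayList<>();
        if (!isBlank(clientId)) audiences.add(clientId);
        if (!isBlank(appIdUri)) audiences.add(appIdUri);
        if (!audiences.isEmpty()) {
            validators.add(new JwtClaimValidator<List<String>>("aud",
                aud -> aud != null && aud.stream().anyMatch(audiences::contains)));
        }

        validators.add(issuerAndTenantValidator(tenant, allowedTenantIds));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
        return decoder;
    }

    /**
     * iss must be an AAD issuer for the tenant named in tid, and that tenant must
     * be the configured one (single-tenant) or an allowed one (multi-tenant). The
     * tenant is read from the token because an exact issuer string built from
     * "common" would never match a real token.
     */
    static OAuth2TokenValidator<Jwt> issuerAndTenantValidator(String configuredTenant,
                                                              Set<String> allowedTenantIds) {
        return jwt -> {
            String tid = jwt.getClaimAsString("tid");
            String iss = jwt.getIssuer() == null ? null : jwt.getIssuer().toString();
            if (isBlank(tid) || isBlank(iss)) {
                return failure("missing tid or iss claim");
            }
            boolean v2 = iss.equals(LOGIN_HOST + tid + "/v2.0");
            boolean v1 = iss.equals(V1_ISSUER_HOST + tid + "/");
            if (!v1 && !v2) {
                return failure("iss is not an AAD issuer for tenant " + tid);
            }
            if (isMultiTenantAlias(configuredTenant)) {
                if (allowedTenantIds != null && !allowedTenantIds.contains(tid)) {
                    return failure("tenant " + tid + " is not allowed");
                }
            } else if (!configuredTenant.equals(tid)) {
                return failure("token was issued for tenant " + tid);
            }
            return OAuth2TokenValidatorResult.success();
        };
    }

    private static boolean isMultiTenantAlias(String tenant) {
        return "common".equals(tenant) || "organizations".equals(tenant) || "consumers".equals(tenant);
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    private static OAuth2TokenValidatorResult failure(String description) {
        return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", description, null));
    }
}
```

Exposing `build(...)` from a `@Bean` method guarded by `@ConditionalOnMissingBean(JwtDecoder.class)` gives the same shape as the PR's `jwtDecoderByJwkKeySetUri()`. The point the example makes is in `issuerAndTenantValidator`: because `iss` and `tid` are checked against each other and then against the configuration, a token from tenant B presented to a single-tenant app registered in tenant A fails even though both tokens are signed by keys reachable from the same "common" JWKS.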