validate access token

eng/versioning/external_dependencies.txt

@@ -110,6 +110,7 @@ org.springframework.kafka:spring-kafka;2.5.7.RELEASE
 org.springframework.security:spring-security-config;5.3.5.RELEASE
 org.springframework.security:spring-security-core;5.3.5.RELEASE
 org.springframework.security:spring-security-oauth2-client;5.3.5.RELEASE
+org.springframework.security:spring-security-oauth2-resource-server;5.3.5.RELEASE
 org.springframework.security:spring-security-oauth2-core;5.3.5.RELEASE
 org.springframework.security:spring-security-oauth2-jose;5.3.5.RELEASE
 org.springframework.security:spring-security-web;5.3.5.RELEASE

sdk/spring/azure-spring-boot/pom.xml

@@ -81,6 +81,12 @@
       <version>5.3.5.RELEASE</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
       <optional>true</optional>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-oauth2-resource-server</artifactId>
+      <version>5.3.5.RELEASE</version> <!-- {x-version-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
+      <optional>true</optional>
+    </dependency>
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-oauth2-jose</artifactId>
@@ -336,6 +342,7 @@
                 <include>org.springframework.security:spring-security-config:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-config;external_dependency} -->
                 <include>org.springframework.security:spring-security-core:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-core;external_dependency} -->
                 <include>org.springframework.security:spring-security-oauth2-client:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-client;external_dependency} -->
+                <include>org.springframework.security:spring-security-oauth2-resource-server:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-resource-server;external_dependency} -->
                 <include>org.springframework.security:spring-security-oauth2-jose:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-oauth2-jose;external_dependency} -->
                 <include>org.springframework.security:spring-security-web:[5.3.5.RELEASE]</include> <!-- {x-include-update;org.springframework.security:spring-security-web;external_dependency} -->
                 <include>org.apache.qpid:qpid-jms-client:[0.53.0]</include> <!-- {x-include-update;org.apache.qpid:qpid-jms-client;external_dependency} -->

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/implementation/AzureActiveDirectoryProperties.java

@@ -14,6 +14,7 @@ public class AzureActiveDirectoryProperties {
     private String uri;
     private String tenantId;
     private String clientId;
+    private String appIdUri;
     private String clientSecret;
 
     private Map<String, AuthorizationProperties> authorization = new HashMap<>();
@@ -54,6 +55,14 @@ public void setAuthorization(Map<String, AuthorizationProperties> authorization)
         this.authorization = authorization;
     }
 
+    public String getAppIdUri() {
+        return appIdUri;
+    }
+
+    public void setAppIdUri(String appIdUri) {
+        this.appIdUri = appIdUri;
+    }
+
     public Map<String, AuthorizationProperties> getAuthorization() {
         return authorization;
     }

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/resource/server/AzureActiveDirectoryResourceServerConfiguration.java

@@ -0,0 +1,94 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.spring.aad.resource.server;
+
+
+import com.azure.spring.aad.implementation.AzureActiveDirectoryProperties;
+import com.azure.spring.aad.implementation.IdentityEndpoints;
+import com.azure.spring.aad.resource.server.validator.AzureJwtAudienceValidator;
+import com.azure.spring.aad.resource.server.validator.AzureJwtIssuerValidator;
+import java.util.ArrayList;
+import java.util.List;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
+import org.springframework.util.StringUtils;
+
+/**
+ * <p>
+ * The configuration will not be activated if no {@link BearerTokenAuthenticationToken} class provided.
+ * <p>
+ * By default, creating a JwtDecoder through JwkKeySetUri will be auto-configured.
+ */
+@Configuration(proxyBeanMethods = false)
+@EnableConfigurationProperties({AzureActiveDirectoryProperties.class})
+@ConditionalOnClass(BearerTokenAuthenticationToken.class)
+public class AzureActiveDirectoryResourceServerConfiguration {
+
+    @Autowired
+    private AzureActiveDirectoryProperties azureActiveDirectoryProperties;
+
+    /**
+     * Use JwkKeySetUri to create JwtDecoder
+     *
+     * @return JwtDecoder bean
+     */
+    @Bean
+    @ConditionalOnMissingBean(JwtDecoder.class)
+    public JwtDecoder jwtDecoderByJwkKeySetUri() {
+        if (StringUtils.isEmpty(azureActiveDirectoryProperties.getTenantId())) {
+            azureActiveDirectoryProperties.setTenantId("common");
+        }
+        IdentityEndpoints identityEndpoints = new IdentityEndpoints(azureActiveDirectoryProperties.getUri());
+        NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder
+            .withJwkSetUri(identityEndpoints.jwkSetEndpoint(azureActiveDirectoryProperties.getTenantId())).build();
+        List<OAuth2TokenValidator<Jwt>> validators = createDefaultValidator();
+        nimbusJwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
+        return nimbusJwtDecoder;
+    }
+
+    public List<OAuth2TokenValidator<Jwt>> createDefaultValidator() {
+        List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
+        if (!StringUtils.isEmpty(azureActiveDirectoryProperties.getAppIdUri())) {
+            List<String> validAudiences = new ArrayList<>();
+            validAudiences.add(azureActiveDirectoryProperties.getAppIdUri());
+            validators.add(new AzureJwtAudienceValidator(validAudiences));
+        }
+        validators.add(new AzureJwtIssuerValidator());
+        validators.add(new JwtTimestampValidator());
+        return validators;
+    }
+
+    /**
+     * Default configuration class for using AAD authentication and authorization. User can write another configuration
+     * bean to override it.
+     */
+    @Configuration
+    @ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
+    @EnableWebSecurity
+    public static class DefaultAzureOAuth2ResourceServerWebSecurityConfigurerAdapter extends
+        WebSecurityConfigurerAdapter {
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
+                .oauth2ResourceServer()
+                .jwt()
+                .jwtAuthenticationConverter(new AzureJwtBearerTokenAuthenticationConverter());
+        }
+    }
+}
+

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/resource/server/AzureJwtBearerTokenAuthenticationConverter.java

@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.spring.aad.resource.server;
+
+import com.azure.spring.autoconfigure.aad.UserPrincipal;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.JWTClaimsSet.Builder;
+import java.text.ParseException;
+import java.util.Collection;
+import java.util.Map.Entry;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+/**
+ * A {@link Converter} that takes a {@link Jwt} and converts it into a {@link PreAuthenticatedAuthenticationToken}.
+ */
+public class AzureJwtBearerTokenAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(AzureJwtBearerTokenAuthenticationConverter.class);
+    private final JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
+
+    public AzureJwtBearerTokenAuthenticationConverter() {
+    }
+
+    @Override
+    public AbstractAuthenticationToken convert(Jwt jwt) {
+        OAuth2AccessToken accessToken = new OAuth2AccessToken(
+            OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
+        AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
+        Collection<GrantedAuthority> authorities = token.getAuthorities();
+        JWTClaimsSet.Builder builder = new Builder();
+        for (Entry<String, Object> entry : jwt.getClaims().entrySet()) {
+            builder.claim(entry.getKey(), entry.getValue());
+        }
+        JWTClaimsSet jwtClaimsSet = builder.build();
+        JWSObject jwsObject = null;
+        try {
+            jwsObject = JWSObject.parse(accessToken.getTokenValue());
+        } catch (ParseException e) {
+            LOGGER.error(
+                e.getMessage() + ". When create an instance of JWSObject, an exception is resolved on the token.");
+        }
+        UserPrincipal userPrincipal = new UserPrincipal(accessToken.getTokenValue(), jwsObject, jwtClaimsSet);
+        return new PreAuthenticatedAuthenticationToken(userPrincipal, null, authorities);
+    }
+}

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/resource/server/package-info.java

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+/**
+ * Package com.azure.spring.aad.resource.server
+ */
+package com.azure.spring.aad.resource.server;

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/resource/server/validator/AzureJwtAudienceValidator.java

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.spring.aad.resource.server.validator;
+
+import com.azure.spring.autoconfigure.aad.AADTokenClaim;
+import java.util.List;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtClaimValidator;
+import org.springframework.util.Assert;
+
+/**
+ * Validates the "aud" claim in a {@link Jwt}, that is matches a configured value
+ */
+public class AzureJwtAudienceValidator implements OAuth2TokenValidator<Jwt> {
+
+    private final JwtClaimValidator<List<String>> validator;
+
+    /**
+     * Constructs a {@link AzureJwtAudienceValidator} using the provided parameters
+     *
+     * @param audiences - The audience that each {@link Jwt} should have.
+     */
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    public AzureJwtAudienceValidator(List<String> audiences) {
+        Assert.notNull(audiences, "audiences cannot be null");
+        this.validator = new JwtClaimValidator(AADTokenClaim.AUD, aud -> audiences.containsAll((List<String>) aud));
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public OAuth2TokenValidatorResult validate(Jwt token) {
+        Assert.notNull(token, "token cannot be null");
+        return this.validator.validate(token);
+    }
+
+
+}

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/resource/server/validator/AzureJwtIssuerValidator.java

@@ -0,0 +1,51 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.spring.aad.resource.server.validator;
+
+import com.azure.spring.autoconfigure.aad.AADTokenClaim;
+import java.util.function.Predicate;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtClaimValidator;
+import org.springframework.util.Assert;
+
+/**
+ * Validates the "iss" claim in a {@link Jwt}, that is matches a configured value
+ */
+public class AzureJwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
+
+    private static final String LOGIN_MICROSOFT_ONLINE_ISSUER = "https://login.microsoftonline.com/";
+    private static final String STS_WINDOWS_ISSUER = "https://sts.windows.net/";
+    private static final String STS_CHINA_CLOUD_API_ISSUER = "https://sts.chinacloudapi.cn/";
+    private final JwtClaimValidator<String> validator;
+
+    /**
+     * Constructs a {@link AzureJwtIssuerValidator} using the provided parameters
+     */
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    public AzureJwtIssuerValidator() {
+        this.validator = new JwtClaimValidator(AADTokenClaim.ISS, validIssuer());
+    }
+
+    private Predicate<String> validIssuer() {
+        return iss -> {
+            if (iss == null) {
+                return false;
+            }
+            return iss.startsWith(LOGIN_MICROSOFT_ONLINE_ISSUER)
+                || iss.startsWith(STS_WINDOWS_ISSUER)
+                || iss.startsWith(STS_CHINA_CLOUD_API_ISSUER);
+        };
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public OAuth2TokenValidatorResult validate(Jwt token) {
+        Assert.notNull(token, "token cannot be null");
+        return this.validator.validate(token);
+    }
+
+}

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationProperties.java

@@ -4,21 +4,20 @@
 package com.azure.spring.autoconfigure.aad;
 
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
-import org.springframework.validation.annotation.Validated;
-
-import javax.annotation.PostConstruct;
-import javax.validation.constraints.NotEmpty;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
+import javax.annotation.PostConstruct;
+import javax.validation.constraints.NotEmpty;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
+import org.springframework.validation.annotation.Validated;
 
 /**
  * Configuration properties for Azure Active Directory Authentication.

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADTokenClaim.java

@@ -11,4 +11,6 @@ public class AADTokenClaim {
     public static final String NAME = "name";
     public static final String TID = "tid";
     public static final String ROLES = "roles";
+    public static final String ISS = "iss";
+    public static final String AUD = "aud";
 }

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/UserPrincipal.java

@@ -105,6 +105,10 @@ public String getName() {
         return jwtClaimsSet == null ? null : (String) jwtClaimsSet.getClaim("name");
     }
 
+    public String getTenantId() {
+        return jwtClaimsSet == null ? null : (String) jwtClaimsSet.getClaim("tid");
+    }
+
     public String getUserPrincipalName() {
         return jwtClaimsSet == null ? null : (String) jwtClaimsSet.getClaim("preferred_username");
     }

sdk/spring/azure-spring-boot/src/main/resources/META-INF/spring.factories

@@ -3,6 +3,7 @@ org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
 com.azure.spring.autoconfigure.aad.AADAuthenticationFilterAutoConfiguration,\
 com.azure.spring.autoconfigure.aad.AADOAuth2AutoConfiguration, \
 com.azure.spring.aad.implementation.AzureActiveDirectoryConfiguration,\
+com.azure.spring.aad.resource.server.AzureActiveDirectoryResourceServerConfiguration, \
 com.azure.spring.autoconfigure.b2c.AADB2CAutoConfiguration,\
 com.azure.spring.autoconfigure.cosmos.CosmosAutoConfiguration,\
 com.azure.spring.autoconfigure.cosmos.CosmosHealthConfiguration,\