Azure · yiliuTo · Feb 3, 2021 · Feb 1, 2021 · Feb 1, 2021 · Feb 2, 2021
diff --git a/...e-spring-boot-test-aad/src/test/java/com/azure/test/aad/selenium/AADSeleniumITHelper.java b/...e-spring-boot-test-aad/src/test/java/com/azure/test/aad/selenium/AADSeleniumITHelper.java
@@ -63,4 +63,10 @@ public void logoutTest() {
         Assert.assertEquals(username, id);
     }
 
+    public String IncrementalConsent(String endpoint) {
+        driver.get((app.root() + endpoint));
+        wait.until(ExpectedConditions.elementToBeClickable(By.cssSelector("input[type='submit']"))).click();
+        return wait.until(presenceOfElementLocated(By.tagName("body"))).getText();
+    }
+
 }
diff --git a/...pring-boot-test-aad/src/test/java/com/azure/test/aad/selenium/ondemand/AADOnDemandIT.java b/...pring-boot-test-aad/src/test/java/com/azure/test/aad/selenium/ondemand/AADOnDemandIT.java
@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.test.aad.selenium.ondemand;
+
+import com.azure.test.aad.selenium.AADSeleniumITHelper;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Test;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Map;
+
+import static com.azure.spring.test.EnvironmentVariable.AAD_USER_NAME_ON_DEMAND;
+import static com.azure.spring.test.EnvironmentVariable.AAD_USER_PASSWORD_ON_DEMAND;
+import static com.azure.test.aad.selenium.AADSeleniumITHelper.createDefaultProperties;
+
+public class AADOnDemandIT {
+    private AADSeleniumITHelper aadSeleniumITHelper;
+
+    @Test
+    public void onDemandTest() {
+        Map<String, String> properties = createDefaultProperties();
+        properties.put("azure.activedirectory.authorization-clients.arm.scopes",
+            "https://management.azure.com/user_impersonation");
+        properties.put("azure.activedirectory.authorization-clients.arm.on-demand", "true");
+
+        aadSeleniumITHelper = new AADSeleniumITHelper(DumbApp.class, properties,
+            AAD_USER_NAME_ON_DEMAND, AAD_USER_PASSWORD_ON_DEMAND);
+        aadSeleniumITHelper.logIn();
+
+        String httpResponse = aadSeleniumITHelper.httpGet("api/azure");
+        Assert.assertTrue(httpResponse.contains("azure"));
+
+        httpResponse = aadSeleniumITHelper.IncrementalConsent("api/arm");
+        Assert.assertTrue(httpResponse.contains("arm"));
+    }
+
+    @After
+    public void destroy() {
+        aadSeleniumITHelper.destroy();
+    }
+
+    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
+    @SpringBootApplication
+    @RestController
+    public static class DumbApp {
+
+        @GetMapping(value = "/api/azure")
+        public ResponseEntity<String> azure(
+            @RegisteredOAuth2AuthorizedClient("azure") OAuth2AuthorizedClient authorizedClient) {
+            return ResponseEntity.ok("azure");
+        }
+
+        @GetMapping(value = "/api/arm")
+        public ResponseEntity<String> arm(
+            @RegisteredOAuth2AuthorizedClient("arm") OAuth2AuthorizedClient authorizedClient) {
+            return ResponseEntity.ok("arm");
+        }
+    }
+}
diff --git a/.../azure-spring-boot-test-core/src/main/java/com/azure/spring/test/EnvironmentVariable.java b/.../azure-spring-boot-test-core/src/main/java/com/azure/spring/test/EnvironmentVariable.java
@@ -21,8 +21,10 @@ public class EnvironmentVariable {
     public static final String AAD_TENANT_ID_2 = System.getenv("AAD_TENANT_ID_2");
     public static final String AAD_USER_NAME_1 = System.getenv("AAD_USER_NAME_1");
     public static final String AAD_USER_NAME_2 = System.getenv("AAD_USER_NAME_2");
+    public static final String AAD_USER_NAME_ON_DEMAND = System.getenv("AAD_USER_NAME_ON_DEMAND");
     public static final String AAD_USER_PASSWORD_1 = System.getenv("AAD_USER_PASSWORD_1");
     public static final String AAD_USER_PASSWORD_2 = System.getenv("AAD_USER_PASSWORD_2");
+    public static final String AAD_USER_PASSWORD_ON_DEMAND = System.getenv("AAD_USER_PASSWORD_ON_DEMAND");
     public static final String AZURE_KEYVAULT2_URI = System.getenv("AZURE_KEYVAULT2_URI");
     public static final String AZURE_KEYVAULT_URI = System.getenv("AZURE_KEYVAULT_URI");
     public static final String AZURE_STORAGE_ACCOUNT_KEY = System.getenv("AZURE_STORAGE_ACCOUNT_KEY");

diff --git a/sdk/spring/tests.yml b/sdk/spring/tests.yml
@@ -75,6 +75,19 @@ jobs:
           AAD_B2C_USER_PASSWORD: $(java-spring-aad-b2c-user-password)
           AAD_B2C_CLIENT_ID: $(java-spring-aad-b2c-client-id)
           AAD_B2C_CLIENT_SECRET: $(java-spring-aad-b2c-client-secret)
+          AAD_USER_NAME_ON_DEMAND: "user$(System.JobId)@aadittest1.onmicrosoft.com"
+          AAD_USER_PASSWORD_ON_DEMAND: $(java-spring-aad-user-password-1)
+          AAD_SERVICE_PRICIPAL_CLIENT_ID: $(java-spring-aad-service-principal-client-id)
+          AAD_SERVICE_PRICIPAL_CLIENT_SECRET: $(java-spring-aad-service-principal-client-secret)
+
+        PreRunSteps:
+          - powershell: |
+              az login --allow-no-subscriptions --tenant $(java-spring-aad-tenant-id-1) --service-principal -u $(java-spring-aad-service-principal-client-id) -p $(java-spring-aad-service-principal-client-secret)
+              az ad user create --user-principal-name "$env:AAD_USER_NAME_ON_DEMAND" --display-name "user$(System.JobId)" --password "$(java-spring-aad-user-password-1)" --force-change-password-next-login false
+              az logout
+            env:
+              AAD_USER_NAME_ON_DEMAND: "user$(System.JobId)@aadittest1.onmicrosoft.com"
+            displayName: 'Create On-demand test user'
 
         PostRunSteps:
           - script: |
@@ -122,4 +135,17 @@ jobs:
               AAD_B2C_PROFILE_EDIT: "B2C_1_profileediting1"
               AAD_B2C_USER_PASSWORD: $(java-spring-aad-b2c-user-password)
               AAD_B2C_CLIENT_ID: $(java-spring-aad-b2c-client-id)
-              AAD_B2C_CLIENT_SECRET: $(java-spring-aad-b2c-client-secret)
+              AAD_B2C_CLIENT_SECRET: $(java-spring-aad-b2c-client-secret)
+              AAD_USER_NAME_ON_DEMAND: "user$(System.JobId)@aadittest1.onmicrosoft.com"
+              AAD_USER_PASSWORD_ON_DEMAND: $(java-spring-aad-user-password-1)
+              AAD_SERVICE_PRICIPAL_CLIENT_ID: $(java-spring-aad-service-principal-client-id)
+              AAD_SERVICE_PRICIPAL_CLIENT_SECRET: $(java-spring-aad-service-principal-client-secret)
+
+          - powershell: |
+              az login --allow-no-subscriptions --tenant $(java-spring-aad-tenant-id-1) --service-principal -u $(java-spring-aad-service-principal-client-id) -p $(java-spring-aad-service-principal-client-secret)
+              az ad user delete --id "$env:AAD_USER_NAME_ON_DEMAND"
+              az logout
+            env:
+              AAD_USER_NAME_ON_DEMAND: "user$(System.JobId)@aadittest1.onmicrosoft.com"
+            condition: always()
+            displayName: 'Delete On-demand test user'