Fixes AAD application type validation (Azure#23716)
fixes application type validation
Moary Chen authored Sep 1, 2021
1 parent 3df8973 commit 002e260
Showing 18 changed files with 320 additions and 210 deletions.
13 changes: 13 additions & 0 deletions sdk/spring/azure-spring-boot-starter-active-directory/CHANGELOG.md
Expand Up @@ -7,9 +7,22 @@
### Breaking Changes

### Bugs Fixed
- Fix bug about application type validation. ([#23481](https://github.com/Azure/azure-sdk-for-java/issues/23481))

The latest application type relationship is as follows:

| Has dependency: spring-security-oauth2-client | Has dependency: spring-security-oauth2-resource-server | Valid values of application type | Default value |
|-----------------------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------|-----------------------------|
| Yes | No | `web_application` | `web_application` |
| No | Yes | `resource_server` | `resource_server` |
| Yes | Yes | `web_application`,`resource_server`,`resource_server_with_obo`, `web_application_and_resource_server` | `resource_server_with_obo` |

### Deprecations
- Deprecate `azure.activedirectory.authorization-clients.xxx.on-demand`, use `azure.activedirectory.authorization-clients.xxx.authorization-grant-type` instead. If you are using `on-demand=true`, please change to `authorization-grant-type=authorization_code`.

### Other Changes


## 3.8.0 (2021-08-25)
This release is compatible with Spring Boot 2.5.0 - 2.5.3.
### Dependency Upgrades
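Review bot: the Bugs Fixed entry (`Fix bug about application type validation`) does not say what actually changed; the table below is the only place a reader learns that `web_application` and `resource_server` are now accepted when both dependencies are present. State it in the entry itself, e.g. `Accept web_application and resource_server as application-type when both spring-security-oauth2-client and spring-security-oauth2-resource-server are on the classpath.` The third table row is also missing a space after the first comma (`web_application`,`resource_server`).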
10 changes: 5 additions & 5 deletions sdk/spring/azure-spring-boot-starter-active-directory/README.md
Expand Up @@ -353,11 +353,11 @@ To use **aad-starter** in this scenario, we need these steps:

This property(`azure.activedirectory.application-type`) is optional, its value can be inferred by dependencies, only `web_application_and_resource_server` must be configured manually: `azure.activedirectory.application-type=web_application_and_resource_server`.

| Has dependency: spring-security-oauth2-client | Has dependency: spring-security-oauth2-resource-server | Valid values of application type | Default value |
|-----------------------------------------------|--------------------------------------------------------|-------------------------------------------------------------------|-----------------------------|
| Yes | No | `web_application` | `web_application` |
| No | Yes | `resource_server` | `resource_server` |
| Yes | Yes | `resource_server_with_obo`, `web_application_and_resource_server` | `resource_server_with_obo` |
| Has dependency: spring-security-oauth2-client | Has dependency: spring-security-oauth2-resource-server | Valid values of application type | Default value |
|-----------------------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------|-----------------------------|
| Yes | No | `web_application` | `web_application` |
| No | Yes | `resource_server` | `resource_server` |
| Yes | Yes | `web_application`,`resource_server`,`resource_server_with_obo`, `web_application_and_resource_server` | `resource_server_with_obo` |

### Configurable properties

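Review bot: the unchanged sentence above the table, `only web_application_and_resource_server must be configured manually`, no longer matches the updated third row. With both dependencies present the default is still `resource_server_with_obo`, so `web_application` and `resource_server` now also have to be set explicitly through `azure.activedirectory.application-type`. Reword the sentence to say that any value other than the default for the detected dependencies must be configured manually.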
Expand Up @@ -33,7 +33,7 @@
import static org.junit.jupiter.api.Assertions.assertEquals;

@TestInstance(TestInstance.Lifecycle.PER_CLASS)
public class AADWeiResourceServerIT {
public class AADResourceServerIT {

private AADWebApiITHelper aadWebApiITHelper;

13 changes: 13 additions & 0 deletions sdk/spring/azure-spring-boot/CHANGELOG.md
Expand Up @@ -7,9 +7,22 @@
### Breaking Changes

### Bugs Fixed
- Fix bug about application type validation. ([#23481](https://github.com/Azure/azure-sdk-for-java/issues/23481))

The latest application type relationship is as follows:

| Has dependency: spring-security-oauth2-client | Has dependency: spring-security-oauth2-resource-server | Valid values of application type | Default value |
|-----------------------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------|-----------------------------|
| Yes | No | `web_application` | `web_application` |
| No | Yes | `resource_server` | `resource_server` |
| Yes | Yes | `web_application`,`resource_server`,`resource_server_with_obo`, `web_application_and_resource_server` | `resource_server_with_obo` |

### Deprecations
- Deprecate `azure.activedirectory.authorization-clients.xxx.on-demand`, use `azure.activedirectory.authorization-clients.xxx.authorization-grant-type` instead. If you are using `on-demand=true`, please change to `authorization-grant-type=authorization_code`.

### Other Changes


## 3.8.0 (2021-08-25)
This release is compatible with Spring Boot 2.5.0 - 2.5.3.
### Dependency Upgrades
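Review bot: this changelog does not record the API change made elsewhere in the same commit, where `AADOAuth2ClientConfiguration.clientRegistrationRepository` now returns `ClientRegistrationRepository` instead of `AADClientRegistrationRepository` and `AADWebSecurityConfigurerAdapter` injects the wider type. Applications that inject `AADClientRegistrationRepository` by its concrete type may stop resolving, so add a line under Breaking Changes or Other Changes describing the new bean type.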
Expand Up @@ -8,11 +8,11 @@
* AAD application type.
* <p>The value can be inferred by dependencies, only 'web_application_and_resource_server' must be configured manually.</p>
* <pre>
* | Has dependency: spring-security-oauth2-client | Has dependency: spring-security-oauth2-resource-server | Valid values of application type | Default value |
* |-----------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------|-----------------------------|
* | Yes | No | 'web_application' | 'web_application' |
* | No | Yes | 'resource_server' | 'resource_server' |
* | Yes | Yes | 'resource_server_with_obo', 'web_application_and_resource_server' | 'resource_server_with_obo' |
* | Has dependency: spring-security-oauth2-client | Has dependency: spring-security-oauth2-resource-server | Valid values of application type | Default value |
* |-----------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------|-----------------------------|
* | Yes | No | 'web_application' | 'web_application' |
* | No | Yes | 'resource_server' | 'resource_server' |
* | Yes | Yes | 'web_application','resource_server','resource_server_with_obo', 'web_application_and_resource_server' | 'resource_server_with_obo' |
* </pre>
*/
public enum AADApplicationType {
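Review bot: the unchanged Javadoc line `only 'web_application_and_resource_server' must be configured manually` is no longer accurate once the third row lists four valid values with `'resource_server_with_obo'` as the default: `'web_application'` and `'resource_server'` also need explicit configuration when both dependencies are present. Reword it to say that any non-default value must be configured explicitly.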
Expand Up @@ -31,7 +31,7 @@ public class AADOAuth2ClientConfiguration {

@Bean
@ConditionalOnMissingBean
public AADClientRegistrationRepository clientRegistrationRepository(AADAuthenticationProperties properties) {
public ClientRegistrationRepository clientRegistrationRepository(AADAuthenticationProperties properties) {
return new AADClientRegistrationRepository(properties);
}

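Review bot: widening the return type to `ClientRegistrationRepository` changes what `@ConditionalOnMissingBean` backs off on. Any user-defined `ClientRegistrationRepository` bean now suppresses the AAD repository entirely, including the Azure client scope handling that `AADWebSecurityConfigurerAdapter` derives from it via `getAzureClientAccessTokenScopes()`. If that is intended, document it in the CHANGELOG; if not, qualify the condition (for example by bean name) so the AAD-specific configuration still applies.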
Expand Up @@ -13,6 +13,7 @@
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
Expand All @@ -27,7 +28,7 @@
public abstract class AADWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

@Autowired
private AADClientRegistrationRepository repo;
private ClientRegistrationRepository repo;
@Autowired
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
@Autowired
Expand Down Expand Up @@ -66,8 +67,11 @@ protected LogoutSuccessHandler oidcLogoutSuccessHandler() {

protected OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
DefaultAuthorizationCodeTokenResponseClient result = new DefaultAuthorizationCodeTokenResponseClient();
result.setRequestEntityConverter(
new AADOAuth2AuthorizationCodeGrantRequestEntityConverter(repo.getAzureClientAccessTokenScopes()));
if (repo instanceof AADClientRegistrationRepository) {
result.setRequestEntityConverter(
new AADOAuth2AuthorizationCodeGrantRequestEntityConverter(
((AADClientRegistrationRepository) repo).getAzureClientAccessTokenScopes()));
}
return result;
}

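Review bot: when `repo` is not an `AADClientRegistrationRepository`, the new `instanceof` branch silently leaves the default request-entity converter in place, so the Azure client access-token scopes are no longer added to the authorization-code token request and the user gets no indication of it. Log at least at debug level in the fall-through case, or document the behaviour on `accessTokenResponseClient()`. Since the field is now the wider type, the `instanceof` plus cast is likely to recur; a small private accessor returning an `Optional<AADClientRegistrationRepository>` would keep the call sites readable.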
Expand Up @@ -4,6 +4,7 @@
package com.azure.spring.aad.webapp;

import com.azure.spring.aad.AADAuthorizationGrantType;
import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;

import java.util.List;

Expand Down Expand Up @@ -34,10 +35,15 @@ public List<String> getScopes() {
return scopes;
}

@Deprecated
@DeprecatedConfigurationProperty(
reason = "The AuthorizationGrantType of on-demand clients should be authorization_code.",
replacement = "Set oauth client AuthorizationGrantType to authorization_code, which means it's on-demand.")
public boolean isOnDemand() {
return onDemand;
}

@Deprecated
public void setOnDemand(boolean onDemand) {
this.onDemand = onDemand;
}
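Review bot: `@DeprecatedConfigurationProperty.replacement` is meant to hold the name of the replacement property, which IDE tooling renders as a property key; here that would be `azure.activedirectory.authorization-clients.<id>.authorization-grant-type`, while the sentence `Set oauth client AuthorizationGrantType to authorization_code, which means it's on-demand.` belongs in `reason`. The deprecated `setOnDemand` also has no Javadoc pointing at the replacement, and nothing in this hunk shows `onDemand=true` being mapped to `authorization_code`, so confirm that existing configurations keep their behaviour.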
Expand Up @@ -491,25 +491,21 @@ private void validateTenantId() {
* @throws IllegalStateException Invalid property 'azure.activedirectory.application-type'
*/
private void validateApplicationType() {
AADApplicationType inferredType = inferApplicationTypeByDependencies();
AADApplicationType inferred = inferApplicationTypeByDependencies();
if (applicationType != null) {
if (!isValidApplicationTypeConfiguration(applicationType, inferredType)) {
if (!isValidApplicationType(applicationType, inferred)) {
throw new IllegalStateException(
"Invalid property 'azure.activedirectory.application-type', the configured value is '"
+ applicationType.getValue() + "', " + "but the inferred value is '"
+ inferredType.getValue() + "'.");
+ inferred.getValue() + "'.");
}
} else {
applicationType = inferredType;
applicationType = inferred;
}
}

private boolean isValidApplicationTypeConfiguration(AADApplicationType configured, AADApplicationType inferred) {
if (configured == inferred) {
return true;
}
return inferred == AADApplicationType.RESOURCE_SERVER_WITH_OBO
&& configured == AADApplicationType.WEB_APPLICATION_AND_RESOURCE_SERVER;
private boolean isValidApplicationType(AADApplicationType configured, AADApplicationType inferred) {
return inferred == configured || inferred == AADApplicationType.RESOURCE_SERVER_WITH_OBO;
}

private void validateAuthorizationClientProperties(String registrationId,
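Review bot: `isValidApplicationType` now accepts any configured value when the inferred type is `RESOURCE_SERVER_WITH_OBO`, which matches the updated table, but the unchanged error message still ends with `but the inferred value is '...'`, which reads as if the configured value always has to equal the inferred one. Since that message is only reachable when a single dependency is present, wording it as `only '<inferred>' is allowed with the current dependencies` would be clearer. The simplified helper also lost the explanation the old multi-line version carried; a one-line comment stating the rule (configured must equal inferred unless both client and resource-server dependencies are present) would help the next reader.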