Azure AD B2C extra parameters with dynamic values to authorization requests #197

veganchamp · 2024-03-15T16:03:43Z

veganchamp
Mar 15, 2024

I have successfully incorporated the servlet-client project into our application and can dynamically switch between two oauth2 oidc providers Salesforce & Keycloak. I now need to add a third; Azure AD B2C, however it doesn't seem to align with the others.

Comparing for example the authorize requests below for Salesforce and Azure, how can I customize the ClientRegistration to cater for the extra runtime parameters / tenant information that Azure needs?
For the record I am rewriting some legacy code that does this by proxying old Spring Security code which handles the clientRegistration on start-up, which gives it runtime customization, and I'm trying to avoid that.

Salesforce:

https://lv-direct--inttrn.sandbox.my.site.com/giportal/services/oauth2/authorize

response_type: code
client_id: {clientId}
scope: openid
state: JEGBCuU-QONVNAlfZ2Wi9GpJ3Erewf9iWFsQ6X5csJo=
redirect_uri: https://localhost:8444/login/oauth2/code/sf
code_challenge_method: S256
nonce: CqS7Z7dMMH3hms6H4S6MAcw9-aUHkybCJZSTbSrrzfM
code_challenge: OSeYXPb6Bq8x79AEsJlJGm3X6j5V0u802IbTAwrNato

Azure AD B2C:

https://sys-login.lvgig.co.uk/{tenantId}/oauth2/v2.0/authorize

response_type: code
client_id: {clientId}
scope: {clientId} openid
state: xL-KgZffYma3tDZA72ogiLEi-zmLaCQLReRCmSYSPQQ=
redirect_uri: https://localhost:8444/openId
code_challenge_method: S256
nonce: yfIRs5jFFRf7OGyQltiWNh4VdR-YgygLuAD1hP8KC80
code_challenge: cMehFikOVs_Lbu--DdHlK_MbCV5e_Apwm7HxYWpcVTw
p: B2C_1A_RPRetrieveQuoteQA3
x-client-SKU: spring-boot-starter
product: car
style: new
ujt: retrievequote
response_mode: form_post

Answered by ch4mpy

Mar 15, 2024

If you're using spring-addons-starter-oidc and if the values for Azure authorization endpoint proprietary parameters are static, you should be able to do this with just properties.

Provided that the cardinality of possible parameters is reasonable:

# Double-check this values against what you actually get from .well-known/openid-configuration
azure-authorization-endpoint: https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize
azure-token-endpoint: https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token
azure-jwks-endpoint: https://login.microsoftonline.com/${tenant}/discovery/v2.0/keys

azure-client-id: change-me
azure-client-secret: change-me

scheme: http
server:
  port: 8…

View full answer

ch4mpy · 2024-03-15T16:58:48Z

ch4mpy
Mar 15, 2024
Maintainer

If you're using spring-addons-starter-oidc and if the values for Azure authorization endpoint proprietary parameters are static, you should be able to do this with just properties.

Provided that the cardinality of possible parameters is reasonable:

# Double-check this values against what you actually get from .well-known/openid-configuration
azure-authorization-endpoint: https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize
azure-token-endpoint: https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token
azure-jwks-endpoint: https://login.microsoftonline.com/${tenant}/discovery/v2.0/keys

azure-client-id: change-me
azure-client-secret: change-me

scheme: http
server:
  port: 8080

spring:
  security:
    oauth2:
      client:
        provider:
          azure-ad-b2c:
            jwk-set-uri: ${azure-jwks-endpoint}
            authorization-uri: ${azure-authorization-endpoint}
            token-uri: ${azure-token-endpoint}
        registration:
          azure-retrieve-quote:
            authorization-grant-type: authorization_code
            client-id: ${azure-client-id}
            client-secret: ${azure-client-secret}
            provider: azure-ad-b2c
            scope: ${azure-client-id},openid
            redirect-uri: ${scheme}://localhost:${server.port}/login/oauth2/code/azure-retrieve-quote
          azure-save:
            authorization-grant-type: authorization_code
            client-id: ${azure-client-id}
            client-secret: ${azure-client-secret}
            provider: azure-ad-b2c
            scope: ${azure-client-id},openid
            redirect-uri: ${scheme}://localhost:${server.port}/login/oauth2/code/azure-save

com:
  c4-soft:
    springaddons:
      oidc:
        client:
          authorization-params:
            azure-retrieve-quote:
              p: B2C_1A_RPRetrieveQuoteQA3
              x-client-SKU: spring-boot-starter
              product: car
              style: new
              ujt: retrievequote
              response_mode: form_post
            azure-save:
              p: B2C_1A_RPSaveQA3
              x-client-SKU: spring-boot-starter
              product: car
              style: new
              ujt: save
              response_mode: form_post

Note that:

the registration-ids (which I named azure-retrieve-quote and azure-save in the sample above) must match exactly in spring and spring-addons properties
you can add params to the token endpoint request the same way under token-params (which is at the same level as authorization-params)

If you don't use spring-addons-starter-oidc, you'll have to provide with an OAuth2AuthorizationRequestResolver of your own (implement all of it, so don't forget about PKCE if using it), and configure the Security(Web)FilterChain with it.

If you use spring-addons-starter-oidc but some parameters are "dynamic" or the cardinality of possible parameters combinations too high, then you'll have to provide with your own OAuth2AuthorizationRequestResolver too, but with the notable difference that:

you can extend or proxy SpringAddonsOAuth2AuthorizationRequestResolver to configure the static parameters in properties (and have PKCE handled for you)
exposing your impl as a bean will be enough: spring-addons will use your bean (instead of instantiating a SpringAddonsOAuth2AuthorizationRequestResolver) and configure the security filter-chain for you.

This would look something like that:

@Component
public class MyOAuth2AuthorizationRequestResolver extends SpringAddonsOAuth2AuthorizationRequestResolver {

	public MyOAuth2AuthorizationRequestResolver(
			OAuth2ClientProperties bootClientProperties,
			ClientRegistrationRepository clientRegistrationRepository,
			SpringAddonsOidcClientProperties addonsClientProperties) {
		super(bootClientProperties, clientRegistrationRepository, addonsClientProperties);
	}

	@Override
	protected Consumer<Builder> getOAuth2AuthorizationRequestCustomizer(HttpServletRequest request, String clientRegistrationId) {
		return new CompositeOAuth2AuthorizationRequestCustomizer(
				getCompositeOAuth2AuthorizationRequestCustomizer(clientRegistrationId),
				new MyDynamicCustomizer(request));
	}

	static class MyDynamicCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {
		private final HttpServletRequest request;

		public MyDynamicCustomizer(HttpServletRequest request) {
			this.request = request;
		}

		@Override
		public void accept(OAuth2AuthorizationRequest.Builder authorizationRequest) {
			authorizationRequest.additionalParameters(params -> {
				// TODO: add the parameters which depend on the request
			});
		}
	}
}

10 replies

veganchamp Apr 2, 2024
Author

Here's the current config:

### IDP: Azure AD B2C ###
b2c-host=https://sys-login.lvgig.co.uk
b2c-tenant=***
b2c-client-id=***
b2c-client-secret=***
b2c-authorization-endpoint=${b2c-host}/${b2c-tenant}/oauth2/v2.0/authorize
b2c-token-endpoint=${b2c-host}/${b2c-tenant}/oauth2/v2.0/token
b2c-jwks-endpoint=${b2c-host}/${b2c-tenant}/discovery/v2.0/keys

spring.security.oauth2.client.provider.b2c.jwk-set-uri=${b2c-jwks-endpoint}
spring.security.oauth2.client.provider.b2c.authorization-uri=${b2c-authorization-endpoint}
spring.security.oauth2.client.provider.b2c.token-uri=${b2c-token-endpoint}

spring.security.oauth2.client.registration.b2c-retrieve.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.b2c-retrieve.client-id=${b2c-client-id}
spring.security.oauth2.client.registration.b2c-retrieve.client-secret=${b2c-client-secret}
spring.security.oauth2.client.registration.b2c-retrieve.provider=b2c
spring.security.oauth2.client.registration.b2c-retrieve.scope=${b2c-client-id},openid
spring.security.oauth2.client.registration.b2c-retrieve.redirect-uri={baseUrl}/login/oauth2/code/b2c-retrieve

spring.security.oauth2.client.registration.b2c-save.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.b2c-save.client-id=${b2c-client-id}
spring.security.oauth2.client.registration.b2c-save.client-secret=${b2c-client-secret}
spring.security.oauth2.client.registration.b2c-save.provider=b2c
spring.security.oauth2.client.registration.b2c-save.scope=${b2c-client-id},openid
spring.security.oauth2.client.registration.b2c-save.redirect-uri={baseUrl}/login/oauth2/code/b2c-save

com.c4-soft.springaddons.oidc.client.pkce-forced=true
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-retrieve.p=B2C_1A_RPRetrieveQuoteQA3
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-retrieve.product=car
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-retrieve.style=new
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-retrieve.ujt=retrievequote
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-retrieve.response_mode=form_post

com.c4-soft.springaddons.oidc.client.authorization-params.b2c-save.p=B2C_1A_RPSaveQA3
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-save.product=car
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-save.style=new
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-save.ujt=save
com.c4-soft.springaddons.oidc.client.authorization-params.b2c-save.response_mode=form_post
### IDP: Azure AD B2C ###

Here's the code:

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class WebSecurityConfig2 {

	@Value("${je-url}")
	private String jeUrl;

	@Autowired
	private SecurityServiceBroker broker;

	@Autowired
	private SecurityService securityService;

	@Autowired
	private SessionContextService sessionContextService;

	@Autowired
	private MDCService mdcService;

	@Bean
	public RequestCache requestCache() {
		return new HttpSessionRequestCache();
	}

	@Bean
	public TrapsLoginUrlAuthenticationEntryPoint trapsLoginUrlAuthenticationEntryPoint() {
		return new TrapsLoginUrlAuthenticationEntryPoint(broker, securityService, requestCache(), jeUrl);
	}

	@Bean
	public TrapsAuthenticationSuccessHandler trapsAuthenticationSuccessHandler() {
		return new TrapsAuthenticationSuccessHandler(broker, requestCache());
	}

	@Bean
	public TrapsAuthenticationFailureHandler trapsAuthenticationFailureHandler() {
		return new TrapsAuthenticationFailureHandler(broker, sessionContextService, requestCache(), mdcService);
	}

	@Bean
	public SpringAddonsOidcProperties springAddonsOidcProperties() {
		return new SpringAddonsOidcProperties();
	}

	@Bean
	public SecurityFilterChain clientSecurityFilterChain(
			HttpSecurity http,
			OAuth2ClientProperties bootClientProperties,
			InMemoryClientRegistrationRepository clientRegistrationRepository,
			SpringAddonsOidcProperties springAddonsOidcProperties) throws Exception {

		http.csrf(AbstractHttpConfigurer::disable);
		http.oauth2Login(login -> login
				.successHandler(trapsAuthenticationSuccessHandler())
				.failureHandler(trapsAuthenticationFailureHandler())
				.authorizationEndpoint(auth -> auth
						.authorizationRequestResolver(new SpringAddonsOAuth2AuthorizationRequestResolver(bootClientProperties, clientRegistrationRepository, springAddonsOidcProperties.getClient())))
				);
		http.exceptionHandling(ex -> ex
				.authenticationEntryPoint(trapsLoginUrlAuthenticationEntryPoint()));
		http.authorizeHttpRequests(auth ->
				auth.anyRequest().permitAll());
		return http.build();
	}
}

Here's the DEBUG logs:

2024-04-02 12:43:20,573 [LAP101437::] DEBUG org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder - No authenticationProviders and no parentAuthenticationManager defined. Returning null.
2024-04-02 12:43:22,569 [LAP101437::] INFO  org.springframework.security.web.DefaultSecurityFilterChain - Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@40ff56f7, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@64648af1, org.springframework.security.web.context.SecurityContextHolderFilter@238cac6, org.springframework.security.web.header.HeaderWriterFilter@273c4b3, org.springframework.web.filter.CorsFilter@42d65ffc, org.springframework.security.web.authentication.logout.LogoutFilter@48682f91, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@4c131823, org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@3e7c66b3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@4dfe5727, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3c0becae, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4adb2b87, org.springframework.security.web.access.ExceptionTranslationFilter@50e336d9, org.springframework.security.web.access.intercept.AuthorizationFilter@226f472]
2024-04-02 12:45:06,780 [LAP101437::] DEBUG org.springframework.security.authentication.DefaultAuthenticationEventPublisher - No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException

veganchamp Apr 2, 2024
Author

I've tried adding the following config but the token request isn't picking it up:

com.c4-soft.springaddons.oidc.client.token-params.b2c-retrieve.p=B2C_1A_RPRetrieveQuoteQA3
com.c4-soft.springaddons.oidc.client.token-params.b2c-save.p=B2C_1A_RPSaveQA3

Perhaps adding extra parameters to the token request is another topic altogether where I need to configure a custom .tokenEndpoint(...) I'm still not sure however why the client-id & client-secret values aren't being added to the body of the token request.

veganchamp Apr 2, 2024
Author

I managed to get the token request to work following this guide in part: https://www.baeldung.com/spring-security-custom-oauth-requests
It was more complicated however as the above guide only showed how to add params to the POST body whereas I needed the param as as a query string. Now I'm getting a similar 404 when attempting to decode the jwt, I guess I also need the p=B2C_1A_RPRetrieveQuoteQA3 query string there too, though not much documented on customising the jwt request. Man this is a pain. I going to re-accept your original answer as I'm customizing more than just the auth request.

ch4mpy Apr 2, 2024
Maintainer

Anyhow, you are building your own SecurityFilterChain with oauth2Login. As you're not using spring-addons one, tweaking spring-addons properties won't do much...

You should disable spring-addons client configuration (remove spring-addons starter if you're not using the resource-server filter-chain or leave securit-matcher property empty.

veganchamp Apr 2, 2024
Author

Thanks for all your guidance

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Azure AD B2C extra parameters with dynamic values to authorization requests #197

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 10 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Azure AD B2C extra parameters with dynamic values to authorization requests #197

veganchamp Mar 15, 2024

Replies: 1 comment · 10 replies

ch4mpy Mar 15, 2024 Maintainer

veganchamp Apr 2, 2024 Author

veganchamp Apr 2, 2024 Author

veganchamp Apr 2, 2024 Author

ch4mpy Apr 2, 2024 Maintainer

veganchamp Apr 2, 2024 Author

veganchamp
Mar 15, 2024

Replies: 1 comment 10 replies

ch4mpy
Mar 15, 2024
Maintainer

veganchamp Apr 2, 2024
Author

veganchamp Apr 2, 2024
Author

veganchamp Apr 2, 2024
Author

ch4mpy Apr 2, 2024
Maintainer

veganchamp Apr 2, 2024
Author