Spring Security, Powered by MSAL Part 1 (Client Auth)

In this Three-Part Series, We will discuss 3 different modes of integrating Microsoft Authentication Library (MSAL) into your Spring boot Application.

1. Client Auth.
2. Resource Server.
3. Client Auth + Resource Server.

Introduction

Spring Security

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

Microsoft Authentication Library

The Microsoft Authentication Library (MSAL) enables developers to acquire tokens from the Microsoft identity platform in order to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.

Use Case

Let’s say your organization has an Azure Active Directory that contains all the users you would like to have access to your application, you can use MSAL to achieve the desired Authentication or Authorization needs.

In this article, we will look into the most common use case; The Client Auth mode.

1. Regular Client Auth
   In this mode, the user will have access to your application if and only if they are in your Azure Active Directory.
   User Roles can also be achieved by adding the user into different Azure Active Directory Groups (Security). These groups can be then be passed alone as Roles to the Spring Security Context.
2. Restricted Client Auth
   In this Case, the user needs to be both present in the Azure Active Directory and also be added as a member of the App Registration for them to be granted Access.

Code Implementation

Dependencies

<properties>
    <java.version>11</java.version>
    <azure.version>3.11.0</azure.version>
</properties>
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-starter-active-directory</artifactId>
        <version>${azure.version}</version>
    </dependency>
    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>31.0.1-jre</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

application.yml

azure:
  activedirectory:
    tenant-id: ${AZURE_TENANT_ID}
    client-id: ${AZURE_CLIENT_ID}
    client-secret: ${AZURE_CLIENT_SECRET}
    post-logout-redirect-uri: http://localhost:8080
    authorization-clients:
      azure:
        scopes: https://graph.microsoft.com/User.Read
    user-group:
      allowed-group-names: group_name_1, group_name_2

SecurityAdapter

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OAuth2Config extends AADWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().anyRequest().authenticated().and().oauth2Login();
    }
}

With these changes, we have successfully secured our application with MSAL using the Client Auth Mode.

AZURE_TENANT_ID and AZURE_CLIENT_ID can be gotten from the properties of the App Registration as shown below:

And the AZURE_CLIENT_SECRET needs to be created in the Certificates & secrets section of the App Registration.

Restricted Client Auth

To control whether the user is automatically granted access to the Application, or they need to be manually assigned, Go to the Enterprise Application view of the App Registration, and then the Properties page.

Role Management

The allowed-group-names section of the application.yml specifies the possible groups to which the user can belong, and Spring Security converts them into Roles, so if the current logged in user belongs to group_name_1 , the role would be ROLE_group_name_1 . You can then, proceed to use this role in the Security Config in the SecurityAdapter.

The source code for this article can be found on Github.