Accessing the Microsoft Graph API in Vaadin 23+ with Spring Security + Azure AD

Posted 2025-01-25 05:29:16


I'm developing an enterprise Vaadin application and I'd like to know if anyone has figured out how I can obtain the JWT token to make a request (from the backend) to the Graph API to fetch additional user details.

My security configuration looks like this. What I achieve with this configuration is an SSO experience: just by entering the site, the user is redirected to the MS authentication portal and redirected back when authenticated.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {

    // OIDC user service supplied by the Azure AD starter; maps the ID token / userinfo to an OidcUser
    private final OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    public SecurityConfiguration(OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService) {
        this.oidcUserService = oidcUserService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Vaadin defaults first (static resources, internal requests), then OIDC login on top
        super.configure(http);
        http.oauth2Login().userInfoEndpoint().oidcUserService(oidcUserService);
    }
}

On application.properties I have the following settings:

azure.activedirectory.tenant-id=my_tenant_id
azure.activedirectory.client-id=my_client_id
azure.activedirectory.client-secret=my_secret_key
azure.activedirectory.redirect-uri-template=http://localhost:8080/login/oauth2/code/

and in pom.xml:

<dependencyManagement>
...
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-bom</artifactId>
        <version>${azure.version}</version>
        <type>pom</type>
        <scope>import</scope>
    </dependency>
...
</dependencyManagement>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure.spring</groupId>
        <artifactId>azure-spring-boot-starter-active-directory</artifactId>
    </dependency>
...

From a REST endpoint, it's well documented how I should be able to retrieve the token and make a call:

@GetMapping("/graph")
@ResponseBody
public String graph(
    @RegisteredOAuth2AuthorizedClient("graph") OAuth2AuthorizedClient graphClient
) {
    // toJsonString() is just a demo.
    // oAuth2AuthorizedClient contains access_token. We can use this access_token to access the resource server.
    return toJsonString(graphClient);
}

Also, on AAD for this application I've set up the API permissions User.Read and Calendars.ReadWrite that allow accessing the Graph API.

Questions:

  • I'm missing something on the application.properties to configure the permissions.
  • I have no idea of what bean I need to @Autowire to access the token from the user-specific context in Vaadin scope.

Remarks:

  • I'm using 'normal' authentication and the application is for the same company that has the O365 account. It's not multi-tenant or B2C.
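An added example (written for this page; it is not code from the question, from any answer, or from the Azure or Vaadin projects): a Spring service that resolves the signed-in user's Graph access token from inside a Vaadin view, where Spring MVC's `@RegisteredOAuth2AuthorizedClient` argument resolver is not available, and then calls Graph's `/me` endpoint from the backend. It assumes Vaadin 23 on Spring Boot 2.x (javax.servlet), that the `OAuth2AuthorizedClientRepository` bean provided by the Azure AD starter / Spring Security is on the context, and that a `graph` authorization client has been declared in application.properties with `azure.activedirectory.authorization-clients.graph.scopes`, the property the Azure AD starter uses to request additional scopes (that declaration is what the question's application.properties is missing). The class name `GraphUserService`, the method names and the package are mine.

```java
// Added example, not from the original post.
// Matching application.properties entry (assumed; registration id "graph" must match GRAPH_REGISTRATION_ID below):
//   azure.activedirectory.authorization-clients.graph.scopes=https://graph.microsoft.com/User.Read,https://graph.microsoft.com/Calendars.ReadWrite
package com.example.graph; // hypothetical package

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Instant;
import java.util.Optional;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Service;

import com.vaadin.flow.server.VaadinServletRequest;

@Service
public class GraphUserService {

    private static final String GRAPH_ME = "https://graph.microsoft.com/v1.0/me";
    private static final String GRAPH_REGISTRATION_ID = "graph";

    // Spring Security / Azure AD starter bean that stores per-user authorized clients
    private final OAuth2AuthorizedClientRepository authorizedClients;
    private final HttpClient http = HttpClient.newHttpClient();

    public GraphUserService(OAuth2AuthorizedClientRepository authorizedClients) {
        this.authorizedClients = authorizedClients;
    }

    /**
     * Returns the Graph access token of the user behind the current Vaadin request,
     * or empty when there is no authenticated user, no request in scope (e.g. a
     * background thread), no "graph" client for this user, or the token has expired.
     * The token never leaves the server: callers use it only for backend-to-Graph calls.
     */
    public Optional<OAuth2AccessToken> currentGraphToken() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        VaadinServletRequest vaadinRequest = VaadinServletRequest.getCurrent();
        if (auth == null || !auth.isAuthenticated() || vaadinRequest == null) {
            return Optional.empty();
        }
        HttpServletRequest request = vaadinRequest.getHttpServletRequest();
        OAuth2AuthorizedClient client =
                authorizedClients.loadAuthorizedClient(GRAPH_REGISTRATION_ID, auth, request);
        if (client == null) {
            return Optional.empty(); // registration id mismatch, or no consent for the scopes
        }
        OAuth2AccessToken token = client.getAccessToken();
        Instant expiresAt = token.getExpiresAt();
        if (expiresAt != null && expiresAt.isBefore(Instant.now())) {
            return Optional.empty(); // do not send a stale bearer token to Graph
        }
        return Optional.of(token);
    }

    /** Calls GET /me with the current user's delegated token and returns the JSON body. */
    public String fetchMe() throws Exception {
        OAuth2AccessToken token = currentGraphToken()
                .orElseThrow(() -> new IllegalStateException("no valid Graph token for the current user"));
        HttpRequest req = HttpRequest.newBuilder(URI.create(GRAPH_ME))
                .header("Authorization", "Bearer " + token.getTokenValue())
                .header("Accept", "application/json")
                .GET()
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // 401 here usually means the token was issued for a different audience or has been revoked
            throw new IllegalStateException("Graph returned HTTP " + resp.statusCode());
        }
        return resp.body();
    }
}
```

Inject `GraphUserService` into a view and call `fetchMe()` from the view constructor or a click listener, i.e. on the request thread, so that `VaadinServletRequest.getCurrent()` and the `SecurityContextHolder` are populated; a `@Push` or scheduled-task thread has neither. Keep the token and the Graph call on the server: the UI only needs the resulting user details, and forwarding the bearer token to the browser would turn any XSS in the Vaadin app into a Graph token theft.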

Answers (1)

笑梦风尘 2025-02-01 05:29:16


I need some more clarification about the login: is the login completely handled by the MS Authentication portal?

I think you can add some more filtering on your WebSecurityConfiguration class to permit login with other IP:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilter(accessTokenProcessingFilter())
        .authenticationProvider(preAuthenticatedAuthenticationProvider())
        .exceptionHandling().and()
        .headers().and()
        .sessionManagement().sessionCreationPolicy(STATELESS).and()
        .securityContext().and()
        .anonymous().and()
        .authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()

...
