Hi, I'm using the 03-resource-server code (from "Which azure-spring-boot-sample-active-directory example to use to validate access token in a Spring Boot application coming from a Vue.js application?") to validate the token. But I'm getting a 401 response all the time while using Postman, and no body in the response. What might be the issue? I'm stuck on this for the last few days. Please do help.
Configuration:

```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Order(SecurityProperties.BASIC_AUTH_ORDER)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        // Every request must be authenticated; tokens are validated as JWTs
        // using the jwk-set-uri / issuer-uri from application.yml.
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                .and();
        // @formatter:on
    }
}
```
Controller:

```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class HomeController {

    // GET /api/asd - protected by the resource server configuration above
    @GetMapping("/asd")
    @ResponseBody
    public String home() {
        return "Hello, this is resource server 1.";
    }
}
```
application.yml

```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://login.microsoftonline.com/{tenant-id}/discovery/keys
          issuer-uri: https://login.microsoftonline.com/{tenant-id}/v2.0
```
pom.xml

```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>
</dependencies>
```
CodePudding user response:
Your Java code looks pretty correct. I would start with adding extra logging to your application properties file to see if that tells you anything, e.g.:

```yaml
logging:
  level:
    org:
      springframework:
        security: DEBUG
```
Next I would use a JWT viewer to see if there is a `nonce` field in the JWT header of the access token. If so then it will fail validation - see this recent answer of mine for more info on exposing an API scope in Azure AD.
Finally, you could try another library temporarily and it may give you a better explanation of the cause. See this jose4j code for an example of library based verification. You could paste that into a small Java console app and run it with an Azure access token.
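As an added illustration of the checks suggested in this answer (this is not the answerer's code, nor part of the Azure sample), the script below does what a JWT viewer does offline: it splits a token into header and payload, base64url-decodes both without verifying the signature, and reports whether the header carries a `nonce` and whether the `iss` claim matches the `issuer-uri` configured in application.yml. The two tokens it inspects are constructed inline with a dummy signature and placeholder tenant so the script runs without network access; `CONFIGURED_ISSUER`, `make_unsigned_token` and `diagnose` are names chosen here, not Spring or Azure APIs.

```python
import base64
import json

# Mirrors the issuer-uri from application.yml; {tenant-id} is a placeholder.
CONFIGURED_ISSUER = "https://login.microsoftonline.com/{tenant-id}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a constructed token with a dummy signature (demonstration only)."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.dummysig"


def decode_jwt_parts(token: str):
    """Return (header, payload) as dicts. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def diagnose(token: str, expected_issuer: str = CONFIGURED_ISSUER) -> dict:
    """Summarise the two things the answer says to look at before blaming Spring."""
    header, payload = decode_jwt_parts(token)
    return {
        # A nonce in the *header* means the token will fail validation here.
        "nonce_in_header": "nonce" in header,
        # issuer-uri is validated by the resource server; a v1.0 issuer
        # (sts.windows.net) will not match a v2.0 issuer-uri.
        "issuer_matches": payload.get("iss") == expected_issuer,
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "aud": payload.get("aud"),
    }


# Constructed sample tokens, not real Azure AD tokens.
TOKEN_FOR_API = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"iss": CONFIGURED_ISSUER, "aud": "api://constructed-app-id", "exp": 0},
)
TOKEN_WITH_NONCE = make_unsigned_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid", "nonce": "constructed-nonce"},
    {"iss": "https://sts.windows.net/{tenant-id}/", "aud": "constructed-aud", "exp": 0},
)

if __name__ == "__main__":
    for name, tok in (("token for API", TOKEN_FOR_API), ("token with nonce", TOKEN_WITH_NONCE)):
        print(name, json.dumps(diagnose(tok), indent=2))
```

Paste a real access token in place of the constructed ones; if `nonce_in_header` is true or `issuer_matches` is false, the 401 is explained by the token rather than by the Spring configuration, which is exactly what the DEBUG logging above would also show.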