getting 401 error while trying to validate a azure token-CodePudding

Hi I'm using the Which azure-spring-boot-sample-active-directory example to use to validate access token in a Spring Boot application coming from a Vue.js application? 03-resource-server code to validate the token. But I'm getting an 401 response all the time while using Postman and no Body in response. what might be the issue? I'm stuck on this for last few days Please do help

Configuration:

@EnableWebSecurity
@Order(SecurityProperties.BASIC_AUTH_ORDER)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .oauth2ResourceServer()
            .jwt()
            .and();
}
}

Controller :

@RestController
@RequestMapping("/api")
public class HomeController {

@GetMapping("/asd")
@ResponseBody
public String home() {
    return "Hello, this is resource server 1.";
}
}

application.yml

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://login.microsoftonline.com/{tenant-id}/discovery/keys
          issuer-uri: https://login.microsoftonline.com/{tenant-id}/v2.0

pom.xml

<dependencies>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

CodePudding user response：

Your Java code looks pretty correct. I would start with adding extra logging to your application properties file to see if that tells you anything, eg:

logging:
  level:
    org:
      springframework:
        security: DEBUG

Next I would use a JWT viewer to see if there is a nonce field in the JWT header of the access token. If so then it will fail validation - see this recent answer of mine for more info on exposing an API scope in Azure AD.

Finally, you could try another library temporarily and it may give you a better explanation of the cause. See this jose4j code for an example of library based verification. You could paste that into a small Java console app and run it with an Azure access token.