Windows Live Single Sign-On (SSO): Spring Boot OAuth without spring-cloud-azure-starter-active-directory
Maksim Stepachev
Posted on May 24, 2024
Hey there. These are my developer's notes about configuring Spring Boot OAuth without additional libraries.
There are so many examples of SSO configurations for Microsoft identity providers on the internet. Unfortunately, all of them require an extra dependency like spring-cloud-azure-starter-active-directory, for example:
- Spring Boot Starter for Microsoft Entra developer's guide
- Add sign-in with Microsoft Entra account to a Spring web app
It surprised me because at that moment I already had several integrations via org.springframework.boot:spring-boot-starter-oauth2-client without any additional libraries.
Spring already ships well-prepared configurations for common auth providers, stored in CommonOAuth2Provider. These providers include GOOGLE, GITHUB, FACEBOOK and OKTA. However, MICROSOFT is not included.
I used CommonOAuth2Provider as an example and created the following configuration.
Register a new provider:
spring.security.oauth2.client.provider.microsoft.issuer-uri=https://login.microsoftonline.com/<Tenant ID>/v2.0
Configure this provider:
spring.security.oauth2.client.registration.microsoft.clientId=<client_id>
spring.security.oauth2.client.registration.microsoft.clientSecret=<client_secret>
spring.security.oauth2.client.registration.microsoft.redirectUri=https://<your_redirect_url>/<your_path>/microsoft
spring.security.oauth2.client.registration.microsoft.scope=openid,profile,email
To complete this configuration you need to have:
- Tenant ID, client_id and client_secret, which are created by following this official guide.
- redirectUri, which is configured on the Spring side by this instruction.
It works, but it only allows me to sign in as a user who already exists in my Azure tenant's AD. If I try to use my Skype account, it leads to the following error message, even though I have chosen "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
AADSTS50020: User account 'username@google.com' from identity provider 'https://sts.windows.net/852cfa84-de9a-40a5-a885-2517e9aa919e/' does not exist in tenant 'yourdomen.org' and cannot access the application 'd390cb06-2da2-483d-a0fd-0ecbef3fb8e2'(Your application) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have found a few solutions to this, such as creating an application of the B2C type or switching to automatically adding external users to the Active Directory. This is a strange solution, but I am still interested in why some WordPress integrations work without this problem.
I tried to find out how they configure their plugins for it, and as a result created the following configuration for us.
Register the provider from scratch (don't use issuer-uri from the previous example here):
spring.security.oauth2.client.provider.microsoft.authorization_uri=https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
spring.security.oauth2.client.provider.microsoft.token_uri=https://login.microsoftonline.com/consumers/oauth2/v2.0/token
spring.security.oauth2.client.provider.microsoft.jwk_set_uri=https://login.microsoftonline.com/consumers/discovery/v2.0/keys
Configure this provider:
spring.security.oauth2.client.registration.microsoft.clientId=<client_id>
spring.security.oauth2.client.registration.microsoft.clientSecret=<client_secret>
spring.security.oauth2.client.registration.microsoft.redirectUri=https://<your_redirect_url>/<your_path>/microsoft
spring.security.oauth2.client.registration.microsoft.authorization_grant_type=authorization_code
spring.security.oauth2.client.registration.microsoft.scope=openid,profile,email
This set of configurations lets me sign in with my personal account without additional configuration of the Active Directory.
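As an added example (not code from the post), here is a Java security configuration to pair with the second set of properties above. It assumes a hypothetical property app.oauth2.microsoft.expected-issuer, whose value you take from the "issuer" field of the consumers discovery document, and it reuses the <your_path> placeholder from the redirectUri. Two points matter in practice: a custom redirectUri only works if Spring is told that /<your_path>/* is the redirection endpoint (the default is /login/oauth2/code/*), and once issuer-uri is dropped the built-in OidcIdTokenValidator has no issuer to compare the ID token's iss claim against, so this configuration pins the expected issuer explicitly while keeping the audience and timestamp checks.

```java
package com.example.sso; // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MicrosoftLoginConfig {

    // Hypothetical property (not on the original page): the exact "iss" value that
    // ID tokens from the consumers endpoints carry. Copy it from the "issuer" field of
    // https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration
    // into application.properties so the value is pinned, not discovered at runtime.
    @Value("${app.oauth2.microsoft.expected-issuer}")
    private String expectedIssuer;

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(login -> login
                // redirectUri in the properties ends in /<your_path>/microsoft. Spring only
                // handles a request as the OAuth2 callback when it matches the redirection
                // endpoint base URI, so the default /login/oauth2/code/* is overridden here.
                // Replace <your_path> with the same path segment used in redirectUri.
                .redirectionEndpoint(endpoint -> endpoint.baseUri("/<your_path>/*")));
        return http.build();
    }

    // oauth2Login picks up a JwtDecoderFactory<ClientRegistration> bean for decoding
    // and validating ID tokens; the decoder verifies the signature against jwk_set_uri.
    @Bean
    JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        factory.setJwtValidatorFactory(this::idTokenValidator);
        return factory;
    }

    // Claim validators applied after signature verification. The stock factory uses the
    // first two; the third adds the issuer check that is otherwise skipped when the
    // registration has no issuer-uri.
    private OAuth2TokenValidator<Jwt> idTokenValidator(ClientRegistration registration) {
        return new DelegatingOAuth2TokenValidator<>(
            new JwtTimestampValidator(),             // exp / nbf with default clock skew
            new OidcIdTokenValidator(registration),  // aud contains client_id, sub and iat present
            new JwtIssuerValidator(expectedIssuer)); // iss equals the pinned issuer
    }
}
```

The issuer is pinned rather than fetched so that a change in what the discovery document reports cannot silently widen which tokens the application accepts; if Microsoft ever changes the value, sign-in fails loudly and the property is updated deliberately.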
I hope this developer's note will be useful to someone and save you time searching.