Windows Live Single Sign-On (SSO) SpringBoot OAuth without spring-cloud-azure-starter-active-directory | Windows Live SSO

ingvard

Maksim Stepachev

Posted on May 24, 2024

Hey there. These are my developer's notes on configuring Spring Boot OAuth for Microsoft sign-in without any additional libraries.

There are many examples of SSO configurations for Microsoft identity providers on the internet. Unfortunately, all of them require an extra dependency such as spring-cloud-azure-starter-active-directory, for example:

Spring Boot Starter for Microsoft Entra developer's guide

Add sign-in with Microsoft Entra account to a Spring web app

This surprised me, because at that point I already had several integrations built on org.springframework.boot:spring-boot-starter-oauth2-client without any additional libraries.
Spring already ships well-prepared configurations for auth providers in the CommonOAuth2Provider enum: GOOGLE, GITHUB, FACEBOOK and OKTA. MICROSOFT, however, is not included.

I used CommonOAuth2Provider as a template and created the following configuration.

Register a new provider:

spring.security.oauth2.client.provider.microsoft.issuer-uri=https://login.microsoftonline.com/<Tenant ID>/v2.0

Configure this provider:

spring.security.oauth2.client.registration.microsoft.client-id=<client_id>
spring.security.oauth2.client.registration.microsoft.client-secret=<client_secret>
spring.security.oauth2.client.registration.microsoft.redirect-uri=https://<your_redirect_url>/<your_path>/microsoft
spring.security.oauth2.client.registration.microsoft.scope=openid,profile,email

To complete this configuration you need:

  1. Tenant ID, client_id and client_secret, which are created by following this official guide.
  2. redirectUri, which is configured on the Spring side as described in this instruction.

It works, but it only lets me sign in as a user who already exists in my Azure tenant's AD. If I try to use my Skype account, I get the following error message, even though I selected: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

AADSTS50020: User account 'username@google.com' from identity provider 'https://sts.windows.net/852cfa84-de9a-40a5-a885-2517e9aa919e/' does not exist in tenant 'yourdomen.org' and cannot access the application 'd390cb06-2da2-483d-a0fd-0ecbef3fb8e2'(Your application) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

I found a few solutions to this, such as creating an application of the B2C type or switching to automatically adding external users to the Active Directory. This is a strange solution, and I was still curious why some WordPress integrations work without this problem.

I tried to find out how those plugins are configured and, as a result, came up with the following configuration.

Register the provider from scratch (do not use the issuer-uri from the previous example here):

spring.security.oauth2.client.provider.microsoft.authorization-uri=https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
spring.security.oauth2.client.provider.microsoft.token-uri=https://login.microsoftonline.com/consumers/oauth2/v2.0/token
spring.security.oauth2.client.provider.microsoft.jwk-set-uri=https://login.microsoftonline.com/consumers/discovery/v2.0/keys

Configure this provider:

spring.security.oauth2.client.registration.microsoft.client-id=<client_id>
spring.security.oauth2.client.registration.microsoft.client-secret=<client_secret>
spring.security.oauth2.client.registration.microsoft.redirect-uri=https://<your_redirect_url>/<your_path>/microsoft
spring.security.oauth2.client.registration.microsoft.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.microsoft.scope=openid,profile,email

This set of properties lets me sign in with my personal account without any additional Active Directory configuration. Note that the registration id and the provider id must both be "microsoft": Spring looks up the provider by the registration id when no explicit provider is set.
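The same "consumers" registration expressed as a Java bean instead of properties, added here as an example that is not from the original post. It mirrors what CommonOAuth2Provider does for the built-in providers; the property names app.microsoft.client-id and app.microsoft.client-secret are assumed placeholders for wherever you keep the credentials.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;

@Configuration
public class MicrosoftConsumersOAuth2Config {

    // Assumed property names; load the secret from a vault or environment, never from source control.
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(
            @Value("${app.microsoft.client-id}") String clientId,
            @Value("${app.microsoft.client-secret}") String clientSecret) {
        return new InMemoryClientRegistrationRepository(microsoft(clientId, clientSecret));
    }

    private static ClientRegistration microsoft(String clientId, String clientSecret) {
        return ClientRegistration.withRegistrationId("microsoft")
                .clientId(clientId)
                .clientSecret(clientSecret)
                // Spring's default for authorization_code with a secret; same as the properties setup.
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Spring's default template; the expanded URL must exactly match the
                // redirect URI registered for the app in the Azure portal.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                // openid turns on OIDC login, so the ID token is verified, not just the code exchange.
                .scope("openid", "profile", "email")
                // "consumers" endpoints: personal Microsoft accounts only, no tenant membership needed.
                .authorizationUri("https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize")
                .tokenUri("https://login.microsoftonline.com/consumers/oauth2/v2.0/token")
                // Signing keys used to validate the ID token signature; no issuer-uri, so no discovery.
                .jwkSetUri("https://login.microsoftonline.com/consumers/discovery/v2.0/keys")
                // Stable user identifier from the ID token (email is not guaranteed unique or present).
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .clientName("Microsoft")
                .build();
    }
}
```

Because no issuer-uri is set, Spring cannot fetch the provider metadata, so the three endpoint URLs above are the whole trust configuration and must be kept exact.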

I hope this developer's note will be useful to someone and save you time searching.
