如何从 Spring 检索 azure AD JWT 访问令牌？

Question

我试图通过查询 /token 端点从另一个应用程序的 Spring Boot 应用程序中检索 azure JWT 访问令牌，但我收到的令牌似乎不正确。

该项目有一个 Spring Boot 后端和一个 Eclipse rcp 前端。我正在尝试从 Eclipse 前端检索访问令牌。为此，我有以下控制器：

    @Autowired
    private OAuth2AuthorizedClientService authorizedClientService;

    @GetMapping("/token")
    public String user(OAuth2AuthenticationToken authentication) {

        OAuth2AuthorizedClient authorizedClient = this.authorizedClientService
                        .loadAuthorizedClient(authentication.getAuthorizedClientRegistrationId(), authentication.getName());
        return authorizedClient.getAccessToken().getTokenValue();
    }

它返回具有以下格式的令牌：

PAQABAAAAAABeAFzDwllzTYGDLh_qYbH8hgtbYMB8x7YLamQyQPk_MEXyd9Ckc5epDFQMv3RxjmMie0JDr5uN82U4RFLgU3fnDBxGolo4XVwzLEsTZDmUK_r0YG6ZwLbbQI_ch_Xn8xCxhsFq-AoRbEESDqK3GmK4eXwCYoT0G8_XfZjHTvCNTOMqUb2Q-CD2EalIKf0zSZ5184qrvlXfdNeT_BJdH_tqaodn80Bp2UL2hdnOCDZuWRqKl_2fi4v-eOOKJCcjOqY6SreVEeoKkIvVdayGE8F6qCxFehmlA0sX9sVW34FIVYVo4lDRsTkm-WN2KJwxJmalNcxg0k2ObDnIeC1ulPPpiPq-O_LK9bVA4HEZ63cJi9ZwQHwLPUhOO6TquoCOroHSy5KPoFkX3N796hM1i0NpaaY4MeAx17CSYeZ9P06jvYD7UMTV3OwWt-OVrDm5z_AvbOvyHRf9wjh31H6oLoc-iu_NCspT6NzC2UZQSHBtKdydEcP6sNkRp073jrZEg8UtcVT6HzddIBk2P0tVeIiSyU3SfLETbzJE67xtJVip3ai9aLN28c0qt3rDBaVGDAXjXhqrh5D3NiXdQjS6YTAKy0bVmNk9Yr9o2CGBA2wFjE8OZ6_Hb3k8_13KMJHafx0gAA

来自 pom.xml 的依赖项

使用 spring boot 构建，具有以下相关依赖项：

• spring-boot-starter-webv2.2.4
• azure-active-directory-spring-boot-starterv2.2.1
• spring-security-oauth2-clientv5.2.1
• spring-security-oauth2-josev5.2.1
• spring-security-oauth2-resource-serverv5.2.1

来自 application.yml 的配置

我们支持多个授权服务器，这是完全配置的azure客户端：

spring:
  security:
    oauth2:
      client:
        azure:
          client-id: XXX
          client-secret: XXX
          client-name: Microsoft
          scope: openid, https://graph.microsoft.com/user.read, profile
          authorization-grant-type: authorization_code
          redirect-uri: http://localhost:8080/login/oauth2/code/azure
          client-authentication-method: basic
          authentication-method: post
      provider:
        authorization-uri: https://login.microsoftonline.com/XXX/oauth2/authorize
        token-uri: https://login.microsoftonline.com/XXX/oauth2/token
        user-info-uri: https://login.microsoftonline.com/XXX/openid/userinfo
        jwt-set-uri: https://login.microsoftonline.com/dXXX/discovery/keys

azure:
   activedirectory:
      tenant-id: XXX
      active-directory-groups: XXX
      allow-telemetry: false

websecurityconfig.java

@Configuration
@EnableConfigurationProperties
@EnableWebSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                    [...]
                    .anyRequest().authenticated();

        http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)

        http.oauth2Login()
                .userInfoEndpoint()
                .oidcUserService(oidcUserService)
                .and()
                .authorizationEndpoint();
    }

    [...]
}

Answer 1

这就是我最终从 Azure 获取 open id 令牌的方式

@GetMapping("/token")
public String user(OAuth2AuthenticationToken authentication) {
    DefaultOidcUser user = (DefaultOidcUser) authentication.getPrincipal();
    return user.getIdToken().getTokenValue();
}