Tags: java, spring-boot, azure-active-directory, azure-ad-b2c

Microsoft: Unable to resolve Configuration with the provided Issuer


I am trying to implement azure ad b2c security for the first time in my application, but facing this issue. Please help me.

Application.properties

spring.application.name=Azure B2C SSO Sample

logging.level.org.springframework.security=trace
logging.level.org.springframework.web=trace

spring.security.oauth2.client.registration.azure.client-id=d9353b2a-a3c1-49c2-9252-77fxxxxxx
spring.security.oauth2.client.registration.azure.client-secret=Idv8Q~BL1GRyirEaO-AXDaSQgFxxxxxx

spring.security.oauth2.client.registration.azure.redirect-uri=http://localhost:8080/login/oauth2/code/azure
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.client-authentication-method=post
spring.security.oauth2.client.provider.azure.issuer-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin

SecurityConfig.java

package config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated() // Secure all requests
            )
            .oauth2Login(oauth2 -> oauth2 // Configure OAuth2 Login
                .authorizationEndpoint(authorization -> 
                    authorization.baseUri("/oauth2/authorize")) // Customize the authorization endpoint
                .redirectionEndpoint(redirection -> 
                    redirection.baseUri("/login/oauth2/code/*")) // Customize the redirection endpoint
            )
            .logout(logout -> 
                logout.logoutSuccessUrl("/").permitAll() // Redirect to home on logout
            );

        return http.build(); // Return the built HttpSecurity
    }
}

I am getting this error

Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin"
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:231) ~[spring-security-oauth2-client-6.3.3.jar:6.3.3]
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:152) ~[spring-security-oauth2-client-6.3.3.jar:6.3.3]
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesMapper.java:97) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.getClientRegistration(OAuth2ClientPropertiesMapper.java:71) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.lambda$asClientRegistrations$0(OAuth2ClientPropertiesMapper.java:65) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
    at java.base/java.util.HashMap.forEach(HashMap.java:1429) ~[na:na]
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.asClientRegistrations(OAuth2ClientPropertiesMapper.java:64) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration.clientRegistrationRepository(OAuth2ClientRegistrationRepositoryConfiguration.java:49) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[na:na]
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:146) ~[spring-beans-6.1.13.jar:6.1.13]
    ... 73 common frames omitted

I have already checked the issuer URI directly in my browser, and it returns a JSON response.

I have verified the client ID, secret, issuer URI, and redirect URI. Please help me.


Solution

  • The issuer-uri should be set with the Issuer Identifier, not with the discovery endpoint URI

    According to the OIDC discovery spec, the configuration URI is obtained by appending /.well-known/openid-configuration to the Issuer Identifier (the value of the issuer property in the OpenID configuration and of the iss claim in tokens).

    In your case, the issuer-uri should be https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/, as stated in the issuer value of your "OpenID configuration", and the discovery endpoint URI should be https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration

    By default, Microsoft authorization servers are not OIDC Providers

    Because of the p request parameter in your discovery URI, Spring Security gets nothing when it tries to fetch the OpenID configuration at the standard URI it builds by appending /.well-known/openid-configuration to the issuer-uri, as instructed by the OIDC discovery spec: https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration. Your discovery endpoint URI is https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin, so it finds nothing and throws the exception you report.

    To force compliance with the OIDC discovery and OpenID token specifications on Microsoft Entra ID instances, we should set api.requestedAccessTokenVersion: 2 in the application registration "Manifest" under Applications -> App registrations -> {appName} -> Manifest -> Microsoft Graph App Manifest (New). Maybe this works with the older AAD B2C instances too... This property was formerly named accessTokenAcceptedVersion, and the "Manifest" is sometimes referred to as the "metadata file".

    Solution

    Set the spring.security.oauth2.client.provider.{provider-id}.issuer-uri property with the Issuer Identifier, not with the discovery URI, and do it only when configuring an actual OIDC Provider (the api.requestedAccessTokenVersion or accessTokenAcceptedVersion property is set to 2 in the manifest). Otherwise, leave it empty and set manually each of the other URI properties for providers, using the values from your OpenID configuration for the jwk-set, token and authorization endpoints.

    Another option is to use an authorization server that correctly implements the OIDC standard by default, either instead of or in front of your Microsoft authorization server: Keycloak, Auth0, Amazon Cognito, etc.
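As an added illustration of the two configurations the answer describes (not part of the question or the answer), here is the provider section of application.properties written both ways, with the line from the question that triggers the exception kept as a comment for comparison. Assumptions: the secret is read from an environment variable named AZURE_CLIENT_SECRET (name chosen for this example), client_secret_post is used because Spring Security 6 spells the client authentication method that way, and the three endpoint values under option 2 are placeholders in the shape Azure AD B2C publishes; copy the real authorization_endpoint, token_endpoint and jwks_uri out of the discovery document you opened in the browser. Pick option 1 only if the provider is a real OIDC Provider (manifest set as the answer describes), because Spring Security also checks that the issuer value in the document it fetches is identical to the configured issuer-uri; otherwise use option 2.

```properties
spring.application.name=Azure B2C SSO Sample

spring.security.oauth2.client.registration.azure.client-id=d9353b2a-a3c1-49c2-9252-77fxxxxxx
# Read the client secret from the environment instead of committing it with the config.
# AZURE_CLIENT_SECRET is an assumed variable name for this example.
spring.security.oauth2.client.registration.azure.client-secret=${AZURE_CLIENT_SECRET}
spring.security.oauth2.client.registration.azure.redirect-uri=http://localhost:8080/login/oauth2/code/azure
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
# Spring Security 6 name for sending the secret in the token request body.
spring.security.oauth2.client.registration.azure.client-authentication-method=client_secret_post
spring.security.oauth2.client.registration.azure.scope=openid

# --- Option 1: the provider is a real OIDC Provider ---
# Set ONLY the Issuer Identifier. Spring Security appends /.well-known/openid-configuration
# itself and then requires the "issuer" value in the fetched document to equal this string.
#
# WRONG (the discovery URL from the question; Spring appends the well-known path to it
# and gets no document back, which is the IllegalArgumentException in the question):
# spring.security.oauth2.client.provider.azure.issuer-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin
#
# RIGHT (the Issuer Identifier, as given in the "issuer" field of the discovery document):
spring.security.oauth2.client.provider.azure.issuer-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/

# --- Option 2: provider is not OIDC-compliant, so no issuer-uri at all ---
# Leave issuer-uri unset and copy each endpoint from the discovery document instead.
# The values below are placeholders in the shape B2C publishes (policy passed as ?p=);
# replace them with the authorization_endpoint, token_endpoint and jwks_uri of your document.
# spring.security.oauth2.client.provider.azure.authorization-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signupsignin
# spring.security.oauth2.client.provider.azure.token-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_signupsignin
# spring.security.oauth2.client.provider.azure.jwk-set-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signupsignin
```

With option 2 the policy-specific URIs are what reach the provider, so the ?p= parameter that the standard discovery path cannot carry is preserved; with option 1 a mismatch between the configured issuer-uri and the document's issuer field fails at startup rather than at login, which is the check worth running first when the exception above appears.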