I am trying to implement Azure AD B2C security for the first time in my application, but I am facing this issue. Please help me.
Application.properties
spring.application.name=Azure B2C SSO Sample
logging.level.org.springframework.security=trace
logging.level.org.springframework.web=trace
spring.security.oauth2.client.registration.azure.client-id=d9353b2a-a3c1-49c2-9252-77fxxxxxx
spring.security.oauth2.client.registration.azure.client-secret=Idv8Q~BL1GRyirEaO-AXDaSQgFxxxxxx
spring.security.oauth2.client.registration.azure.redirect-uri=http://localhost:8080/login/oauth2/code/azure
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.client-authentication-method=post
spring.security.oauth2.client.provider.azure.issuer-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin
SecurityConfig.java
package config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated() // Secure all requests
            )
            .oauth2Login(oauth2 -> oauth2 // Configure OAuth2 Login
                .authorizationEndpoint(authorization ->
                    authorization.baseUri("/oauth2/authorize")) // Customize the authorization endpoint
                .redirectionEndpoint(redirection ->
                    redirection.baseUri("/login/oauth2/code/*")) // Customize the redirection endpoint
            )
            .logout(logout ->
                logout.logoutSuccessUrl("/").permitAll() // Redirect to home on logout
            );
        return http.build(); // Return the built HttpSecurity
    }
}
I am getting this error
Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin"
at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:231) ~[spring-security-oauth2-client-6.3.3.jar:6.3.3]
at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:152) ~[spring-security-oauth2-client-6.3.3.jar:6.3.3]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesMapper.java:97) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.getClientRegistration(OAuth2ClientPropertiesMapper.java:71) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.lambda$asClientRegistrations$0(OAuth2ClientPropertiesMapper.java:65) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
at java.base/java.util.HashMap.forEach(HashMap.java:1429) ~[na:na]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.asClientRegistrations(OAuth2ClientPropertiesMapper.java:64) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration.clientRegistrationRepository(OAuth2ClientRegistrationRepositoryConfiguration.java:49) ~[spring-boot-autoconfigure-3.3.4.jar:3.3.4]
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[na:na]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:146) ~[spring-beans-6.1.13.jar:6.1.13]
... 73 common frames omitted
I have already checked the issuer URI by opening it directly in my browser, and it returns a JSON response.
I have verified the client ID, secret, issuer URI, and redirect URI. Please help me.
issuer-uri should be set with the Issuer Identifier, not with the discovery endpoint URI. According to the OIDC discovery spec, the configuration URI is obtained by adding /.well-known/openid-configuration to the Issuer Identifier (the value of the issuer property in the OpenID configuration and the iss claim in tokens).

In your case, the issuer-uri should be https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/, as stated in the issuer value of your "OpenID configuration", and the discovery endpoint URI should be https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration.

Because of the p request parameter in your discovery URI, Spring Security gets nothing when trying to fetch the OpenID config at the standard URI it builds by appending /.well-known/openid-configuration to the issuer-uri: https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration, as instructed by the OIDC discovery spec. But as your discovery endpoint URI is https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signupsignin, it finds nothing and throws the exception you report.
To force compliance with the OIDC discovery and OpenID token specifications on Microsoft Entra ID instances, we should set api.requestedAccessTokenVersion: 2 in the application registration "Manifest" under Applications -> App registrations -> {appName} -> Manifest -> Microsoft Graph App Manifest (New). Maybe this works with the older AAD B2C instances too... This property was formerly named accessTokenAcceptedVersion, and the "Manifest" is sometimes referred to as the "metadata file".
Set the spring.security.oauth2.client.provider.{provider-id}.issuer-uri property with the Issuer Identifier, not with the discovery URI, and do it only when configuring an actual OIDC Provider (the api.requestedAccessTokenVersion or accessTokenAcceptedVersion property is set to 2 in the manifest). Otherwise, leave it empty and set each of the other provider URI properties manually, using the values from your OpenID configuration for the jwk-set, token and authorization endpoints.
Another option is to use an authorization server correctly implementing the OIDC standard by default instead or in front of your Microsoft authorization server: Keycloak, Auth0, Amazon Cognito, etc.
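The second option described above (issuer-uri left unset, every endpoint given explicitly), written out as an added application.properties that is not part of the original post. The policy-specific endpoint URLs are assumed placeholders following the usual B2C layout; copy the real values from the authorization_endpoint, token_endpoint and jwks_uri fields of your own OpenID configuration document for the B2C_1_signupsignin policy.

```properties
spring.application.name=Azure B2C SSO Sample

spring.security.oauth2.client.registration.azure.client-id=<client-id>
spring.security.oauth2.client.registration.azure.client-secret=<client-secret>
spring.security.oauth2.client.registration.azure.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.azure.client-authentication-method=client_secret_post
spring.security.oauth2.client.registration.azure.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.azure.scope=openid

# Option 1 (only when the app registration issues v2 tokens, i.e. api.requestedAccessTokenVersion is 2):
# give the Issuer Identifier, never the discovery URL; Spring appends /.well-known/openid-configuration itself.
# spring.security.oauth2.client.provider.azure.issuer-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/v2.0/

# Option 2: no issuer-uri, so no discovery request is made at startup and every endpoint is set explicitly.
# Assumed placeholder URLs: replace them with the values from your OpenID configuration document.
spring.security.oauth2.client.provider.azure.authorization-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/B2C_1_signupsignin/oauth2/v2.0/authorize
spring.security.oauth2.client.provider.azure.token-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/B2C_1_signupsignin/oauth2/v2.0/token
spring.security.oauth2.client.provider.azure.jwk-set-uri=https://learningakash.b2clogin.com/learningakash.onmicrosoft.com/B2C_1_signupsignin/discovery/v2.0/keys
# If the OpenID configuration lists no userinfo_endpoint, leave user-info-uri unset;
# the principal name is then taken from the ID token's sub claim.
spring.security.oauth2.client.provider.azure.user-name-attribute=sub
```

With option 2 the jwk-set-uri is what lets Spring Security verify the ID token signature, so it must point at the key set for the same policy that issued the token.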