Use Entra ID as Identity Provider for Client Credentials flow
I have registered an App on my Entra ID (just created as an empty placeholder, NOT connected with an azure resource like an app service; only audience: Microsoft.Graph) and I successfully retrieved a token using postman.
I have a spring boot application, running locally on my pc, that expose an API; as a test, I'm trying to "protect" programmatically this API using the jwt token from Entra:
My auth config
My .properties
I'm quite sure that the spring boot code is corretct (I've tested with a token from another Identity Provider and everything works as espected).
But when i try to use a token from Entra (valid token; jwt.io converted succesfully) I get an error like "Invalid Signature". Checking the log, I can see that the spring boot app is actually retrieving a list of certificates, so I'm assuming that the issuer-uri is correct (in any case, I take it from the converted token from jwt.io).
I do not understand the problem, any suggestion on what I'm missing? (is the audience Graph a problem?) Thanks a lot
ANOTHER TEST
I also try to validate the token programmatically (just to see if the token was malformed, invalid etc.):
For the key I'm using the modulus, exponent and encryption (RSA) retrieve from jwt.io, but still the code gave me an error of invalid token (trying the same thing with the token from the other Identity provider works fine).
Note that: The access token with aud as Microsoft Graph is not meant to be validated.
- As Microsoft Graph API is not meant for your app.
- It uses a different approach for signing, so you can't validate Graph API tokens with the same methods.
- Hence you can make use of Microsoft Graph API access token directly without validating it to call the API.
When I tried to validate the Microsoft Graph API token, I got the same error:
I generated access token with scope as https://graph.microsoft.com/.default
Hence pass the token directly without validating it and call the Microsoft Graph API.
If you want to validate the API, then add scope:
And add API permissions like below:
Generated the access token by using scope as api://ClientID/.default:
Signature verified successfully
Reference:
spring security - Verify Signature with Azure AD - Stack Overflow by junnas
- Only displays one endpoint when multiple endpoints of the same type are present with different Accept header values
- Openapi generator does not generate @XmlAttribute/@XmlElement annotations
- Cors Error when calling microservice from Vue frontend application
- Headless OAuth2 Token Refresh Fails with Spring boot and MSAL4J
- Handling optional parameters for @GetMapping("") in Spring fails RestAssured tests
- Springboot Keycloak Admin add role or reset password error
- Column name as a parameter to Spring Data JPA Query
- Setting Precedence of Multiple @ControllerAdvice @ExceptionHandlers
- OpenAPI, SpringBoot 3.x not everything uses Jakarta instead of Javax
- Build Failure: @Data Annotation won't regonize by Maven
- Tracing in RabbitListener - observationEnabled
- Upgrading to Spring Boot 3/ JDK 17/ Spring 6 - JAXB conflict issue IllegalAnnotationsException
- ClassNotFoundException: org.apache.log4j.Priority when using Filenet APIs
- How to handle long startup times in Azure App Service deployment
- Invalid value type for attribute 'factoryBeanObjectType': java.lang.String in Spring v6.1
- How to log the active configuration in a Spring Boot application?
- r2dbc with graalvm SPRING_R2DBC_URL not recognised
- Dynamically set DEBUG or INFO logging level per request based on request header in reactive Spring Boot with Log4j2
- H2-Database console not opening with Spring-Security
- H2-Console is not showing in browser
- Spring Boot - Web vs Webflux for RESTAPI
- could not inject application context in Spring Boot Unit test running with @ExtendWith(SpringExtension.class)
- Object became null in @CachePut annotation
- How can I combine @DataJpaTest @SpringBootTest in one MVC application for testing every layer?
- Spring Boot Artemis Server connect Web Console
- How to retry in the new HTTP interface in Spring 6 and Spring Boot 3
- Why is a Flux<String> being collapsed into a single String when returned via ServerResponse, unless each String element is terminated with "\n"?
- Can't run maven install
- Spring-Boot Maven, missing dependency @RestController
- How to apply Tailwind CSS style to a JTE template using Java Spring Boot?