Skip to content

Commit

Permalink
update readmes of aad starter and backend sample (#17855)
Browse files Browse the repository at this point in the history
  • Loading branch information
yiliuTo authored Nov 27, 2020
1 parent c21791e commit e68bbf1
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 31 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,6 @@ azure.activedirectory.user-group.object-id-key=id

Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).

The sample retrieves user's group membership using Azure AD graph API which requires the registered app to have `Directory.AccessAsUser.All` "Access the directory as the signed-in user" under `Delegated Permissions`. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission. You can follow the below steps:

* In the list of pages for the app, select **API permissions**
- Click the **Add a permission** button and then,
- Ensure that the **Microsoft APIs** tab is selected
- In the *Commonly used Microsoft APIs* section, click on **Microsoft Graph**
- In the **Delegated permissions** section, ensure that the right permissions are checked: **Directory.AccessAsUser.All**
- Select the **Add permissions** button
### Configure groups for sign in user

In order to try the authorization action with this sample with minimum effort, [configure the user and groups in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-create-azure-portal), configure the user with `group1`.
Expand All @@ -34,8 +26,8 @@ In order to try the authorization action with this sample with minimum effort, [

```properties
azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
azure.activedirectory.client-id=xxxxxx-your-client-id-xxxxxx
azure.activedirectory.client-secret=xxxxxx-your-client-secret-xxxxxx
spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
# It's suggested the logged in user should at least belong to one of the below groups
# If not, the logged in user will not be able to access any authorization controller rest APIs
azure.activedirectory.user-group.allowed-groups=group1, group2
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,6 @@ This sample illustrates how to use `azure-spring-boot-starter-active-directory`

Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code#register-your-application-with-your-ad-tenant).

The sample retrieves user's group membership using Azure AD graph API which requires the registered app to have `Directory.AccessAsUser.All` "Access the directory as the signed-in user" under `Delegated Permissions`. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission.
You can follow the below steps:

* In the list of pages for the app, select **API permissions**
- Click the **Add a permission** button
- Ensure that the **Microsoft APIs** tab is selected
- In the *Supported legacy APIs* section, click on **Azure Active Directory Graph**
- In the **Delegated permissions** section, ensure that the right permissions are checked: **Directory.AccessAsUser.All**
- Select the **Add permissions** button

### Platform configurations

![Platform configurations](docs/image-platform-configurations.png "Platform configurations")
Expand All @@ -35,8 +25,8 @@ In order to try the authorization action with this sample with minimum effort, [
### Configure application.properties
```properties
azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
azure.activedirectory.client-id=xxxxxx-your-client-id-xxxxxx
azure.activedirectory.client-secret=xxxxxx-your-client-secret-xxxxxx
spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
# It's suggested the logged in user should at least belong to one of the below groups
# If not, the logged in user will not be able to access any authorization controller rest APIs
azure.activedirectory.user-group.allowed-groups=group1, group2
Expand Down
20 changes: 11 additions & 9 deletions sdk/spring/azure-spring-boot-starter-active-directory/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,8 +67,8 @@ Please refer to [azure-spring-boot-sample-active-directory-backend](https://gith
#### Configure application.properties:
```properties
azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
azure.activedirectory.client-id=xxxxxx-your-client-id-xxxxxx
azure.activedirectory.client-secret=xxxxxx-your-client-secret-xxxxxx
spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
azure.activedirectory.user-group.allowed-groups=group1, group2
```

Expand Down Expand Up @@ -184,16 +184,18 @@ The roles you want to use within your application have to be [set up in the mani
application registration](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps).

### Using The Microsoft Graph API
By default, azure-spring-boot is set up to utilize the Azure AD Graph. If you would prefer, it can be set up to utilize the Microsoft Graph instead. In order to do this, you will need to update the app registration in Azure to grant the application permissions to the Microsoft Graph API and add some properties to the application.properties file.
By default, azure-spring-boot is set up to utilize the Microsoft Graph. If you would prefer, it can be set up to utilize the Azure AD Graph instead. In order to do this, you will need to update the app registration in Azure to grant the application permissions to the Azure AD Graph API and add some properties to the application.properties file.

* **Grant permissions to the application**: After application registration succeeded, go to API permissions - Add a permission, select `Microsoft Graph`, select Delegated permissions, tick `Directory.AccessAsUser.All - Access the directory as the signed-in user` and `Use.Read - Sign in and read user profile`. Click `Add Permissions` (Note: you will need administrator privilege to grant permission). Furthermore, you can remove the API permissions to the Azure Active Directory Graph, as these will not be needed.
* **Grant permissions to the application**: After application registration succeeded, go to API permissions - Add a permission, select `Azure Active Directory Graph`, select Delegated permissions, tick `Directory.AccessAsUser.All - Access the directory as the signed-in user` and `Use.Read - Sign in and read user profile`. Click `Add Permissions` (Note: you will need administrator privilege to grant permission). Furthermore, you can remove the API permissions to the Microsoft Graph, as these will not be needed.

* **Configure your `application properties`**:
```properties
azure.activedirectory.environment=global-v2-graph
azure.activedirectory.user-group.key=@odata.type
azure.activedirectory.user-group.value=#microsoft.graph.group
azure.activedirectory.user-group.object-id-key=id
spring.security.oauth2.client.provider.azure.authorization-uri=https://login.microsoftonline.com/common/oauth2/authorize
spring.security.oauth2.client.provider.azure.token-uri=https://login.microsoftonline.com/common/oauth2/token
spring.security.oauth2.client.provider.azure.user-info-uri=https://login.microsoftonline.com/common/openid/userinfo
spring.security.oauth2.client.provider.azure.jwk-set-uri=https://login.microsoftonline.com/common/discovery/keys
#
spring.security.oauth2.client.registration.azure.scope=openid, https://graph.windows.net/user.read, {your-customized-scope}
```

If you're using [Azure China](https://docs.microsoft.com/azure/china/china-welcome), please set the environment property in the `application.properties` file to:
Expand All @@ -208,7 +210,7 @@ Please refer to [azure-spring-boot-sample-active-directory-backend-v2](https://g

By default, `azure-spring-boot-starter-active-directory` configures scopes of `openid`, `profile` and `https://graph.microsoft.com/user.read` to implement OpenID Connect protocol and access of Microsoft Graph API. For customization of scope, developers need to configure in the `application.properties`:
```yaml
azure.activedirectory.scope = openid, profile, https://graph.microsoft.com/user.read, {your-customized-scope}
spring.security.oauth2.client.registration.azure.scope = openid, profile, https://graph.microsoft.com/user.read, {your-customized-scope}
```
Note, if you don't configure the 3 mentioned permissions, this starter will add them automatically.

Expand Down

0 comments on commit e68bbf1

Please sign in to comment.