How to integrate Java Spring Boot application with AzureAD using OIDC?

11,589 views

Security in Action 101

A day ago

This video explains how to integrate a Java Spring Boot application with AzureAD using OpenID Connect (OIDC) protocol.
AzureAD | OpenID Connect | Java Spring Boot
#identity #iam #security #sso #aws #amazonwebservices #oidc #idtoken #azureactivedirectory #spring #springboot #openidconnect #java #javaprogramming #javasecurity #springsecurity #azure #azuread #azureactivedirectory

Comments: 48
@securityinaction1018 9 months ago
Please subscribe to this channel for regular updates: kzbin.info/door/EEayyyCrJO94FYlzF0NLTg. Thank you for the support.
@selvarajant 10 months ago
Very neat explanation. Thank you. One question: if I have a REST API in Spring Boot, how do I securely expose it to another application which has got its own auth implemented?
@securityinaction1018 10 months ago
If you are hosting the REST API, the best practice is to maintain your own authorization server which can return tokens for the other applications. Those apps can then use these tokens to call your APIs. For example, all Google APIs are secured using tokens generated by the Google IdP; similarly, a Facebook API is secured using tokens generated by the Facebook IdP. If you still want to use the app's authorization server, you can still do that by validating the tokens against the app's authorization server.
@joydeepchowdhury4237 11 months ago
Dude, your mic volume is so low. Even if I try headphones on, it's so low. Please take care from next time.
@securityinaction1018 11 months ago
Sure. Thank you for the feedback.
@dokhahmed8707 7 months ago
Clear explanation, thanks. One question: is it the same workflow if I use a SAML SSO token with AzureAD?
@securityinaction1018 7 months ago
No, these steps will work only for OIDC. For SAML, different libraries are used and I am still looking into that.
@dokhahmed8707 7 months ago
@securityinaction1018 I'm trying to intercept the requestResponse from the IdP to the SP, but the object is always null.
@securityinaction1018 7 months ago
I have not tried customizing that behavior. Which request's response are you trying to intercept?
@tushardeshpande2092 8 months ago
Nice video! Could you please also provide an example of using a refresh token (using the offline_access scope), as the access_token/id token lifetime is very short (1 hour)?
@securityinaction1018 8 months ago
I think Spring Boot will take care of refreshing the access token automatically. You can set the offline_access scope in the application.yml file and give it a try. Please subscribe and support this channel. Thanks in advance.
@tushardeshpande2092 8 months ago
@securityinaction1018 Thanks for the prompt response. I already tried scope=openid%20email%20profile%20offline_access. But after the token expires after one hour, it again redirects to the authorize endpoint to get the code, whereas I want it to get the new access token from the refresh token subsequently.
@securityinaction1018 8 months ago
OK, this documentation has some details: docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#_refreshing_an_access_token. But it is not very clear. When I get a chance, I will do some research on this topic and post a video.
@rajkumarwinc9372 5 months ago
🎉 Hi, I really like the way you explain. Thanks for that. One doubt: can you please let us know how to fetch the access_token, refresh_token, id_token, expires_in details etc. when the user is authorised?
@securityinaction1018 5 months ago
Thank you!! I was planning to post a video on that and it is still pending from my side. I will post and let you know. Please like, subscribe & share!! Thanks in advance.
@rajkumarwinc9372 5 months ago
@securityinaction1018 Thank you for your quick reply. When can we expect the video? I need to implement it in my Spring Boot 3 app. Thanks in advance.
@securityinaction1018 5 months ago
I will try my best to post it in the near future.
@chennakesavareddya7781 7 months ago
Very neat explanation, thank you. I want to implement this only for a specific endpoint in controllers, and when I click on another endpoint I don't want to redirect to the authentication login. Please help on this.
@securityinaction1018 7 months ago
In order to bypass a specific endpoint, you can create the OAuth2LoginSecurityConfig class as mentioned here: docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-provide-securityfilterchain-bean. For example, if you want to bypass the /user endpoint:

    http
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers("/user").permitAll()
            .anyRequest().authenticated()
        )
        .oauth2Login(withDefaults());

Please subscribe, like & share to support this channel. Thanks in advance.
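A complete Spring Boot 3 / Spring Security 6 version of the filter chain above, extended with a controller that reads the ID token and access token details asked about earlier in the thread. This is an added example, not the video author's or the channel's code; it assumes a client registration id "azure" matching spring.security.oauth2.client.registration.azure.* in application.yml, and the /token-info endpoint name is made up for illustration.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the video author's code. Registration id "azure" is assumed to match
// spring.security.oauth2.client.registration.azure.* in application.yml.
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/user").permitAll()   // public: no redirect to Azure AD
                .anyRequest().authenticated())          // everything else requires OIDC login
            .oauth2Login(withDefaults());
        return http.build();
    }
}

@RestController
class TokenInfoController {

    // The ID token lives on the OidcUser principal; the access token (and the refresh token,
    // when offline_access was granted) live on the OAuth2AuthorizedClient. Only expiry and
    // scope metadata is returned here: never hand the raw tokens to the browser.
    @GetMapping("/token-info")
    Map<String, Object> tokenInfo(@AuthenticationPrincipal OidcUser user,
            @RegisteredOAuth2AuthorizedClient("azure") OAuth2AuthorizedClient client) {
        return Map.of(
            "subject", user.getSubject(),
            "idTokenExpiresAt", user.getIdToken().getExpiresAt(),
            "accessTokenExpiresAt", client.getAccessToken().getExpiresAt(),
            "accessTokenScopes", client.getAccessToken().getScopes(),
            "hasRefreshToken", client.getRefreshToken() != null);
    }
}
```

When a refresh token is present, the argument resolver behind @RegisteredOAuth2AuthorizedClient renews an expired access token before handing the client to the controller; without offline_access the field hasRefreshToken stays false and the user is sent back through the authorize endpoint once the session expires.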
@sandyj342 9 months ago
Excellent video! My web app has mobile apps as well. It has its own REST API to log in and JWT. How do I allow SSO Azure AD users also to log in? Is it presenting 2 login options?
@securityinaction1018 9 months ago
Yes. If you have your own login page, you can add a button to sign in with AzureAD.
@rajkumarwinc9372 4 months ago
Could you please provide the Git link for this OAuth2 authentication implementation?
@securityinaction1018 4 months ago
I will check and upload the code in Git if it is still available. Meanwhile, if you face any issues in setting up the workspace and code from scratch, please post your questions here. Please like, subscribe & share!! Thanks in advance.
@rajkumarwinc9372 4 months ago
I have a query. In Azure AD we are able to get the access_token from the OAuth2AuthorizedClient object in my Spring Boot application. If the user is using my application continuously, in that case we have to increase the access token time limit accordingly, right? So how to implement this? Could you please provide info 🙂
@rajkumarwinc9372 4 months ago
I know we can get a new token using the refresh_token, but I want to get a new token without a refresh token.
@securityinaction1018 4 months ago
Is there any reason why you don't want to refresh the tokens? The best practice is to refresh the token periodically. I don't know if AzureAD has an option to increase the timeout for the access token. I know Cognito has that option.
@rajkumarwinc9372 4 months ago
Sorry, actually in the msal4j library the acquire-token-silently method is there; that's why I asked you. But just now I realised that we can refresh the access token using the refresh token. Could you please provide a reference on how to implement this in Spring Cloud Gateway?
@gokulkumarSelvaraj 7 months ago
Hi, I have a multi-tenant application, where each tenant could be owning their own AzureAD. How can I achieve the same setup but with multiple Azure ADs with a single backend?
@securityinaction1018 7 months ago
I have not done any POC. But you can try this option: docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-register-clientregistrationrepository-bean. Instead of configuring the OAuth2 client in application.yml, you can register dynamically.
@kavinkumar6513 10 months ago
Can you provide GitHub code for this?
@securityinaction1018 10 months ago
I uploaded the sample code to github.com/secinaction101/springbootaad/tree/main/demo
@AsDevWave 21 days ago
How can I create a dynamic user ID?
@securityinaction1018 19 days ago
Can you elaborate on the question? What is a dynamic user ID?
@ffrreeaakk 3 months ago
How to get rid of the page at 22:09? It's ugly and completely unnecessary.
@securityinaction1018 3 months ago
You can customize the login page as per Spring docs. I have not tried that.
@indibizz1724 9 months ago
I want to integrate SSO using Azure AD in my existing Java web application. Can I follow these steps? Will it work?
@securityinaction1018 9 months ago
Yes, if your Java web app uses the Spring Boot framework. If not, I am sure there should be some library to integrate using OIDC.
@indibizz1724 9 months ago
@securityinaction1018 My project is based on simple Java and JSP. It uses servlets and Struts. I don't know how to use Azure AD to implement SSO. If you can help me with this, it would be great.
@securityinaction1018 9 months ago
With simple JSP / servlets, you have to write all the logic to redirect and call token endpoints. You can take a look at this sample from Auth0: github.com/auth0-samples/auth0-servlet-sample. But it is just reference code. You need to modify it accordingly for AzureAD integration.
@indibizz1724 9 months ago
@securityinaction1018 Thanks for your reply! I have an enterprise application, and I'm trying to use Spring Boot for the authentication part. This project doesn't have any pom and dependencies, so I'm adding jars for each change.
1. Now I have created one application.java class which contains the main method.
2. I have created a login controller class for user authentication.
3. I have created an application.initializer class.
4. In the application.properties class I have added the Azure AD redirecting codes (tenant ID, client secret keys, etc.).
But it is not working and redirecting. I don't know what to do 🥲. And the deadline is near for me to complete this task. Can you suggest me something for the same?
@securityinaction1018 9 months ago
It's very difficult to build apps without a pom. In any case, as long as all the dependent jars are available in the classpath, you should be able to build the app using the instructions in my video.
@victordo6685 10 months ago
Why don't you implement sign out also?
@securityinaction1018 10 months ago
Sign out depends on the requirements. If you want only the app session to be killed, I am sure Spring Boot offers an out-of-the-box solution to do that. If the IdP session also needs to be killed, it depends on what options the IdP offers.
@rajkumarwinc9372 5 months ago
How to log out of the Azure AD SSO session? Not clearing browser cookies.
@udiptadas4936 11 months ago
Sir, how to do the same with Spring MVC?
@securityinaction1018 11 months ago
I have not tried this with Spring MVC. I see some Stack Overflow solutions which might work.
@joydeepchowdhury4237 11 months ago
@securityinaction1018 Can you share those solutions also? I need an example in a legacy Spring application, not Boot!