Azure · chenrujun · Feb 7, 2022 · Jan 20, 2022 · Jan 20, 2022 · Jan 20, 2022
diff --git a/.../com/azure/spring/cloud/autoconfigure/aad/implementation/webapp/AADOAuth2UserService.java b/.../com/azure/spring/cloud/autoconfigure/aad/implementation/webapp/AADOAuth2UserService.java
@@ -56,7 +56,6 @@ public class AADOAuth2UserService implements OAuth2UserService<OidcUserRequest,
     private final OidcUserService oidcUserService;
     private final List<String> allowedGroupNames;
     private final Set<String> allowedGroupIds;
-    private final boolean enableFullList;
     private final GraphClient graphClient;
     private static final String DEFAULT_OIDC_USER = "defaultOidcUser";
     private static final String ROLES = "roles";
@@ -85,10 +84,6 @@ public AADOAuth2UserService(AADAuthenticationProperties properties, GraphClient
                                   .map(AADAuthenticationProperties::getUserGroup)
                                   .map(AADAuthenticationProperties.UserGroupProperties::getAllowedGroupIds)
                                   .orElseGet(Collections::emptySet);
-        enableFullList = Optional.ofNullable(properties)
-                                 .map(AADAuthenticationProperties::getUserGroup)
-                                 .map(AADAuthenticationProperties.UserGroupProperties::getEnableFullList)
-                                 .orElse(false);
         this.oidcUserService = new OidcUserService();
         this.graphClient = graphClient;
     }
@@ -191,9 +186,6 @@ Set<String> extractGroupRolesFromAccessToken(OAuth2AccessToken accessToken) {
     }
 
     private boolean isAllowedGroupId(String groupId) {
-        if (enableFullList) {
-            return true;
-        }
         if (allowedGroupIds.size() == 1 && allowedGroupIds.contains("all")) {
             return true;
         }

diff --git a/...java/com/azure/spring/cloud/autoconfigure/aad/properties/AADAuthenticationProperties.java b/...java/com/azure/spring/cloud/autoconfigure/aad/properties/AADAuthenticationProperties.java
@@ -4,12 +4,9 @@
 package com.azure.spring.cloud.autoconfigure.aad.properties;
 
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
-import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
 import org.springframework.boot.context.properties.NestedConfigurationProperty;
 import org.springframework.util.StringUtils;
 
@@ -106,19 +103,20 @@ public class AADAuthenticationProperties implements InitializingBean {
      */
     private long jwkSetCacheRefreshTime = DEFAULT_JWK_SET_CACHE_REFRESH_TIME;
 
-    private String postLogoutRedirectUri;
-
     /**
-     * If Telemetry events should be published to Azure AD.
+     * The redirect uri after logout.
      */
-    private boolean allowTelemetry = true;
+    private String postLogoutRedirectUri;
 
     /**
      * If true activates the stateless auth filter AADAppRoleStatelessAuthenticationFilter. The
      * default is false which activates AADAuthenticationFilter.
      */
     private Boolean sessionStateless = false;
 
+    /**
+     * The OAuth2 authorization clients.
+     */
     private Map<String, AuthorizationClientProperties> authorizationClients = new HashMap<>();
 
     /**
@@ -176,40 +174,26 @@ public void setApplicationType(AADApplicationType applicationType) {
         this.applicationType = applicationType;
     }
 
-    /**
-     * Gets the list of Active Directory groups.
-     *
-     * @return the list of Active Directory groups
-     */
-    @DeprecatedConfigurationProperty(
-        reason = "Configuration moved to UserGroup class to keep UserGroup properties together",
-        replacement = "spring.cloud.azure.active-directory.user-group.allowed-group-names")
-    public List<String> getActiveDirectoryGroups() {
-        return userGroup.getAllowedGroups();
-    }
-
     /**
      * Properties dedicated to changing the behavior of how the groups are mapped from the Azure AD response. Depending
      * on the graph API used the object will not be the same.
      */
     public static class UserGroupProperties {
 
-        private final Log logger = LogFactory.getLog(UserGroupProperties.class);
-
         /**
-         * Expected UserGroups that an authority will be granted to if found in the response from the MemberOf Graph
-         * API Call.
+         * The group names can be used to construct GrantedAuthority.
          */
         private List<String> allowedGroupNames = new ArrayList<>();
 
+        /**
+         * The group ids can be used to construct GrantedAuthority.
+         */
         private Set<String> allowedGroupIds = new HashSet<>();
 
-        private Boolean useTransitiveMembers = false;
-
         /**
-         * enableFullList is used to control whether to list all group id, default is false
+         * If "true", use "v1.0/me/transitiveMemberOf" to get members. Otherwise, use "v1.0/me/memberOf".
          */
-        private Boolean enableFullList = false;
+        private Boolean useTransitiveMembers = false;
 
         /**
          * Gets the set of allowed group IDs.
@@ -247,61 +231,6 @@ public void setAllowedGroupNames(List<String> allowedGroupNames) {
             this.allowedGroupNames = allowedGroupNames;
         }
 
-        /**
-         * Whether full list is enabled.
-         *
-         * @return whether full list is enabled
-         * @deprecated Use 'allowed-group-ids: all'
-         */
-        @Deprecated
-        @DeprecatedConfigurationProperty(
-            reason = "enable-full-list is not easy to understand.",
-            replacement = "allowed-group-ids: all")
-        public Boolean getEnableFullList() {
-            return enableFullList;
-        }
-
-        /**
-         * Sets whether full list is enabled.
-         *
-         * @param enableFullList whether full list is enabled
-         * @deprecated Use 'azure.activedirectory.user-group.allowed-group-ids: all'
-         */
-        @Deprecated
-        public void setEnableFullList(Boolean enableFullList) {
-            logger.warn(" 'spring.cloud.azure.active-directory.user-group.enable-full-list' property detected! "
-                + "Use 'spring.cloud.azure.active-directory.user-group.allowed-group-ids: all' instead!");
-            this.enableFullList = enableFullList;
-        }
-
-        /**
-         * Gets the list of allowed groups.
-         *
-         * @return the list of allowed groups
-         * @deprecated Use 'azure.activedirectory.user-group.allowed-group-names'
-         */
-        @Deprecated
-        @DeprecatedConfigurationProperty(
-            reason = "In order to distinguish between allowed-group-ids and allowed-group-names, set allowed-groups "
-                + "deprecated.",
-            replacement = "spring.cloud.azure.active-directory.user-group.allowed-group-names")
-        public List<String> getAllowedGroups() {
-            return allowedGroupNames;
-        }
-
-        /**
-         * Sets the list of allowed groups.
-         *
-         * @param allowedGroups the list of allowed groups
-         * @deprecated Use 'azure.activedirectory.user-group.allowed-group-names'
-         */
-        @Deprecated
-        public void setAllowedGroups(List<String> allowedGroups) {
-            logger.warn(" 'spring.cloud.azure.active-directory.user-group.allowed-groups' property detected! "
-                + " Use 'azure.activedirectory.user-group.allowed-group-names' instead!");
-            this.allowedGroupNames = allowedGroups;
-        }
-
         public Boolean getUseTransitiveMembers() {
             return useTransitiveMembers;
         }
@@ -390,17 +319,6 @@ public void setRedirectUriTemplate(String redirectUriTemplate) {
         this.redirectUriTemplate = redirectUriTemplate;
     }
 
-    /**
-     * Sets the list of Active Directory groups.
-     *
-     * @param activeDirectoryGroups the list of Active Directory groups
-     * @deprecated deprecated
-     */
-    @Deprecated
-    public void setActiveDirectoryGroups(List<String> activeDirectoryGroups) {
-        this.userGroup.setAllowedGroups(activeDirectoryGroups);
-    }
-
     /**
      * Gets the App ID URI.
      *
@@ -545,28 +463,6 @@ public void setPostLogoutRedirectUri(String postLogoutRedirectUri) {
         this.postLogoutRedirectUri = postLogoutRedirectUri;
     }
 
-    /**
-     * Whether telemetry is allowed.
-     *
-     * @return whether telemetry is allowed
-     * @deprecated Determined by HTTP header User-Agent instead
-     */
-    @Deprecated
-    @DeprecatedConfigurationProperty(
-        reason = "Deprecate the telemetry endpoint and use HTTP header User Agent instead.")
-    public boolean isAllowTelemetry() {
-        return allowTelemetry;
-    }
-
-    /**
-     * Sets whether telemetry is allowed.
-     *
-     * @param allowTelemetry whether telemetry is allowed
-     */
-    public void setAllowTelemetry(boolean allowTelemetry) {
-        this.allowTelemetry = allowTelemetry;
-    }
-
     /**
      * Whether the session is stateless.
      *
@@ -662,13 +558,13 @@ private void validateAuthorizationClients() {
     }
 
     private void validateTenantId() {
-        if (isMultiTenantsApplication(getProfile().getTenantId()) && !userGroup.getAllowedGroups().isEmpty()) {
+        if (isMultiTenantsApplication(getProfile().getTenantId()) && !userGroup.getAllowedGroupNames().isEmpty()) {
             throw new IllegalStateException("When spring.cloud.azure.active-directory.profile.tenant-id is "
                 + "'common/organizations/consumers', "
-                + "spring.cloud.azure.active-directory.user-group.allowed-groups/allowed-group-names should be empty. "
+                + "spring.cloud.azure.active-directory.user-group.allowed-group-names should be empty. "
                 + "But actually spring.cloud.azure.active-directory.profile.tenant-id=" + getProfile().getTenantId()
-                + ", and spring.cloud.azure.active-directory.user-group.allowed-groups/allowed-group-names="
-                + userGroup.getAllowedGroups());
+                + ", and spring.cloud.azure.active-directory.user-group.allowed-group-names="
+                + userGroup.getAllowedGroupNames());
         }
 
         if (isMultiTenantsApplication(getProfile().getTenantId()) && !userGroup.getAllowedGroupIds().isEmpty()) {
@@ -713,7 +609,7 @@ private void validateAuthorizationClientProperties(String registrationId,
             // Set default value for authorization grant grantType
             switch (applicationType) {
                 case WEB_APPLICATION:
-                    if (properties.isOnDemand() || registrationId.equals(AZURE_CLIENT_REGISTRATION_ID)) {
+                    if (registrationId.equals(AZURE_CLIENT_REGISTRATION_ID)) {
                         properties.setAuthorizationGrantType(AUTHORIZATION_CODE);
                     } else {
                         properties.setAuthorizationGrantType(AZURE_DELEGATED);
@@ -769,14 +665,6 @@ private void validateAuthorizationClientProperties(String registrationId,
                         + ".authorization-grant-type' is valid.");
             }
 
-            if (properties.isOnDemand()
-                && !AUTHORIZATION_CODE.getValue().equals(grantType)) {
-                throw new IllegalStateException("onDemand only support authorization_code grant grantType. Please set "
-                    + "'spring.cloud.azure.active-directory.authorization-clients." + registrationId
-                    + ".authorization-grant-grantType=authorization_code'"
-                    + " or 'spring.cloud.azure.active-directory.authorization-clients." + registrationId + ".on-demand=false'.");
-            }
-
             if (AZURE_CLIENT_REGISTRATION_ID.equals(registrationId)
                 && !AUTHORIZATION_CODE.equals(properties.getAuthorizationGrantType())) {
                 throw new IllegalStateException("spring.cloud.azure.active-directory.authorization-clients."

diff --git a/...java/com/azure/spring/cloud/autoconfigure/aad/properties/AADResourceServerProperties.java b/...java/com/azure/spring/cloud/autoconfigure/aad/properties/AADResourceServerProperties.java
@@ -38,10 +38,10 @@ public class AADResourceServerProperties implements InitializingBean {
      * Configure which claim in access token be returned in AuthenticatedPrincipal#getName. Default value is "sub".
      */
     private String principalClaimName;
+
     /**
      * Configure which claim will be used to build GrantedAuthority, and prefix of the GrantedAuthority's string value.
      * Default value is: "scp" -> "SCOPE_", "roles" -> "APPROLE_".
-     * @see org.springframework.security.core.GrantedAuthority
      */
     private Map<String, String> claimToAuthorityPrefixMap;
 

diff --git a/...va/com/azure/spring/cloud/autoconfigure/aad/properties/AuthorizationClientProperties.java b/...va/com/azure/spring/cloud/autoconfigure/aad/properties/AuthorizationClientProperties.java
@@ -3,8 +3,6 @@
 
 package com.azure.spring.cloud.autoconfigure.aad.properties;
 
-import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
-
 import java.util.List;
 
 /**
@@ -14,8 +12,6 @@ public class AuthorizationClientProperties {
 
     private List<String> scopes;
 
-    private boolean onDemand = false;
-
     private AADAuthorizationGrantType authorizationGrantType;
 
     /**
@@ -53,31 +49,4 @@ public void setScopes(List<String> scopes) {
     public List<String> getScopes() {
         return scopes;
     }
-
-    /**
-     * Whether authorization is on demand.
-     *
-     * @return whether authorization is on demand
-     * @deprecated The AuthorizationGrantType of on-demand clients should be authorization_code.
-     * Set oauth client AuthorizationGrantType to authorization_code, which means it's on-demand.
-     */
-    @Deprecated
-    @DeprecatedConfigurationProperty(
-        reason = "The AuthorizationGrantType of on-demand clients should be authorization_code.",
-        replacement = "Set oauth client AuthorizationGrantType to authorization_code, which means it's on-demand.")
-    public boolean isOnDemand() {
-        return onDemand;
-    }
-
-    /**
-     * Sets whether authorization is on demand.
-     *
-     * @param onDemand whether authorization is on demand
-     * @deprecated The AuthorizationGrantType of on-demand clients should be authorization_code.
-     * Set oauth client AuthorizationGrantType to authorization_code, which means it's on-demand.
-     */
-    @Deprecated
-    public void setOnDemand(boolean onDemand) {
-        this.onDemand = onDemand;
-    }
 }