Support jwt client authentication for Spring Cloud Azure AD Starter

[moarychan]

Description

Fixes #29137 #27032

Changelog:

• Deprecated AadAuthorizationGrantType, use AuthorizationGrantType instead.

• Deprecated AadOAuth2AuthenticatedPrincipal, AadJwtBearerTokenAuthenticationConverter, use the default converter JwtAuthenticationConverter instead in AadResourceServerWebSecurityConfigurerAdapter, it's required when the authorization grant type is JWT_BEARER.

• Deprecated AadOboOAuth2AuthorizedClientProvider, use JwtBearerOAuth2AuthorizedClientProvider instead.

• Update validation to allow to override the attributes for azure client registration, such as only override the client authentication method for azure, spring.cloud.azure.active-directory.authorization-clients.azure.client-authentication-method=private_key_jwt.

• Add default implementation OAuth2ClientAuthenticationJWKResolver to support loading a local certificate to create the client assertion.
  NOTE:
  The AadJwtClientAuthenticationParametersConverter implementation is similar to NimbusJwtClientAuthenticationParametersConverter, but it's not suitable for our scenario, we can not custom the JwsHeader; we can deprecate it when upgrading the spring-security-oauth2-client version to 5.7.0, it can be done by the Consumer function to custom the jws header and claims.

  https://github.com/spring-projects/spring-security/blob/428216b322e1591357d8f7450d6f1045cd7c48d5/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusJwtClientAuthenticationParametersConverter.java#L150-L152

  

• Replace the authorization grant type to AuthorizationGrantType in AuthorizationClientProperties class.

• The authorization grant type ON_BEHALF_OF will be replaced with JWT_BEARER type automatically.

  How to make it still available to use AadOboOAuth2AuthorizedClientProvider flow for developers?

All SDK Contribution checklist:

• The pull request does not introduce [breaking changes]
• CHANGELOG is updated for new features, bug fixes or other significant changes.
• I have read the contribution guidelines.

General Guidelines and Best Practices

• Title of the pull request is clear and informative.
• There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

• Pull request includes test coverage for the included changes.

[ghost]

Thank you for your contribution moarychan! We will review the pull request and get back to you soon.

[chenrujun]

Is "new" necessary here?

[chenrujun]

Is it possible to "support JWT Client Authentication" without this change?

[chenrujun]

Same to all other changes in current file.
If breaking change is necessary, please add more description in "justification".

[saragluna]

spring-projects/spring-security#7834

[saragluna]

Do we expect users to provide this bean? If not, can we move it to the impl package?

[moarychan]

Moved to impl.oauth2 pkg.

[jialigit]

Do you the not recommended but still supported? Is this an API exposed to users or not?

[moarychan]

Yes, users can override the bean OAuth2AuthorizedClientManager to take the OBO provider ability.

[jialigit]

How about the "justification" focus on the "new code" instead of "xx is no need"?

[moarychan]

The old code is to meet the different situations of OBO provider usage, as this is deprecated, then it can be removed no matter which grant type is used.

[jialigit]

Are we just @deprecate an interface or changed the implementation? If we use deprecate, we mean the api is @deprecated and add a new one.

It seems this place should be "removed" and replaced with a new one.
Do we mean this?

[moarychan]

This @deprecated is to tell users not to use the AadAuthorizationGrantType, and still can be used for some users that depend on this type when upgrading the AAD starter to 4.3.0. It will be kept until 5.0.

[jialigit]

Is this duplicate with the above one? Or they sit in different packages?

[moarychan]

One is for AAD starter, another is for AAD B2C starter.

[jialigit]

why do we use this const instead of the original enum one?

[moarychan]

They are all the same type AuthorizationGrantType.

[jialigit]

getOrDefault?

[moarychan]

This means getting the client authentication method of the default client(azure)， there might be some ambiguity.

[jialigit]

why do we warn it here?

[moarychan]

It means the type value is changed by our logic, I will improve the log content.

[jialigit]

should we return null?

[moarychan]

Currently, only supports the PRIVATE_KEY_JWT.

[jialigit]

Should we only log this error?

[moarychan]

Yes, the null will be cached in com.azure.spring.cloud.autoconfigure.aad.implementation.jwt.AadJwtClientAuthenticationParametersConverter#convert.

JWK jwk = this.jwkResolver.apply(clientRegistration);
  if (jwk == null) {
      OAuth2Error oauth2Error = new OAuth2Error(INVALID_KEY_ERROR_CODE,
          "Failed to resolve JWK signing key for client registration '"
              + clientRegistration.getRegistrationId() + "'.",
          null);
      throw new OAuth2AuthorizationException(oauth2Error);
  }

[jialigit]

should we throw this EX?

[moarychan]

same as above

[jialigit]

How about encodeWithSha1 or the like?

[jialigit]

Can we define a bean of this object?

[moarychan]

It's not necessary, this adapter is built-in in our starter, users can re-define a new one to custom the adapter without this converter.

[jialigit]

Can we use a more OO way in this place?

[moarychan]

Please provide your proposal for reference.