Azure · saragluna · Jun 28, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022
@@ -254,6 +254,51 @@
           "old": "method org.springframework.boot.autoconfigure.kafka.KafkaProperties com.azure.spring.cloud.autoconfigure.eventhubs.kafka.AzureEventHubsKafkaAutoConfiguration::azureKafkaProperties(com.azure.spring.cloud.core.provider.connectionstring.ServiceConnectionStringProvider<com.azure.spring.cloud.core.service.AzureServiceType.EventHubs>)",
           "justification": "To move kafka properties customization to bean post processor."
         },
+        {
+          "code": "java.annotation.attributeValueChanged",
+          "new": "class com.azure.spring.cloud.autoconfigure.aad.AadAutoConfiguration",
+          "justification": "The use of AadOboOAuth2AuthorizedClientProvider is not recommended, and there is no need to retain consideration of the different situations brought by this OBO provider."
+        },
+        {
+          "code": "java.annotation.added",
+          "new": "class com.azure.spring.cloud.autoconfigure.aad.configuration.AadOAuth2ClientConfiguration",
+          "justification": "The use of AadOboOAuth2AuthorizedClientProvider is not recommended, and there is no need to retain consideration of the different situations brought by this OBO provider."
+        },
+        {
+          "regex": true,
+          "code": "java.class.removed",
+          "old": "class com\\.azure\\.spring\\.cloud\\.autoconfigure\\.aad\\.configuration\\.AadOAuth2ClientConfiguration\\..*",
+          "justification": "The use of AadOboOAuth2AuthorizedClientProvider is not recommended, and there is no need to retain consideration of the different situations brought by this OBO provider."
+        },
+        {
+          "code": "java.method.returnTypeChanged",
+          "old:": "method com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType com.azure.spring.cloud.autoconfigure.aad.properties.AuthorizationClientProperties::getAuthorizationGrantType()",
+          "new": "method org.springframework.security.oauth2.core.AuthorizationGrantType com.azure.spring.cloud.autoconfigure.aad.properties.AuthorizationClientProperties::getAuthorizationGrantType()",
+          "justification": "To support authorization grant type JWT_BEARER, we should use the default AuthorizationGrantType instead of AadAuthorizationGrantType."
+        },
+        {
+          "code": "java.method.returnTypeChanged",
+          "old": "method com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType com.azure.spring.cloud.autoconfigure.aadb2c.properties.AuthorizationClientProperties::getAuthorizationGrantType()",
+          "new": "method org.springframework.security.oauth2.core.AuthorizationGrantType com.azure.spring.cloud.autoconfigure.aadb2c.properties.AuthorizationClientProperties::getAuthorizationGrantType()",
+          "justification": "To support authorization grant type JWT_BEARER, we should use the default AuthorizationGrantType instead of AadAuthorizationGrantType."
+        },
+        {
+          "code": "java.method.parameterTypeChanged",
+          "old": "parameter void com.azure.spring.cloud.autoconfigure.aad.properties.AuthorizationClientProperties::setAuthorizationGrantType(===com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType===)",
+          "new": "parameter void com.azure.spring.cloud.autoconfigure.aad.properties.AuthorizationClientProperties::setAuthorizationGrantType(===org.springframework.security.oauth2.core.AuthorizationGrantType===)",
+          "justification": "To support authorization grant type JWT_BEARER, we should use the default AuthorizationGrantType instead of AadAuthorizationGrantType."
+        },
+        {
+          "code": "java.method.parameterTypeChanged",
+          "old": "parameter void com.azure.spring.cloud.autoconfigure.aadb2c.properties.AuthorizationClientProperties::setAuthorizationGrantType(===com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType===)",
+          "new": "parameter void com.azure.spring.cloud.autoconfigure.aadb2c.properties.AuthorizationClientProperties::setAuthorizationGrantType(===org.springframework.security.oauth2.core.AuthorizationGrantType===)",
+          "justification": "To support authorization grant type JWT_BEARER, we should use the default AuthorizationGrantType instead of AadAuthorizationGrantType."
+        },
+        {
+          "code": "java.field.removedWithConstant",
+          "old": "field com.azure.spring.cloud.autoconfigure.aad.AadAuthenticationFilterAutoConfiguration.PROPERTY_PREFIX",
+          "justification": "Unused constant."
+        },
         {
           "code": "java.method.visibilityReduced",
           "new": "method com.azure.spring.cloud.autoconfigure.context.AzureTokenCredentialAutoConfiguration.AzureServiceClientBuilderFactoryPostProcessor com.azure.spring.cloud.autoconfigure.context.AzureTokenCredentialAutoConfiguration::builderFactoryBeanPostProcessor()",

@@ -5,6 +5,7 @@
 ### Features Added
 - GA the `spring-cloud-azure-starter-storage`. This starter supports all features of Azure Storage.
 - GA the `spring-cloud-azure-starter-keyvault`. This starter supports all features of Azure Key Vault.
+- Support Jwt Client authentication for Azure AD Starter.
 
 ### Breaking Changes
 
@@ -48,13 +49,28 @@ This section includes changes in `spring-cloud-azure-starter-active-directory` m
 #### Dependency Updates
 - Upgrade spring-security to 5.6.4 to address [CVE-2022-22978](https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in-regexrequestmatcher) [#29304](https://github.com/Azure/azure-sdk-for-java/pull/29304).
 
+#### Features Added
++ Support Jwt Client authentication [#29471](https://github.com/Azure/azure-sdk-for-java/pull/29471).
+
+#### Breaking Changes
++ Deprecated classes and properties type changed [#29471](https://github.com/Azure/azure-sdk-for-java/pull/29471).
+    + Deprecated ~~AadAuthorizationGrantType~~, use `AuthorizationGrantType` instead.
+    + Deprecated ~~AadOAuth2AuthenticatedPrincipal~~, ~~AadJwtBearerTokenAuthenticationConverter~~, use the default converter `JwtAuthenticationConverter` instead in `AadResourceServerWebSecurityConfigurerAdapter`.
+    + The type of property *authorizationGrantType* is changed to `AuthorizationGrantType` in `AuthorizationClientProperties` class.
+    + Deprecated ~~AadOboOAuth2AuthorizedClientProvider~~, use `JwtBearerOAuth2AuthorizedClientProvider` instead.
+
 ### Spring Cloud Azure Starter Active Directory B2C
 This section includes changes in `spring-cloud-azure-starter-active-directory-b2c` module.
 
 #### Dependency Updates
 - Upgrade spring-security to 5.6.4 to address [CVE-2022-22978](https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in-regexrequestmatcher) [#29304](https://github.com/Azure/azure-sdk-for-java/pull/29304).
 
 
+#### Breaking Changes
++ Deprecated classes and properties type changed [#29471](https://github.com/Azure/azure-sdk-for-java/pull/29471).
+    + Deprecated *~~AadAuthorizationGrantType~~*, use `AuthorizationGrantType` instead.
+    + The type of property *authorizationGrantType* is changed to `AuthorizationGrantType` in `AuthorizationClientProperties` class.
+
 ## 4.2.0 (2022-05-26)
 
 - This release is compatible with Spring Boot 2.5.0-2.5.14, 2.6.0-2.6.8, 2.7.0. (Note: 2.5.x (x>14), 2.6.y (y>8) and 2.7.z (z>0) should be supported, but they aren't tested with this release.)

@@ -330,7 +330,6 @@
           <rules>
             <bannedDependencies>
               <includes>
-                <include>com.microsoft.azure:msal4j:[1.12.0]</include> <!-- {x-include-update;com.microsoft.azure:msal4j;external_dependency} -->
                 <include>com.nimbusds:nimbus-jose-jwt:[9.22]</include> <!-- {x-include-update;com.nimbusds:nimbus-jose-jwt;external_dependency} -->
                 <include>org.messaginghub:pooled-jms:[1.2.4]</include> <!-- {x-include-update;org.messaginghub:pooled-jms;external_dependency} -->
                 <include>org.apache.qpid:qpid-jms-client:[0.53.0]</include> <!-- {x-include-update;org.apache.qpid:qpid-jms-client;external_dependency} -->

@@ -40,12 +40,8 @@
 @ConditionalOnMissingClass({ "org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken" })
 @Import(AadPropertiesConfiguration.class)
 public class AadAuthenticationFilterAutoConfiguration {
-    /**
-     * The property prefix
-     */
-    public static final String PROPERTY_PREFIX = "spring.cloud.azure.active-directory";
 
-    private static final Logger LOG = LoggerFactory.getLogger(AadAuthenticationProperties.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(AadAuthenticationProperties.class);
 
     private final AadAuthenticationProperties properties;
     private final AadAuthorizationServerEndpoints endpoints;
@@ -72,7 +68,7 @@ public AadAuthenticationFilterAutoConfiguration(AadAuthenticationProperties prop
     @ConditionalOnMissingBean(AadAuthenticationFilter.class)
     @ConditionalOnExpression("${spring.cloud.azure.active-directory.session-stateless:false} == false")
     public AadAuthenticationFilter aadAuthenticationFilter(ResourceRetriever resourceRetriever, JWKSetCache jwkSetCache) {
-        LOG.info("AadAuthenticationFilter Constructor.");
+        LOGGER.info("AadAuthenticationFilter Constructor.");
         return new AadAuthenticationFilter(
             properties,
             endpoints,
@@ -91,7 +87,7 @@ public AadAuthenticationFilter aadAuthenticationFilter(ResourceRetriever resourc
     @ConditionalOnMissingBean(AadAppRoleStatelessAuthenticationFilter.class)
     @ConditionalOnExpression("${spring.cloud.azure.active-directory.session-stateless:false} == true")
     public AadAppRoleStatelessAuthenticationFilter aadStatelessAuthFilter(ResourceRetriever resourceRetriever) {
-        LOG.info("Creating AadStatelessAuthFilter bean.");
+        LOGGER.info("Creating AadStatelessAuthFilter bean.");
         return new AadAppRoleStatelessAuthenticationFilter(
             new UserPrincipalManager(
                 endpoints,

@@ -24,10 +24,7 @@
     AadPropertiesConfiguration.class,
     AadWebApplicationConfiguration.class,
     AadResourceServerConfiguration.class,
-    AadOAuth2ClientConfiguration.OAuth2ClientRepositoryConfiguration.class,
-    AadOAuth2ClientConfiguration.WebApplicationWithoutResourceServerOAuth2AuthorizedClientManagerConfiguration.class,
-    AadOAuth2ClientConfiguration.ResourceServerWithOBOOAuth2AuthorizedClientManagerConfiguration.class,
-    AadOAuth2ClientConfiguration.WebApplicationAndResourceServiceOAuth2AuthorizedClientManagerConfiguration.class
+    AadOAuth2ClientConfiguration.class
 })
 public class AadAutoConfiguration {
 

@@ -4,12 +4,14 @@
 package com.azure.spring.cloud.autoconfigure.aad;
 
 import com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthenticationProperties;
-import com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType;
 import com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationServerEndpoints;
 import com.azure.spring.cloud.autoconfigure.aad.properties.AuthorizationClientProperties;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.util.Assert;
 
 import java.util.Collection;
@@ -21,8 +23,10 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
-import static com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType.AUTHORIZATION_CODE;
-import static com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType.AZURE_DELEGATED;
+import static com.azure.spring.cloud.autoconfigure.aad.implementation.constants.Constants.AZURE_DELEGATED;
+import static com.azure.spring.cloud.autoconfigure.aad.implementation.constants.Constants.ON_BEHALF_OF;
+import static org.springframework.security.oauth2.core.AuthorizationGrantType.AUTHORIZATION_CODE;
+import static org.springframework.security.oauth2.core.AuthorizationGrantType.JWT_BEARER;
 
 
 /**
@@ -34,6 +38,8 @@
  */
 public class AadClientRegistrationRepository implements ClientRegistrationRepository, Iterable<ClientRegistration> {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(AadClientRegistrationRepository.class);
+
     /**
      * Azure client registration ID
      */
@@ -68,13 +74,25 @@ public AadClientRegistrationRepository(AadAuthenticationProperties properties) {
                       .stream()
                       .collect(Collectors.toMap(
                           Map.Entry::getKey,
-                          entry -> toClientRegistration(entry.getKey(), entry.getValue().getAuthorizationGrantType(),
-                              entry.getValue().getScopes(), properties)));
+                          entry -> toClientRegistration(entry.getKey(),
+                              entry.getValue().getAuthorizationGrantType(),
+                              entry.getValue().getScopes(),
+                              entry.getValue().getClientAuthenticationMethod(),
+                              properties)));
+        ClientAuthenticationMethod azureClientAuthMethod = getAzureDefaultClientAuthenticationMethod();
         ClientRegistration azureClient =
-            toClientRegistration(AZURE_CLIENT_REGISTRATION_ID, AUTHORIZATION_CODE, authorizationCodeScopes, properties);
+            toClientRegistration(AZURE_CLIENT_REGISTRATION_ID, AUTHORIZATION_CODE,
+                authorizationCodeScopes, azureClientAuthMethod, properties);
         allClients.put(AZURE_CLIENT_REGISTRATION_ID, azureClient);
     }
 
+    private ClientAuthenticationMethod getAzureDefaultClientAuthenticationMethod() {
+        if (this.allClients.containsKey(AZURE_CLIENT_REGISTRATION_ID)) {
+            return this.allClients.get(AZURE_CLIENT_REGISTRATION_ID).getClientAuthenticationMethod();
+        }
+        return ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
+    }
+
     /**
      * Gets the set of Azure client access token scopes.
      *
@@ -94,8 +112,7 @@ public ClientRegistration findByRegistrationId(String registrationId) {
     public Iterator<ClientRegistration> iterator() {
         return allClients.values()
                          .stream()
-                         .filter(client ->
-                             client.getAuthorizationGrantType().getValue().equals(AUTHORIZATION_CODE.getValue()))
+                         .filter(client -> AUTHORIZATION_CODE.equals(client.getAuthorizationGrantType()))
                          .iterator();
     }
 
@@ -132,19 +149,28 @@ private Set<String> delegatedClientsAccessTokenScopes(AadAuthenticationPropertie
     }
 
     private ClientRegistration toClientRegistration(String registrationId,
-                                                    AadAuthorizationGrantType aadAuthorizationGrantType,
+                                                    AuthorizationGrantType authorizationGrantType,
                                                     Collection<String> scopes,
+                                                    ClientAuthenticationMethod clientAuthenticationMethod,
                                                     AadAuthenticationProperties properties) {
         AadAuthorizationServerEndpoints endpoints =
-            new AadAuthorizationServerEndpoints(properties.getProfile().getEnvironment().getActiveDirectoryEndpoint(), properties.getProfile().getTenantId());
+            new AadAuthorizationServerEndpoints(properties.getProfile().getEnvironment().getActiveDirectoryEndpoint(),
+                properties.getProfile().getTenantId());
+
+        if (ON_BEHALF_OF.equals(authorizationGrantType)) {
+            authorizationGrantType = JWT_BEARER;
+            LOGGER.warn("The grant type 'on_behalf_of' is an alias, it will be replaced with "
+                + "'urn:ietf:params:oauth:grant-type:jwt-bearer' for client {}.", registrationId);
+        }
         return ClientRegistration.withRegistrationId(registrationId)
                                  .clientName(registrationId)
-                                 .authorizationGrantType(new AuthorizationGrantType((aadAuthorizationGrantType.getValue())))
+                                 .authorizationGrantType(authorizationGrantType)
                                  .scope(scopes)
                                  .redirectUri(properties.getRedirectUriTemplate())
                                  .userNameAttributeName(properties.getUserNameAttribute())
                                  .clientId(properties.getCredential().getClientId())
                                  .clientSecret(properties.getCredential().getClientSecret())
+                                 .clientAuthenticationMethod(clientAuthenticationMethod)
                                  .authorizationUri(endpoints.getAuthorizationEndpoint())
                                  .tokenUri(endpoints.getTokenEndpoint())
                                  .jwkSetUri(endpoints.getJwkSetEndpoint())

@@ -14,6 +14,7 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.util.Assert;
 
 import java.util.Collection;
@@ -23,7 +24,10 @@
 
 /**
  * A {@link Converter} that takes a {@link Jwt} and converts it into a {@link BearerTokenAuthentication}.
+ *
+ * @deprecated use the default converter {@link JwtAuthenticationConverter} instead in {@link AadResourceServerWebSecurityConfigurerAdapter}.
  */
+@Deprecated
 public class AadJwtBearerTokenAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
 
     private final Converter<Jwt, Collection<GrantedAuthority>> converter;

@@ -3,10 +3,16 @@
 
 package com.azure.spring.cloud.autoconfigure.aad;
 
+import com.azure.spring.cloud.autoconfigure.aad.implementation.jwt.AadJwtGrantedAuthoritiesConverter;
 import com.azure.spring.cloud.autoconfigure.aad.properties.AadResourceServerProperties;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.util.StringUtils;
 
 /**
  * Abstract configuration class, used to make JwtConfigurer and AADJwtBearerTokenAuthenticationConverter take effect.
@@ -30,10 +36,17 @@ protected void configure(HttpSecurity http) throws Exception {
         // @formatter:off
         http.oauth2ResourceServer()
             .jwt()
-            .jwtAuthenticationConverter(
-                new AadJwtBearerTokenAuthenticationConverter(
-                    properties.getPrincipalClaimName(), properties.getClaimToAuthorityPrefixMap()));
+            .jwtAuthenticationConverter(jwtAuthenticationConverter());
         // @formatter:off
     }
 
+    private Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
+        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
+        if (StringUtils.hasText(properties.getPrincipalClaimName())) {
+            converter.setPrincipalClaimName(properties.getPrincipalClaimName());
+        }
+        converter.setJwtGrantedAuthoritiesConverter(
+            new AadJwtGrantedAuthoritiesConverter(properties.getClaimToAuthorityPrefixMap()));
+        return converter;
+    }
 }