Enhance the token authentication converter to accept the custom jwt granted authorities converter (Azure#32335)

Author: moarychan

eng/code-quality-reports/src/main/resources/checkstyle/checkstyle-suppressions.xml

@@ -399,6 +399,7 @@ the main ServiceBusClientBuilder. -->
   <suppress checks="PackageName" files="com.azure.spring.cloud.autoconfigure.aadb2c.*" />
   <!-- Suppress package name warning: oauth2 is the protocol name. -->
   <suppress checks="PackageName" files="com.azure.spring.cloud.autoconfigure.aad.implementation.oauth2" />
+  <suppress checks="EnforceFinalFields" files="com.azure.spring.cloud.autoconfigure.aad.AadResourceServerWebSecurityConfigurerAdapter"/>
   <!-- The package name length limit -->
   <suppress checks="PackageName" files="com.azure.spring.cloud.autoconfigure.implementation.keyvault.certificates.properties.AzureKeyVaultCertificateProperties"/>
   <suppress checks="PackageName" files="com.azure.spring.cloud.autoconfigure.implementation.keyvault.certificates.properties.package-info.java"/>

sdk/spring/CHANGELOG.md

@@ -7,11 +7,12 @@ Upgrade Spring Boot dependencies version to 2.7.4 and Spring Cloud dependencies
 ### Spring Cloud Azure Autoconfigure
 This section includes changes in `spring-cloud-azure-autoconfigure` module.
 
-#### Dependency Updates
-- Upgrade spring-security to 5.7.5 to address [CVE-2022-31690](https://tanzu.vmware.com/security/cve-2022-31690) [#32145](https://github.com/Azure/azure-sdk-for-java/pull/32145).
-
 #### Features Added
 - Remove warning logs of Kafka passwordless autoconfiguration. [#31182](https://github.com/Azure/azure-sdk-for-java/issues/31182)
+- Enhance the token authentication converter and Azure AD Resource Server configurer adapter to accept the custom jwt granted authorities converter. [#28665](https://github.com/Azure/azure-sdk-for-java/issues/28665)
+
+#### Dependency Updates
+- Upgrade spring-security to 5.7.5 to address [CVE-2022-31690](https://tanzu.vmware.com/security/cve-2022-31690) [#32145](https://github.com/Azure/azure-sdk-for-java/pull/32145).
 
 ## 4.4.1 (2022-10-31)
 

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/aad/AadJwtBearerTokenAuthenticationConverter.java

@@ -30,7 +30,7 @@
 @Deprecated
 public class AadJwtBearerTokenAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
 
-    private final Converter<Jwt, Collection<GrantedAuthority>> converter;
+    private final Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter;
     private final String principalClaimName;
 
     /**
@@ -58,20 +58,42 @@ public AadJwtBearerTokenAuthenticationConverter(String authoritiesClaimName) {
      */
     public AadJwtBearerTokenAuthenticationConverter(String authoritiesClaimName,
                                                     String authorityPrefix) {
-        this(null, buildClaimToAuthorityPrefixMap(authoritiesClaimName, authorityPrefix));
+        this(AadJwtClaimNames.SUB, buildClaimToAuthorityPrefixMap(authoritiesClaimName, authorityPrefix));
     }
 
     /**
      * Using spring security provides JwtGrantedAuthoritiesConverter, it can resolve the access token of scp or roles.
      *
-     * @param principalClaimName authorities claim name
+     * @param principalClaimName the claim name for the principal
      * @param claimToAuthorityPrefixMap the authority name and prefix map
      */
     public AadJwtBearerTokenAuthenticationConverter(String principalClaimName,
                                                     Map<String, String> claimToAuthorityPrefixMap) {
         Assert.notNull(claimToAuthorityPrefixMap, "claimToAuthorityPrefixMap cannot be null");
         this.principalClaimName = principalClaimName;
-        this.converter = new AadJwtGrantedAuthoritiesConverter(claimToAuthorityPrefixMap);
+        this.jwtGrantedAuthoritiesConverter = new AadJwtGrantedAuthoritiesConverter(claimToAuthorityPrefixMap);
+    }
+
+    /**
+     * Using the custom JwtGrantedAuthoritiesConverter.
+     *
+     * @param jwtGrantedAuthoritiesConverter the custom granted authority converter
+     */
+    public AadJwtBearerTokenAuthenticationConverter(Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter) {
+        this(AadJwtClaimNames.SUB, jwtGrantedAuthoritiesConverter);
+    }
+
+    /**
+     * Using the principal claim name and the custom JwtGrantedAuthoritiesConverter.
+     *
+     * @param principalClaimName the claim name for the principal
+     * @param jwtGrantedAuthoritiesConverter the custom granted authority converter
+     */
+    public AadJwtBearerTokenAuthenticationConverter(String principalClaimName,
+                                                    Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter) {
+        Assert.notNull(jwtGrantedAuthoritiesConverter, "jwtGrantedAuthoritiesConverter cannot be null");
+        this.principalClaimName = principalClaimName;
+        this.jwtGrantedAuthoritiesConverter = jwtGrantedAuthoritiesConverter;
     }
 
     /**
@@ -85,7 +107,7 @@ public AbstractAuthenticationToken convert(Jwt jwt) {
         OAuth2AccessToken accessToken = new OAuth2AccessToken(
             OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
         Map<String, Object> claims = jwt.getClaims();
-        Collection<GrantedAuthority> authorities = converter.convert(jwt);
+        Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
         OAuth2AuthenticatedPrincipal principal = new AadOAuth2AuthenticatedPrincipal(
             jwt.getHeaders(), claims, authorities, jwt.getTokenValue(), (String) claims.get(principalClaimName));
         return new BearerTokenAuthentication(principal, accessToken, authorities);

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/aad/AadResourceServerWebSecurityConfigurerAdapter.java

@@ -10,10 +10,15 @@
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
+import java.util.Collection;
+
 /**
  * Abstract configuration class, used to make JwtConfigurer and AADJwtBearerTokenAuthenticationConverter take effect.
  *
@@ -22,10 +27,32 @@
 public abstract class AadResourceServerWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
 
     @Autowired
-    AadResourceServerProperties properties;
+    private AadResourceServerProperties properties;
+
+    private Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter;
 
     /**
-     * configure
+     * Creates a new instance with the default configuration.
+     */
+    public AadResourceServerWebSecurityConfigurerAdapter() {
+    }
+
+    /**
+     * Sets the Azure AD properties and custom granted authority converter to creates a new instance,
+     * the custom granted authority converter can be null.
+     *
+     * @param properties the Azure AD properties for Resource Server
+     * @param jwtGrantedAuthoritiesConverter the custom converter for JWT granted authority
+     */
+    public AadResourceServerWebSecurityConfigurerAdapter(AadResourceServerProperties properties,
+                                                         Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter) {
+        Assert.notNull(jwtGrantedAuthoritiesConverter, "jwtGrantedAuthoritiesConverter cannot be null");
+        this.properties = properties;
+        this.jwtGrantedAuthoritiesConverter = jwtGrantedAuthoritiesConverter;
+    }
+
+    /**
+     * Apply the {@link OAuth2ResourceServerConfigurer}  for Azure AD OAuth2 Resource Server scenario.
      *
      * @param http the {@link HttpSecurity} to use
      * @throws Exception Configuration failed
@@ -45,8 +72,22 @@ private Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter()
         if (StringUtils.hasText(properties.getPrincipalClaimName())) {
             converter.setPrincipalClaimName(properties.getPrincipalClaimName());
         }
-        converter.setJwtGrantedAuthoritiesConverter(
-            new AadJwtGrantedAuthoritiesConverter(properties.getClaimToAuthorityPrefixMap()));
+
+        this.jwtGrantedAuthoritiesConverter = jwtGrantedAuthoritiesConverter();
+        if (this.jwtGrantedAuthoritiesConverter != null) {
+            converter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
+        } else {
+            converter.setJwtGrantedAuthoritiesConverter(
+                new AadJwtGrantedAuthoritiesConverter(properties.getClaimToAuthorityPrefixMap()));
+        }
         return converter;
     }
+
+    /**
+     * Customize the Jwt granted authority converter, and return the {@link AadResourceServerWebSecurityConfigurerAdapter#jwtGrantedAuthoritiesConverter} by default.
+     * @return the Jwt granted authority converter.
+     */
+    protected Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
+        return this.jwtGrantedAuthoritiesConverter;
+    }
 }

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/aad/configuration/AadResourceServerConfiguration.java

@@ -109,7 +109,7 @@ public static class DefaultAadResourceServerWebSecurityConfigurerAdapter extends
         AadResourceServerWebSecurityConfigurerAdapter {
 
         /**
-         * configure
+         * Configure the default Resource Server for Azure AD.
          *
          * @param http the {@link HttpSecurity} to use
          * @throws Exception Configuration failed

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/aad/AadJwtBearerTokenAuthenticationConverterTests.java

@@ -2,23 +2,29 @@
 // Licensed under the MIT License.
 package com.azure.spring.cloud.autoconfigure.aad;
 
+import com.azure.spring.cloud.autoconfigure.aad.implementation.constants.AadJwtClaimNames;
 import com.azure.spring.cloud.autoconfigure.aad.implementation.oauth2.AadOAuth2AuthenticatedPrincipal;
 import net.minidev.json.JSONArray;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestInstance;
+import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
 
 import java.time.Instant;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.mockito.internal.verification.VerificationModeFactory.times;
 
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class AadJwtBearerTokenAuthenticationConverterTests {
@@ -32,6 +38,7 @@ class AadJwtBearerTokenAuthenticationConverterTests {
     void init() {
         claims.put("iss", "fake-issuer");
         claims.put("tid", "fake-tid");
+        claims.put("name", "fake-user");
         headers.put("kid", "kg2LYs2T0CTjIfj4rt6JIynen38");
         when(jwt.getClaim("scp")).thenReturn("Order.read Order.write");
         when(jwt.getClaim("roles")).thenReturn(jsonArray);
@@ -62,7 +69,7 @@ void testNoArgumentsConstructorDefaultScopeAndRoleAuthorities() {
         AadOAuth2AuthenticatedPrincipal principal = (AadOAuth2AuthenticatedPrincipal) authenticationToken
             .getPrincipal();
         assertThat(principal.getAttributes()).isNotEmpty();
-        assertThat(principal.getAttributes()).hasSize(2);
+        assertThat(principal.getAttributes()).hasSize(3);
         assertThat(principal.getAuthorities()).hasSize(4);
     }
 
@@ -74,7 +81,7 @@ void testNoArgumentsConstructorExtractScopeAuthorities() {
         AadOAuth2AuthenticatedPrincipal principal = (AadOAuth2AuthenticatedPrincipal) authenticationToken
             .getPrincipal();
         assertThat(principal.getAttributes()).isNotEmpty();
-        assertThat(principal.getAttributes()).hasSize(2);
+        assertThat(principal.getAttributes()).hasSize(3);
         assertThat(principal.getAuthorities()).hasSize(4);
     }
 
@@ -86,7 +93,7 @@ void testParameterConstructorExtractScopeAuthorities() {
         AadOAuth2AuthenticatedPrincipal principal = (AadOAuth2AuthenticatedPrincipal) authenticationToken
             .getPrincipal();
         assertThat(principal.getAttributes()).isNotEmpty();
-        assertThat(principal.getAttributes()).hasSize(2);
+        assertThat(principal.getAttributes()).hasSize(3);
         assertThat(principal.getAuthorities()).hasSize(2);
     }
 
@@ -99,7 +106,7 @@ void testParameterConstructorExtractRoleAuthorities() {
         AadOAuth2AuthenticatedPrincipal principal = (AadOAuth2AuthenticatedPrincipal) authenticationToken
             .getPrincipal();
         assertThat(principal.getAttributes()).isNotEmpty();
-        assertThat(principal.getAttributes()).hasSize(2);
+        assertThat(principal.getAttributes()).hasSize(3);
         assertThat(principal.getAuthorities()).hasSize(2);
     }
 
@@ -113,9 +120,34 @@ void testConstructorExtractRoleAuthoritiesWithAuthorityPrefixMapParameter() {
         AadOAuth2AuthenticatedPrincipal principal = (AadOAuth2AuthenticatedPrincipal) authenticationToken
             .getPrincipal();
         assertThat(principal.getAttributes()).isNotEmpty();
-        assertThat(principal.getAttributes()).hasSize(2);
+        assertThat(principal.getAttributes()).hasSize(3);
         assertThat(principal.getAuthorities()).hasSize(2);
         Assertions.assertTrue(principal.getAuthorities().contains(new SimpleGrantedAuthority("APPROLE_User.read")));
         Assertions.assertTrue(principal.getAuthorities().contains(new SimpleGrantedAuthority("APPROLE_User.write")));
     }
+
+    @Test
+    void createTokenAuthenticationConverterWithGrantedAuthorityConverter() {
+        Converter<Jwt, Collection<GrantedAuthority>> grantedAuthorityConverter = mock(TestJwtGrantedAuthoritiesConverter.class);
+        AadJwtBearerTokenAuthenticationConverter tokenAuthenticationConverter = new AadJwtBearerTokenAuthenticationConverter(grantedAuthorityConverter);
+        tokenAuthenticationConverter.convert(jwt);
+        verify(grantedAuthorityConverter, times(1)).convert(this.jwt);
+    }
+
+    @Test
+    void createTokenAuthenticationConverterWithClaimNameAndGrantedAuthorityConverter() {
+        Converter<Jwt, Collection<GrantedAuthority>> grantedAuthorityConverter = mock(TestJwtGrantedAuthoritiesConverter.class);
+        AadJwtBearerTokenAuthenticationConverter tokenAuthenticationConverter = new AadJwtBearerTokenAuthenticationConverter(AadJwtClaimNames.NAME, grantedAuthorityConverter);
+        AbstractAuthenticationToken abstractAuthenticationToken = tokenAuthenticationConverter.convert(jwt);
+        AadOAuth2AuthenticatedPrincipal principal = (AadOAuth2AuthenticatedPrincipal) abstractAuthenticationToken.getPrincipal();
+        Assertions.assertEquals(principal.getName(), "fake-user");
+        verify(grantedAuthorityConverter, times(1)).convert(this.jwt);
+    }
+
+    class TestJwtGrantedAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
+        @Override
+        public Collection<GrantedAuthority> convert(Jwt source) {
+            return null;
+        }
+    }
 }

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/aad/implementation/webapi/AadResourceServerConfigurationTests.java

@@ -2,23 +2,34 @@
 // Licensed under the MIT License.
 package com.azure.spring.cloud.autoconfigure.aad.implementation.webapi;
 
+import com.azure.spring.cloud.autoconfigure.aad.AadResourceServerWebSecurityConfigurerAdapter;
 import com.azure.spring.cloud.autoconfigure.aad.configuration.AadResourceServerConfiguration;
 import com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthenticationProperties;
 import com.nimbusds.jwt.proc.JWTClaimsSetAwareJWSKeySelector;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.boot.test.context.FilteredClassLoader;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
+import org.springframework.test.util.ReflectionTestUtils;
 
+import java.util.Collection;
 import java.util.List;
 
 import static com.azure.spring.cloud.autoconfigure.aad.implementation.WebApplicationContextRunnerUtils.resourceServerContextRunner;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.mock;
 
 class AadResourceServerConfigurationTests {
 
@@ -79,4 +90,58 @@ void testCreateWebSecurityConfigurerAdapter() {
                 assertThat(webSecurityConfigurerAdapter).isNotNull();
             });
     }
+    @ParameterizedTest
+    @ValueSource(classes = { TestResourceServerConfigurationUsingConstructor.class, TestResourceServerConfigurationUsingMethod.class })
+    @SuppressWarnings("unchecked")
+    void useCustomJwtGrantedAuthoritiesConverterUsingConstructor(Class<? extends WebSecurityConfigurerAdapter> configurationClass) {
+        resourceServerContextRunner()
+            .withPropertyValues("spring.cloud.azure.active-directory.enabled=true")
+            .withUserConfiguration(configurationClass)
+            .run(context -> {
+                WebSecurityConfigurerAdapter webSecurityConfigurerAdapter = (WebSecurityConfigurerAdapter) context.getBean(configurationClass);
+                Converter<Jwt, Collection<GrantedAuthority>> converter =
+                    (Converter) ReflectionTestUtils.getField(webSecurityConfigurerAdapter, "jwtGrantedAuthoritiesConverter");
+                assertThat(converter).isNotNull();
+                assertThat(converter).isInstanceOfAny(TestJwtGrantedAuthoritiesConverter.class);
+                assertThat(webSecurityConfigurerAdapter).isNotNull();
+            });
+    }
+
+    @EnableWebSecurity
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    static class TestResourceServerConfigurationUsingConstructor extends
+        AadResourceServerWebSecurityConfigurerAdapter {
+
+        TestResourceServerConfigurationUsingConstructor() {
+            super(null, mock(TestJwtGrantedAuthoritiesConverter.class));
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            super.configure(http);
+        }
+    }
+
+    @EnableWebSecurity
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    static class TestResourceServerConfigurationUsingMethod extends
+        AadResourceServerWebSecurityConfigurerAdapter {
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+            super.configure(http);
+        }
+
+        @Override
+        protected Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
+            return mock(TestJwtGrantedAuthoritiesConverter.class);
+        }
+    }
+
+    class TestJwtGrantedAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
+        @Override
+        public Collection<GrantedAuthority> convert(Jwt source) {
+            return null;
+        }
+    }
 }