Identity PoC Hack in Java
A hack to develop PoCs in Java that use Azure AD and Azure AD B2C identities.
Goals
- Develop a PoC that signs up, signs in, and signs out a user with Azure AD B2C using MSAL Java.
- Develop a PoC that signs up, signs in, and signs out a user with Azure AD using MSAL Java.
Agenda
Day | Schedule
---|---
Day 1 | 1:00pm - 1:15pm: Kickoff and Team Intros; 1:15pm - 3:00pm: MS Identity Primer + AAD/B2C Demo; 3:00pm - 3:15pm: Break; 3:15pm - 4:00pm: Partner Environment Overview and Setup
Day 2 | 1:00pm - 2:30pm: Team whiteboarding session + Demo of AAD/B2C Java Webapp Sample; 2:30pm - 2:45pm: Break; 2:45pm - 4:00pm: Hack
Day 3 | 1:00pm - 2:00pm: Hack; 2:00pm - 2:15pm: Break; 2:15pm - 4:00pm: Hack
Day 4 | 1:00pm - 2:00pm: Hack; 2:00pm - 2:15pm: Break; 2:15pm - 4:00pm: Hack
Day 5 | 1:00pm - 2:15pm: Hack; 2:15pm - 3:00pm: Closing & Lessons Learned
PoC 1: Identity with AAD B2C
Objective 1: Environment Setup
- Provision an AAD B2C tenant
- Register a B2C app (web app with a redirect URI; note the client ID and create a client secret)
- Create and test three user flows (sign up and sign in, profile editing, password reset) using a B2C local account
References:
Objective 2: Configure B2C External IDPs
- Register an app with a social IDP, e.g. Google, and add it as a social IDP in your B2C tenant.
- Register an app with an OIDC IDP, e.g. the partner's own AAD tenant, and add it as a custom OIDC IDP in your B2C tenant.
- Retest your user flows with the new IDPs.
References:
Objective 3: Secure Java app with AAD B2C
- Protect target pages with the auth server, i.e. require the user to sign up or sign in before the page is served
- Redeem the auth code for an access token
- Issue a silent token request to handle token expiration (no user prompt while the refresh token is valid)
- Validate the auth request and response parameters ('state', 'nonce', etc.)
Checklist
- Set up the local environment, i.e. create a self-signed certificate so the app can serve https on localhost and the registered https://localhost redirect URI works.
  Example: generate a PKCS12 keystore (keytool prompts for the certificate's name fields; use localhost as the CN) and point Spring Boot at it. The store password "password" is fine for the local PoC only; do not reuse it anywhere else.

  ```
  keytool -genkeypair -alias testCert -keyalg RSA -storetype PKCS12 -keystore keystore.p12 -storepass password
  ```

  application.properties:

  ```
  server.ssl.key-store-type=PKCS12
  server.ssl.key-store=classpath:keystore.p12
  server.ssl.key-store-password=password
  server.ssl.key-alias=testCert
  ```
- Configuration file + class (client ID, client secret, authority, policy name, redirect URI; keep the secret out of source control)
- Check that the user is authenticated on secure pages
- Prompt the user to sign in if not authenticated
- Handle the auth code response from the auth server and redeem the code for an access token.
- Validate state and nonce: state ties the redirect back to the request this session started (protects against CSRF and replayed or forged responses); nonce ties the ID token to the session that requested it (protects against token injection). Neither one protects against cross-site scripting; that is a separate concern.
Hint: if not calling a downstream web API, use the client ID as the scope to get an access token for the app itself.
References:
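The checklist above as one controller, written for this page as an added example; it is not code from the ms-identity-java-webapp sample or from MSAL4J. It assumes Spring Boot 3 (jakarta servlet API), MSAL4J on the classpath (which brings nimbus-jose-jwt along for decoding the ID token), a `secure` view, and placeholder tenant name, policy name, client ID and redirect URI that you replace with the values from Objective 1. The client secret is read from the `B2C_CLIENT_SECRET` environment variable, an assumption of this example.

```java
package com.example.identitypoc;

import com.microsoft.aad.msal4j.*;
import com.nimbusds.jwt.SignedJWT;
import jakarta.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

@Controller
public class B2cAuthController {
    // Assumed registration values from Objective 1; replace with your tenant, policy and app.
    private static final String TENANT = "contoso";                 // contoso.onmicrosoft.com
    private static final String POLICY = "B2C_1_signupsignin";
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    private static final String REDIRECT_URI = "https://localhost:8443/redirect";
    private static final String AUTHORITY =
            "https://" + TENANT + ".b2clogin.com/tfp/" + TENANT + ".onmicrosoft.com/" + POLICY + "/";
    private static final Set<String> SCOPES = Set.of(CLIENT_ID); // no downstream API yet: app's own client ID

    private final ConfidentialClientApplication app;
    private final SecureRandom random = new SecureRandom();

    public B2cAuthController() throws Exception {
        app = ConfidentialClientApplication // secret from the environment, never from the repo
                .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(System.getenv("B2C_CLIENT_SECRET")))
                .b2cAuthority(AUTHORITY).build();
    }

    // Protected page: no signed-in account in the session -> start sign-in.
    @GetMapping("/secure")
    public String secure(HttpSession session) throws Exception {
        IAuthenticationResult auth = (IAuthenticationResult) session.getAttribute("auth");
        if (auth == null) return "redirect:/signin";
        // Token about to expire -> silent renewal via MSAL's cache/refresh token, no user prompt.
        if (auth.expiresOnDate().getTime() - System.currentTimeMillis() < 5 * 60 * 1000L) {
            auth = app.acquireTokenSilently(SilentParameters.builder(SCOPES, auth.account()).build()).get();
            session.setAttribute("auth", auth);
        }
        return "secure";
    }

    // Build the authorization request; state and nonce are random and bound to this session.
    @GetMapping("/signin")
    public String signIn(HttpSession session) {
        String state = randomToken(), nonce = randomToken();
        session.setAttribute("state", state);
        session.setAttribute("nonce", nonce);
        AuthorizationRequestUrlParameters params = AuthorizationRequestUrlParameters.builder(REDIRECT_URI, SCOPES)
                .responseMode(ResponseMode.QUERY).state(state).nonce(nonce).build();
        return "redirect:" + app.getAuthorizationRequestUrl(params);
    }

    // Redirect URI: check state before touching the code, redeem the code, then check the nonce.
    @GetMapping("/redirect")
    public String redirect(@RequestParam(required = false) String code, @RequestParam(required = false) String state,
                           @RequestParam(required = false) String error, HttpSession session) throws Exception {
        String expectedState = (String) session.getAttribute("state");
        session.removeAttribute("state"); // single use, whether it matches or not
        if (!matches(expectedState, state)) throw new IllegalStateException("state mismatch: CSRF or replayed response");
        if (error != null || code == null) throw new IllegalStateException("authorization failed: " + error);

        IAuthenticationResult auth = app.acquireToken(
                AuthorizationCodeParameters.builder(code, new URI(REDIRECT_URI)).scopes(SCOPES).build()).get();
        // MSAL fetched the ID token straight from the token endpoint over TLS; what it cannot know is
        // whether this token answers *our* request, so compare its nonce claim with the session's.
        String expectedNonce = (String) session.getAttribute("nonce");
        session.removeAttribute("nonce");
        String nonce = SignedJWT.parse(auth.idToken()).getJWTClaimsSet().getStringClaim("nonce");
        if (!matches(expectedNonce, nonce)) throw new IllegalStateException("nonce mismatch: token not for this session");
        session.setAttribute("auth", auth);
        return "redirect:/secure";
    }

    // Sign-out: drop the local session, then end the B2C session at the policy's logout endpoint.
    @GetMapping("/signout")
    public String signOut(HttpSession session) {
        session.invalidate();
        return "redirect:" + AUTHORITY + "oauth2/v2.0/logout?post_logout_redirect_uri=https://localhost:8443/";
    }

    private String randomToken() {
        byte[] b = new byte[32];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static boolean matches(String expected, String actual) { // constant-time, null-safe
        return expected != null && actual != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two design points worth keeping when you adapt this. The state check runs before anything else and the stored value is removed on the first visit, so a replayed or attacker-crafted redirect cannot get the code redeemed against a victim's session. MSAL4J's default token cache lives in process memory, so `acquireTokenSilently` only works on the instance that did the sign-in; to survive restarts or more than one instance, persist `app.tokenCache()` per user (the sample webapp serializes it into the session) instead of relying on the process cache.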
Objective 4: Call a downstream protected web api
- Call an API protected by the same auth server, requesting a token for that API's scope (not the web app's own client ID)
References:
PoC 2: Rinse and Repeat using AAD
Objective 1: Environment Setup
- Provision a separate AAD tenant.
- Register an AAD app as a multi-tenant app.
References:
Objective 2: Secure Java app with AAD
- Rinse and repeat the steps in the B2C PoC, or clone the above with some minor tweaks: the authority becomes https://login.microsoftonline.com/{tenant} (or /common for the multi-tenant app) and there is no policy name, since AAD has no user flows.
References:
Objective 3: Call a downstream protected web api
- Call an API protected by the same auth server, requesting a token for that API's scope
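The downstream call for PoC 1 Objective 4 and PoC 2 Objective 3 share one shape, shown here as an added example (not from the sample webapp or MSAL4J): take the signed-in user's `IAccount`, ask MSAL for a token for the API's scope, and send it as a bearer token. The scope string, the API URL and the `ConfidentialClientApplication` passed in (the same instance the sign-in code built) are assumptions; the AAD `api://...` form is shown, the B2C form is noted in the comment.

```java
package com.example.identitypoc;

import com.microsoft.aad.msal4j.*;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Set;
import java.util.concurrent.ExecutionException;

/** Calls an API registered with the same authority, using a token minted for that API's scope. */
public class DownstreamApiClient {
    // Assumed scope from the API's own registration ("Expose an API"). AAD form shown;
    // for B2C it looks like https://<tenant>.onmicrosoft.com/<api-name>/<scope-name>.
    private static final Set<String> API_SCOPES = Set.of("api://11111111-1111-1111-1111-111111111111/access_as_user");
    private static final URI API_URL = URI.create("https://localhost:9443/api/me"); // assumed endpoint

    public record ApiResult(int status, String body, boolean signInAgain) {}

    private final ConfidentialClientApplication app; // the same instance the sign-in controller uses
    private final HttpClient http = HttpClient.newHttpClient();

    public DownstreamApiClient(ConfidentialClientApplication app) { this.app = app; }

    public ApiResult call(IAccount account) throws Exception {
        String accessToken;
        try {
            // Ask MSAL for a token for the API's scope, not the web app's own scope: the token from
            // sign-in has the web app as audience and the API must reject it. MSAL serves this from
            // its cache or redeems the refresh token; the user is not prompted.
            accessToken = app.acquireTokenSilently(SilentParameters.builder(API_SCOPES, account).build())
                    .get().accessToken();
        } catch (ExecutionException e) {
            if (e.getCause() instanceof MsalInteractionRequiredException) {
                // Consent for this scope not yet given, or the refresh token is revoked/expired:
                // only a new interactive sign-in (with API_SCOPES in the request) can fix that.
                return new ApiResult(401, null, true);
            }
            throw e;
        }
        HttpRequest req = HttpRequest.newBuilder(API_URL)
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json")
                .GET().build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        // 401 means the API rejected the bearer token (audience, issuer, signature or scp claim);
        // 403 means the token is valid but lacks the right scope. Neither is fixed by retrying.
        return new ApiResult(resp.statusCode(), resp.body(), resp.statusCode() == 401);
    }
}
```

If the API also runs on localhost behind the self-signed certificate from the checklist, the JVM making this call has to trust that certificate (import it into the truststore the client uses), otherwise the TLS handshake fails before any token is sent.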
Resources
- MSAL Java Library: https://github.com/AzureAD/microsoft-authentication-library-for-java
- Microsoft Identity Java Webapp Sample: https://github.com/Azure-Samples/ms-identity-java-webapp
- VSCode IDE: https://code.visualstudio.com/
- VSCode Java Extension Pack: https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-pack
- VSCode Spring Boot Extension Pack: https://marketplace.visualstudio.com/items?itemName=Pivotal.vscode-boot-dev-pack
- Spring Initializr: https://start.spring.io/
Key OAuth Flows
Auth Code Flow
Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Client Credentials Flow
Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
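The client credentials flow is the one flow in this hack with no user in it: a daemon or backend presents its own credential and gets an app-only token. As an added example (not from MSAL4J or the sample), the class below acquires such a token with MSAL4J; the tenant ID, client ID and the `AAD_CLIENT_SECRET` environment variable are assumptions.

```java
package com.example.identitypoc;

import com.microsoft.aad.msal4j.*;
import java.util.Set;
import java.util.concurrent.ExecutionException;

/** App-only (daemon) token via the client credentials grant: no user, no browser, no refresh token. */
public class DaemonTokenClient {
    // Assumed values. The authority must name the tenant; /common is not valid for this grant.
    private static final String TENANT_ID = "11111111-2222-3333-4444-555555555555";
    private static final String CLIENT_ID = "00000000-0000-0000-0000-000000000000";
    private static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT_ID + "/";
    // App-only scope is always "<resource>/.default": it means "every application permission this app
    // has been granted on that resource", which an admin must have consented to beforehand.
    private static final Set<String> SCOPES = Set.of("https://graph.microsoft.com/.default");

    private final ConfidentialClientApplication app;

    public DaemonTokenClient() throws Exception {
        app = ConfidentialClientApplication
                .builder(CLIENT_ID, ClientCredentialFactory.createFromSecret(System.getenv("AAD_CLIENT_SECRET")))
                .authority(AUTHORITY).build();
    }

    public String accessToken() throws Exception {
        try {
            // MSAL caches the result and hands back the same token until it nears expiry, so call
            // this per request rather than once at startup; the token endpoint is hit only when needed.
            IAuthenticationResult result = app.acquireToken(ClientCredentialParameters.builder(SCOPES).build()).get();
            return result.accessToken(); // result.account() is null: there is no user in this flow
        } catch (ExecutionException e) {
            if (e.getCause() instanceof MsalServiceException mse) {
                // Token endpoint refused: missing admin consent, wrong tenant in the authority, bad secret.
                throw new IllegalStateException("client credentials rejected: " + mse.getMessage(), mse);
            }
            throw e;
        }
    }
}
```

A shared secret is the simplest credential for the hack; outside of it, prefer a certificate (`ClientCredentialFactory.createFromCertificate`) so the private key never leaves the host and nothing reusable is sent to the token endpoint.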