Azure-sdk-for-java: Deprecate AADAuthenticationFilter and AADAppRoleStatelessAuthenticationFilter

Created on 27 Nov 2020 · 5 comments · Source: Azure/azure-sdk-for-java

Mark 2 Filters as deprecated in favor of leveraging AAD enhancements of spring-security-resource-server directly.

Please follow how to integrate aad starter with resource server and aad sample for resource server for more information.

Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-validation-custom

All 5 comments

  • For AADAppRoleStatelessAuthenticationFilter, our AAD starter now provides enhancements on spring-security-resource-server, such as:

    • Adding more AAD-specific token validation, like audience check and issuer check.
    • Exposing more information via UserPrincipal, like getTenantId(), isPersonalAccount().
    • Integrating the ability to perform the OBO flow with Spring Security; now users can inject the OBO authorized client via annotation:

      ```java
      @GetMapping("/call-graph")
      public String callGraph(@RegisteredOAuth2AuthorizedClient("graph") OAuth2AuthorizedClient authorizedClient) {
          // The starter performs the on-behalf-of exchange; the client holds the resulting Graph token.
          OAuth2AccessToken graphAccessToken = authorizedClient.getAccessToken();
          // ...
      }
      ```

    so we suggest using these enhancements of the AAD starter in the case of stateless web applications.

  • For AADAuthenticationFilter, since the resource server would normally not support sessions, AADAuthenticationFilter will not be supported in the future.


@chenrujun

with the provided links, I have a hard time seeing how "Authenticate stateless web API by a filter, using AAD app roles" (https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/spring/azure-spring-boot-starter-active-directory#web-api-deprecated-authenticate-stateless-web-api-by-a-filter-using-aad-app-roles) can be done without the now deprecated class. That page just links back to this issue again.

Is that functionality possible without that filter? If so, where can I find that out? Do you want me to create a ticket for that question?

Just linking to this issue without further instructions doesn't really help me as a developer to migrate away from the deprecated class:

```java
/**
 * A stateless authentication filter which uses app roles feature of Azure Active Directory. Since it's a stateless
 * implementation so the principal will not be stored in session. By using roles claim in the token it will not call
 * Microsoft Graph to retrieve users' groups.
 * <p>
 *
 * @deprecated See the <a href="https://github.com/Azure/azure-sdk-for-java/issues/17860">Alternative method</a>.
 */
@Deprecated
public class AADAppRoleStatelessAuthenticationFilter extends OncePerRequestFilter {
```

Hi @DRoppelt, sorry for not making the migration clear.

You could follow this sample to see how to use AAD starter in a resource server.

You could follow this code to configure the AADJwtBearerTokenAuthenticationConverter, which by default maps the scope claim to GrantedAuthorities.

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
        .oauth2ResourceServer()
        .jwt()
        // default constructor: "scp" (scope) claim -> "SCOPE_" prefixed authorities
        .jwtAuthenticationConverter(new AADJwtBearerTokenAuthenticationConverter());
}
```

If you want to use another claim, you just need to change the initialization to something like:

```java
new AADJwtBearerTokenAuthenticationConverter("roles", "ROLE_")
```

Hi @saragluna,

thank you for the sample. However, what if the token does not contain the desired scopes? I am referring to the previous implementation using AADAuthenticationFilter, where the code calls MS Graph to get user groups/roles (in case they are not a part of the token). Is the only option now to implement my own AADJwtBearerTokenAuthenticationConverter version (which calls MS Graph and maps roles/groups)?

Thank you.

@michal-petrik sorry I missed this message. Yes, if you still want to have the ability to use groups to do your authorization in a resource server.
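As an added illustration of both answers above (mapping a claim other than scope, and falling back to a group lookup when the claim is absent), here is a custom converter that is not part of the AAD starter or this thread. It assumes Spring Security 5.2+ `Converter<Jwt, AbstractAuthenticationToken>` and a hypothetical `fallbackLookup` function supplied by the application (for example a Microsoft Graph query keyed by the caller's `oid` claim); audience and issuer validation are intentionally left to the resource server's `JwtDecoder`.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.function.Function;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/**
 * Maps the AAD "roles" claim (app roles) to ROLE_-prefixed authorities.
 * Register it with .jwt().jwtAuthenticationConverter(new RolesClaimAuthenticationConverter(lookup))
 * in place of AADJwtBearerTokenAuthenticationConverter. Signature/audience/issuer checks are NOT
 * performed here: by the time convert() runs, the JwtDecoder has already validated the token.
 */
public class RolesClaimAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    private static final String ROLES_CLAIM = "roles";
    private static final String OID_CLAIM = "oid";      // AAD object id of the caller
    private static final String PREFIX = "ROLE_";

    // Hypothetical, app-supplied: object id -> group/role names (e.g. via Microsoft Graph).
    // It must fail closed: on any lookup error return an empty list rather than throwing.
    private final Function<String, List<String>> fallbackLookup;

    public RolesClaimAuthenticationConverter(Function<String, List<String>> fallbackLookup) {
        this.fallbackLookup = fallbackLookup;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        List<String> roles = jwt.getClaimAsStringList(ROLES_CLAIM);
        if (roles == null || roles.isEmpty()) {
            // Claim absent: consult the lookup only for a caller with a stable object id.
            String oid = jwt.getClaimAsString(OID_CLAIM);
            roles = (oid == null) ? List.of() : fallbackLookup.apply(oid);
        }
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(PREFIX + role));
        }
        // No roles at all yields an authenticated principal with no authorities,
        // so hasRole(...) checks deny by default instead of silently passing.
        return new JwtAuthenticationToken(jwt, authorities);
    }
}
```

A token carrying `"roles": ["Admin"]` yields the authority `ROLE_Admin`; a token without the claim gets only whatever the lookup returns for its `oid`.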
