- Google (gmail) account if you want to test out the Google OAuth2 scenario
Very brief guide:
- Create a local
application.properties
file based onapplication.properties.template
- Register a Google API application in the
Google API Console
and place the
google.client.id
andgoogle.client.secret
inapplication.properties
- Register a Azure AD Application at
Application Registration Portal
and place the
ad.client.id
andad.client.secret
inapplication.properties
- Start the main class
A good way of creating access controlled applications is to use an Enterprise Application in Azure Active Directory. This allows application role assignments to individual users and users in specified Active Directory group. It also gives the option for security features such as MFA (multi-factor authorization) and auditing.
Setting up an Active Directory Enterprise Application:
- Log into Azure Portal. You may have to create a trial account.
- If you don't have access to your organization's Active Directory, you can create your own AD for testing purpose
- Use your AD's Directory ID
as
enterprise.tenant
inapplication.properties
- Create an Application Registration.
Use the Application ID as
enterprise.client.id
inapplication.properties
- In your Application Registration, select Settings and Reply URLs. Add
http://localhost:9080/enterprise/oauth2/callback
(additional URLs are required for deployment) - In your Application Registration, select Settings and Keys. Create a
key and store it as
enterprise.client.secret
inapplication.properties
- In you Application Registration, select Manifest. You have to add
appRoles
as per Azure Multitenant Documentation. You also have to set"groupMembershipClaims": "SecurityGroup"
- Click the link under "Managed application in local directory" to go to the enterprise application configuration.
- Under "Users and groups", add a user that can test the application and assign the user to one of the roles created under step 8.
Make sure you have updated application.properties
with enterprise.tenant
,
enterprise.client.id
and enterprise.client.secret
. Start the Application
main class and point a web browser to http://localhost:9080.
You can test the setup under Enterprise application login. The decoded ID token should contain the Application Role assigned to the user who logs in.
There are a number of security controls that can be set up for an Enterprise application:
- Under "Properties", turn "User assignment required" on to restrict unassigned users from even getting an access token for the application.
- Under "Users and groups", users and groups can be assigned to the applicaton and to specific application roles
- "Self-service" is a feature I haven't examined yet, but it seems to be a feature for users to request access to the application
- "Conditional access" (requires premium AD) allows you to specify that users must use Multi-factor authentication (MFA, also known as two-factor) or that they can only access the application from certain geographical locations or IP addresses
- "Sign-ins" and "Audit logs" allows an admin to see logins and other security critical events
- What requirements are there for users to create an application in their own Active Directory?
- Automatic enrollment with https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/run-the-app
- Can the "master application" read access logs from tenants?