0
votes

We have an app that uses the Azure Spring Boot Active Directory starter "com.microsoft.azure:azure-active-directory-spring-boot-starter" and Spring Security to secure access to the app. This all works fine.

This was done by following these instructions:

https://docs.microsoft.com/en-us/azure/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory

Now we want to call DevOps REST APIs on behalf of the logged-in users as per these instructions:

https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops

The thing that is confusing me is that each set of documentation specifies a completely different way of registering the app.

The first says: "From the portal menu, click App registrations, and then click Register an application."

The second says: "Go to https://app.vsaex.visualstudio.com/app/register to register your app."

If I register via the second manner it doesn't show up in the list of app registrations in the portal.

So for the moment, I've registered two apps, one in the portal, and one in the second manner.

In order to register a user with the app, I go here, specifying the callback URL that I defined for the second app (bear in mind the first and second apps are the same app).

https://app.vssps.visualstudio.com/oauth2/authorize
        ?client_id={app ID}
        &response_type=Assertion
        &state={state}
        &scope={scope}
        &redirect_uri={callback URL}

However, as I am already logged in to the app via Spring Security/AD (the first mechanism) I get this error back from the app registration URL above, presumably because I'm logged in from the first:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: idoffirstapplication

Questions:

How can I secure my app via AD, which uses OAuth2 under the bonnet, and allow the app to call DevOps APIs on behalf of the logged-in users?

The main issue seems to be that Azure has two completely different sets of endpoints for logging in via Azure and calling DevOps REST APIs. For example the REST API OAuth2 token endpoint is https://app.vssps.visualstudio.com/oauth2/token but the AD one is https://login.microsoftonline.com/${azure.activedirectory.tenant-id}/oauth2/token

Can I just have one application and add in the OAuth2 scopes I need (vso.release_execute) and add in an additional redirect_uri to handle the code returned from the call to https://app.vssps.visualstudio.com/oauth2/authorize, and then have it call DevOps-specific token URLs to get refresh and access tokens?


1 Answer

0
votes

The two links are different things. The first link is securing a Java web app using the Spring Boot Starter for Azure Active Directory. The second link is authorizing access to REST APIs of Azure DevOps Service with OAuth 2.0.

The users who can call the DevOps APIs in the application need to be able to access the DevOps organization. You can refer to the C# example in the following link:

https://github.com/microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample
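As an added illustration (not code from the question, the answer, or the linked C# sample), a minimal Java client for the DevOps half of the flow, kept separate from the AAD login the Spring starter handles: it builds the authorize request quoted in the question with a random state, rejects a callback whose state does not match the one stored in the session, and exchanges the returned code at the DevOps token endpoint using the jwt-bearer assertion grant described in the DevOps OAuth documentation. The client id, secret and callback URL are placeholders; the callback URL must match the one registered for the DevOps app exactly, which is what the AADSTS50011 error in the question is complaining about.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.stream.Collectors;

/** Azure DevOps OAuth 2.0 client, independent of the AAD login performed by the Spring starter. */
public class DevOpsOAuthClient {
    // Placeholders: the DevOps app registration (app.vsaex.visualstudio.com) and its registered callback.
    private static final String CLIENT_ID = "{app ID}";
    private static final String CLIENT_SECRET = "{app secret}";
    private static final String REDIRECT_URI = "https://example.com/devops/callback";
    private static final String SCOPE = "vso.release_execute";
    private static final SecureRandom RANDOM = new SecureRandom();

    static String form(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    /** Unguessable state; store it in the user's HTTP session before redirecting. */
    static String newState() {
        byte[] b = new byte[32];
        RANDOM.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** The authorize URL from the question, with response_type=Assertion as DevOps requires. */
    static String authorizeUrl(String state) {
        return "https://app.vssps.visualstudio.com/oauth2/authorize?" + form(Map.of(
            "client_id", CLIENT_ID, "response_type", "Assertion",
            "state", state, "scope", SCOPE, "redirect_uri", REDIRECT_URI));
    }

    /** Callback handler: drop the code unless the returned state matches the stored one, then exchange it. */
    static String exchangeCode(String returnedState, String storedState, String code) throws Exception {
        if (storedState == null || !storedState.equals(returnedState)) {
            throw new SecurityException("OAuth state mismatch; discarding authorization code");
        }
        String body = form(Map.of(
            "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion", CLIENT_SECRET,
            "grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion", code, "redirect_uri", REDIRECT_URI));
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://app.vssps.visualstudio.com/oauth2/token"))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body(); // JSON containing access_token, refresh_token and expires_in
    }
}
```

The refresh token returned here belongs to the DevOps app, not the AAD session, so it should be stored per user and refreshed against the DevOps token endpoint, never sent to login.microsoftonline.com.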