I'm trying to configure Spring Security OpenID Connect with Azure AD but only for authentication, without calling any tokenEndpoint or userInfoEndpoint.
I have successfully initiated the authentication flow for OpenID and I see in the network traffic that AzureAD properly redirects to the redirect_uri along with the code query parameter (e.g. http://localhost:8080/login/oauth2/code/azure?code=0.AAAA3...). This code is supposed to be read by Microsoft's MSAL4j library, verified using the Azure AD public keys and then have the JWT extracted which contains the claims etc.
My problem is that I can't figure out how to configure the Spring Security Azure filters to look for the token in the URI instead of trying to call a tokenEndpoint. I'm obviously getting the following error:
MsalServiceException: AADSTS240002: Input id_token cannot be used as 'urn:ietf:params:oauth:grant-type:jwt-bearer' grant.
And I'm guessing it's because I haven't enabled the ID Token flag in my Azure AD configuration which I don't want to enable (since my application does the authentication on the server side). It also says that it is trying to use the on_behalf_of requested_token_use which I think I don't want (it's part of the authorization which I don't need).
How can I configure Azure AD Spring Security to allow for authentication via the ?code=... query parameter which contains the JWT?
