如何从 Spring 检索 azure AD JWT 访问令牌？

Question

I'm trying to retrieve the azure JWT access token from my Spring Boot application from another application by querying a /token endpoint, but the token I receive is seemingly incorrect.

The project has a Spring Boot backend and an Eclipse rcp frontend. I'm attempting to retrieve the access token from the eclipse frontend. For this, I have the controller below:

    @Autowired
    private OAuth2AuthorizedClientService authorizedClientService;

    @GetMapping("/token")
    public String user(OAuth2AuthenticationToken authentication) {

        OAuth2AuthorizedClient authorizedClient = this.authorizedClientService
                        .loadAuthorizedClient(authentication.getAuthorizedClientRegistrationId(), authentication.getName());
        return authorizedClient.getAccessToken().getTokenValue();
    }

Which returns a token with the following format:

PAQABAAAAAABeAFzDwllzTYGDLh_qYbH8hgtbYMB8x7YLamQyQPk_MEXyd9Ckc5epDFQMv3RxjmMie0JDr5uN82U4RFLgU3fnDBxGolo4XVwzLEsTZDmUK_r0YG6ZwLbbQI_ch_Xn8xCxhsFq-AoRbEESDqK3GmK4eXwCYoT0G8_XfZjHTvCNTOMqUb2Q-CD2EalIKf0zSZ5184qrvlXfdNeT_BJdH_tqaodn80Bp2UL2hdnOCDZuWRqKl_2fi4v-eOOKJCcjOqY6SreVEeoKkIvVdayGE8F6qCxFehmlA0sX9sVW34FIVYVo4lDRsTkm-WN2KJwxJmalNcxg0k2ObDnIeC1ulPPpiPq-O_LK9bVA4HEZ63cJi9ZwQHwLPUhOO6TquoCOroHSy5KPoFkX3N796hM1i0NpaaY4MeAx17CSYeZ9P06jvYD7UMTV3OwWt-OVrDm5z_AvbOvyHRf9wjh31H6oLoc-iu_NCspT6NzC2UZQSHBtKdydEcP6sNkRp073jrZEg8UtcVT6HzddIBk2P0tVeIiSyU3SfLETbzJE67xtJVip3ai9aLN28c0qt3rDBaVGDAXjXhqrh5D3NiXdQjS6YTAKy0bVmNk9Yr9o2CGBA2wFjE8OZ6_Hb3k8_13KMJHafx0gAA

Dependencies from pom.xml

Built using spring boot with the following relevant dependencies:

• spring-boot-starter-web v2.2.4
• azure-active-directory-spring-boot-starter v2.2.1
• spring-security-oauth2-client v5.2.1
• spring-security-oauth2-jose v5.2.1
• spring-security-oauth2-resource-server v5.2.1

Config from application.yml

We support multiple authorization servers, here is the fully configured azure client:

spring:
  security:
    oauth2:
      client:
        azure:
          client-id: XXX
          client-secret: XXX
          client-name: Microsoft
          scope: openid, https://graph.microsoft.com/user.read, profile
          authorization-grant-type: authorization_code
          redirect-uri: http://localhost:8080/login/oauth2/code/azure
          client-authentication-method: basic
          authentication-method: post
      provider:
        authorization-uri: https://login.microsoftonline.com/XXX/oauth2/authorize
        token-uri: https://login.microsoftonline.com/XXX/oauth2/token
        user-info-uri: https://login.microsoftonline.com/XXX/openid/userinfo
        jwt-set-uri: https://login.microsoftonline.com/dXXX/discovery/keys

azure:
   activedirectory:
      tenant-id: XXX
      active-directory-groups: XXX
      allow-telemetry: false

websecurityconfig.java

@Configuration
@EnableConfigurationProperties
@EnableWebSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                    [...]
                    .anyRequest().authenticated();

        http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)

        http.oauth2Login()
                .userInfoEndpoint()
                .oidcUserService(oidcUserService)
                .and()
                .authorizationEndpoint();
    }

    [...]
}

Answer 1

This is how I ended up obtaining the open id token from Azure

@GetMapping("/token")
public String user(OAuth2AuthenticationToken authentication) {
    DefaultOidcUser user = (DefaultOidcUser) authentication.getPrincipal();
    return user.getIdToken().getTokenValue();
}