From 141ba2a069ae0499fdf13fbed0d98a87efb7f283 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Wed, 9 Mar 2022 00:13:56 +0800 Subject: [PATCH 01/38] aad-resource-server-by-filter terraform support --- .../src/main/resources/application.yml | 2 +- .../terraform/main.tf | 91 +++++++++++++++++++ .../terraform/outputs.tf | 14 +++ .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 0 .../terraform/variables.tf | 17 ++++ 6 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.ps1 create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml index 07125b848..2c1857ccd 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml @@ -18,6 +18,6 @@ spring: profile: tenant-id: ${AZURE_TENANT_ID} user-group: - allowed-groups: group1,group2 + allowed-group-names: group1,group2 redirect-uri-template: http://localhost:8080/ 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf
new file mode 100644
index 000000000..5d6c5b964
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf
@@ -0,0 +1,91 @@
+terraform {
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 2.15.0"
+ }
+ }
+}
+
+
+data "azuread_client_config" "current" {}
+
+
+# Configure the Azure Active Directory Provider
+provider "azuread" {
+ tenant_id = "308df08a-1332-4a15-bb06-2ad7e8b71bcf"
+}
+
+# Configure an app
+resource "azuread_application" "gzh-app" {
+ display_name = "gzh-app"
+
+ owners = [data.azuread_client_config.current.object_id]
+ sign_in_audience = "AzureADMultipleOrgs"
+
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+ resource_access {
+ id = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
+ type = "Role"
+ }
+
+ resource_access {
+ id = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
+ type = "Scope"
+ }
+
+ resource_access {
+ id = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All
+ type = "Scope"
+ }
+ }
+
+ required_resource_access {
+ resource_app_id = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Office 365 Management
+
+ resource_access {
+ id = "594c1fb6-4f81-4475-ae41-0c394909246c" # ActivityFeed.Read
+ type = "Role"
+ }
+ }
+
+ single_page_application{
+ redirect_uris = ["http://localhost:8080/"]
+ }
+
+ web {
+ implicit_grant {
+ access_token_issuance_enabled = true
+ id_token_issuance_enabled = true
+ }
+ }
+}
+
+resource "azuread_application_password" "example" {
+ application_object_id = azuread_application.gzh-app.object_id
+}
+
+
+# Retrieve domain information
+data "azuread_domains" "example" {
+ only_initial = true
+}
+
+data "azuread_group" "group1" {
+ display_name = "group1"
+ security_enabled = true
+}
+
+# Create a user
+resource "azuread_user" "example" {
+ user_principal_name = "ExampleUser@${data.azuread_domains.example.domains.0.domain_name}"
+ display_name = "Example User"
+ password = "Gzh123456@"
+}
+
+resource "azuread_group_member" "group1" {
+ group_object_id = data.azuread_group.group1.id
+ member_object_id = azuread_user.example.id
+}
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf
new file mode 100644
index 000000000..5f9b14737
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf
@@ -0,0 +1,14 @@
+
+output "sp-password" {
+ value = azuread_application_password.example
+ sensitive = true
+}
+
+
+output "output-user" {
+ value = azuread_user.example.user_principal_name
+}
+
+output "clientid" {
+ value = azuread_application.gzh-app.application_id
+}
\ No newline at end of file
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.ps1
new file mode 100644
index 000000000..e69de29bb
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh
new file mode 100644
index 000000000..e69de29bb
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf
new file mode 100644
index 000000000..6fe3d961b
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf
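Review bot: `password = "Gzh123456@"` in `resource "azuread_user" "example"` commits a literal password for a real directory account whose `user_principal_name` is derived from the tenant's initial domain, so everyone with read access to this repository holds a working credential for that user; generate it with a `random_password` resource and expose it only through a `sensitive = true` output. The provider block also pins `tenant_id = "308df08a-1332-4a15-bb06-2ad7e8b71bcf"` to one specific tenant, which a sample should not do — drop the attribute and let the Azure CLI login or `ARM_TENANT_ID` supply it, or declare a `tenant_id` variable in variables.tf. `sign_in_audience = "AzureADMultipleOrgs"` lets accounts from any Azure AD tenant sign in and the `implicit_grant` block turns on access-token and id-token issuance for the implicit flow; unless the resource-server sample actually depends on them, `AzureADMyOrg` and no `implicit_grant` block are the safer defaults and the deviation deserves a comment. `User.Read.All` and `ActivityFeed.Read` are `type = "Role"` (application) permissions that need tenant-admin consent and grant tenant-wide read; if the group filter only needs the signed-in user's group membership, delegated `Scope` permissions suffice, so the choice should be justified in a comment or narrowed.
```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.15.0"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

# … unchanged: azuread_client_config data source …

# Tenant comes from the CLI login / ARM_TENANT_ID; no tenant GUID is baked into the sample.
provider "azuread" {}

# … unchanged: azuread_application "gzh-app", azuread_application_password, azuread_domains, azuread_group …

resource "random_password" "example_user" {
  length  = 16
  special = true
}

# Create a user (password is generated, never stored in source)
resource "azuread_user" "example" {
  user_principal_name = "ExampleUser@${data.azuread_domains.example.domains.0.domain_name}"
  display_name        = "Example User"
  password            = random_password.example_user.result
}

# … unchanged: azuread_group_member "group1" …
```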
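Review bot: `value = azuread_application_password.example` in `output "sp-password"` exports the whole resource object rather than the secret a setup script would consume; `value = azuread_application_password.example.value` is what callers need, with `sensitive = true` kept as it is. Note that `sensitive` only redacts `terraform output` — this application password, like the user password set in main.tf, is written to the Terraform state in plaintext, so the sample's README should state where the state lives and that it must be protected like a credential. The new user's password has no output at all, so a consumer of `output-user` has no supported way to obtain it; once it is generated rather than hard-coded, add `output "user-password" { value = azuread_user.example.password sensitive = true }`.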
@@ -0,0 +1,17 @@ +variable "application_name" { + type = string + description = "The name of your application." + default = "keyvault" +} + +variable "location" { + type = string + description = "The Azure region where all resources in this example should be created." + default = "eastus" +} + +variable "sample_tag_value" { + type = string + description = "The value of spring-cloud-azure-sample tag." + default = "true" +} From 8a65bea3d375d5ecab472a0f408cc41f2bc834a3 Mon Sep 17 00:00:00 2001 
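Review bot: None of `application_name`, `location` or `sample_tag_value` is referenced by the main.tf added in this patch, and `default = "keyvault"` for `application_name` reads like a leftover from another sample; either use them (for example `display_name = var.application_name` instead of the literal `"gzh-app"`) or drop them. The variable the configuration does need is the one main.tf currently hard-codes, so add `variable "tenant_id" { type = string description = "Azure AD tenant that hosts the sample application." }` and reference it from the provider block.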
From: zhihaoguo Date: Fri, 11 Mar 2022 10:57:03 +0800 Subject: [PATCH 02/38] update scripts to support terraform with aad --- .../webflux/oauth2/spring-cloud-gateway.md | 10 +- .../client-access-multiple-resource-server.md | 8 +- .../oauth2/client-access-resource-server.md | 8 +- .../docs/servlet/oauth2/login.md | 6 +- ...k-permissions-by-claims-in-access-token.md | 8 +- ...source-server-support-on-behalf-of-flow.md | 8 +- .../client/src/main/resources/application.yml | 24 +- .../src/main/resources/application.yml | 12 +- .../src/main/resources/application.yml | 10 +- .../src/main/resources/application.yml | 10 +- .../client/src/main/resources/application.yml | 20 +- .../src/main/resources/application.yml | 10 +- .../src/main/resources/application.yml | 6 +- .../client/src/main/resources/application.yml | 16 +- .../src/main/resources/application.yml | 10 +- .../login/src/main/resources/application.yml | 14 +- .../client/src/main/resources/application.yml | 16 +- .../src/main/resources/application.yml | 10 +- .../client/src/main/resources/application.yml | 16 +- .../src/main/resources/application.yml | 14 +- .../src/main/resources/application.yml | 6 +- aad/spring-security/terraform/main.tf | 209 ++++++++++++++++++ aad/spring-security/terraform/outputs.tf | 47 ++++ aad/spring-security/terraform/setup_env.ps1 | 0 aad/spring-security/terraform/setup_env.sh | 23 ++ aad/spring-security/terraform/variables.tf | 24 ++ 26 files changed, 424 insertions(+), 121 deletions(-) create mode 100644 aad/spring-security/terraform/main.tf create mode 100644 aad/spring-security/terraform/outputs.tf create mode 100644 aad/spring-security/terraform/setup_env.ps1 create mode 100644 aad/spring-security/terraform/setup_env.sh create mode 100644 aad/spring-security/terraform/variables.tf diff --git a/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md b/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md index 73e743af0..adbd13f0d 100644 
--- a/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md +++ b/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md 
@@ -33,22 +33,22 @@ Get samples applications from in GitHub: [spring-cloud-gateway](../../../../reac # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant#create-a-new-azure-ad-tenant), create a new tenant. Get the tenant-id: **${TENANT-ID}**. +Read [document about creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant#create-a-new-azure-ad-tenant), create a new tenant. Get the tenant-id: **${TENANT_ID}**. ## 3.2. Add a new user Read [document about adding users](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory), add a new user: **user-1@${tenant-name}.com**. Get the user's password. ## 3.3. Register client-1 -Read [document about registering an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application named **client-1**. Get the client-id: **${CLIENT-1-CLIENT-ID}**. +Read [document about registering an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application named **client-1**. Get the client-id: **${CLIENT_1_CLIENT_ID}**. ## 3.4. Add a client secret for client-1 -Read [document about adding a client secret](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret), add a client secret. Get the client-secret value: **${CLIENT-1-CLIENT-SECRET}**. +Read [document about adding a client secret](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret), add a client secret. Get the client-secret value: **${CLIENT_1_CLIENT_SECRET}**. ## 3.5. 
Add a redirect URI for client-1 Read [document about adding a redirect URI](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-redirect-uri), add 2 redirect URIs: **http://localhost:8080/login/oauth2/code/client-1-resource-server-1**, **http://localhost:8080/login/oauth2/code/client-1-resource-server-2**. ## 3.6. Register resource-server-1 -Read [document about registering an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application named **resource-server-1**. Get the client-id: **${RESOURCE-SERVER-1-CLIENT-ID}**. +Read [document about registering an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application named **resource-server-1**. Get the client-id: **${RESOURCE_SERVER_1_CLIENT_ID}**. ## 3.7. Expose apis for resource-server-1 Read [document about exposing an api](https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-expose-web-apis), expose 2 scopes for resource-server-1: **resource-server-1.scope-1** and **resource-server-1.scope-2**, choose **Admins and users** for **Who can consent** option. 
@@ -57,7 +57,7 @@ Read [document about exposing an api](https://docs.microsoft.com/azure/active-di Read [document about Application manifest](https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), set `accessTokenAcceptedVersion` to `2`. ## 3.9. Register resource-server-2 -Read [document about registering an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application named **resource-server-2**. Get the client-id: **${RESOURCE-SERVER-2-CLIENT-ID}**. +Read [document about registering an application](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app), register an application named **resource-server-2**. Get the client-id: **${RESOURCE_SERVER_2_CLIENT_ID}**. ## 3.10. Expose apis for resource-server-2 Read [document about exposing an api](https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-expose-web-apis), expose 2 scopes for resource-server-2: **resource-server-2.scope-1** and **resource-server-2.scope-2**, choose **Admins and users** for **Who can consent** option. diff --git a/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md b/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md index dd941453a..feceffdf9 100644 --- a/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md +++ b/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md 
@@ -33,22 +33,22 @@ Get samples applications from in GitHub: [client-access-multiple-resource-server # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${tenant-id}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. ## 3.3. Register client-1 -Read [document about registering an application], register an application named **client-1**. Get the client-id: **${client-1-client-id}**. +Read [document about registering an application], register an application named **client-1**. Get the client-id: **${CLIENT_1_CLIENT_ID}**. ## 3.4. Add a client secret for client-1 -Read [document about adding a client secret], add a client secret. Get the client-secret value: **${client-1-client-secret}**. +Read [document about adding a client secret], add a client secret. Get the client-secret value: **${CLIENT_1_CLIENT_SECRET}**. ## 3.5. Add a redirect URI for client-1 Read [document about adding a redirect URI], add redirect URI: **http://localhost:8080/login/oauth2/code/**. ## 3.6. Register resource-server-1 -Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${resource-server-1-client-id}**. +Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${RESOURCE_SERVER_1_CLIENT_ID}**. ## 3.7. Expose apis for resource-server-1 Read [document about exposing an api], expose 2 scopes for resource-server-1: **resource-server-1.scope-1** and **resource-server-1.scope-2**, choose **Admins and users** for **Who can consent** option. 
diff --git a/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md b/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md index 36a84af17..84e2eca48 100644 --- a/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md +++ b/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md 
@@ -33,22 +33,22 @@ Get samples applications from in GitHub: [client-access-resource-server]. # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${tenant-id}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. ## 3.3. Register client-1 -Read [document about registering an application], register an application named **client-1**. Get the client-id: **${client-1-client-id}**. +Read [document about registering an application], register an application named **client-1**. Get the client-id: **${CLIENT_1_CLIENT_ID}**. ## 3.4. Add a client secret for client-1 -Read [document about adding a client secret], add a client secret. Get the client-secret value: **${client-1-client-secret}**. +Read [document about adding a client secret], add a client secret. Get the client-secret value: **${CLIENT_1_CLIENT_SECRET}**. ## 3.5. Add a redirect URI for client-1 Read [document about adding a redirect URI], add redirect URI: **http://localhost:8080/login/oauth2/code/**. ## 3.6. Register resource-server-1 -Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${resource-server-1-client-id}**. +Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${RESOURCE_SERVER_1_CLIENT_ID}**. ## 3.7. Expose apis for resource-server-1 Read [document about exposing an api], expose 2 scopes for resource-server-1: **resource-server-1.scope-1** and **resource-server-1.scope-2**, choose **Admins and users** for **Who can consent** option. diff --git a/aad/spring-security/docs/servlet/oauth2/login.md b/aad/spring-security/docs/servlet/oauth2/login.md index 67eefa2db..592f65694 100644 
--- a/aad/spring-security/docs/servlet/oauth2/login.md +++ b/aad/spring-security/docs/servlet/oauth2/login.md @@ -27,16 +27,16 @@ Get samples applications from in GitHub: [login]. # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${tenant-id}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. ## 3.3. Register client-1 -Read [document about registering an application], register an application named **client-1**. Get the client-id: **${client-1-client-id}**. +Read [document about registering an application], register an application named **client-1**. Get the client-id: **${CLIENT_1_CLIENT_ID}**. ## 3.4. Add a client secret for client-1 -Read [document about adding a client secret], add a client secret. Get the client-secret value: **${client-1-client-secret}**. +Read [document about adding a client secret], add a client secret. Get the client-secret value: **${CLIENT_1_CLIENT_SECRET}**. ## 3.5. Add a redirect URI for client-1 Read [document about adding a redirect URI], add redirect URI: **http://localhost:8080/login/oauth2/code/**. diff --git a/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md b/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md index eec10b97e..a039b2ff3 100644 --- a/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md +++ b/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md 
@@ -35,22 +35,22 @@ Get samples applications from in GitHub: [resource-server-check-permissions-by-c # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${tenant-id}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. ## 3.3. Register client-1 -Read [document about registering an application], register an application named **client-1**. Get the client-id: **${client-1-client-id}**. +Read [document about registering an application], register an application named **client-1**. Get the client-id: **${CLIENT_1_CLIENT_ID}**. ## 3.4. Add a client secret for client-1 -Read [document about adding a client secret], add a client secret. Get the client-secret value: **${client-1-client-secret}**. +Read [document about adding a client secret], add a client secret. Get the client-secret value: **${CLIENT_1_CLIENT_SECRET}**. ## 3.5. Add a redirect URI for client-1 Read [document about adding a redirect URI], add redirect URI: **http://localhost:8080/login/oauth2/code/**. ## 3.6. Register resource-server-1 -Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${resource-server-1-client-id}**. +Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${RESOURCE_SERVER_1_CLIENT_ID}**. ## 3.7. Expose apis for resource-server-1 Read [document about exposing an api], expose 2 scopes for resource-server-1: **resource-server-1.scope-1** and **resource-server-1.scope-2**, choose **Admins and users** for **Who can consent** option. 
diff --git a/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md b/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md index 460bf3b87..0a1cb41a3 100644 --- a/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md +++ b/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md 
@@ -40,22 +40,22 @@ Get samples applications from in GitHub: [resource-server-support-on-behalf-of-f # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${tenant-id}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. ## 3.3. Register client-1 -Read [document about registering an application], register an application named **client-1**. Get the client-id: **${client-1-client-id}**. +Read [document about registering an application], register an application named **client-1**. Get the client-id: **${CLIENT_1_CLIENT_ID}**. ## 3.4. Add a client secret for client-1 -Read [document about adding a client secret], add a client secret. Get the client-secret value: **${client-1-client-secret}**. +Read [document about adding a client secret], add a client secret. Get the client-secret value: **${CLIENT_1_CLIENT_SECRET}**. ## 3.5. Add a redirect URI for client-1 Read [document about adding a redirect URI], add redirect URI: **http://localhost:8080/login/oauth2/code/**. ## 3.6. Register resource-server-1 -Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${resource-server-1-client-id}**. +Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${RESOURCE_SERVER_1_CLIENT_ID}**. ## 3.7. Add a client secret for resource-server-1 Read [document about adding a client secret], add a client secret. Get the client-secret value: **${resource-server-1-client-secret}**. 
diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/client/src/main/resources/application.yml b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/client/src/main/resources/application.yml index 3406730fb..c14e17540 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/client/src/main/resources/application.yml +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/client/src/main/resources/application.yml @@ -1,9 +1,9 @@ # Please fill these placeholders before running this application: -# 1. ${TENANT-ID} -# 2. ${CLIENT-1-CLIENT-ID} -# 3. ${CLIENT-1-CLIENT-SECRET} -# 4. ${RESOURCE-SERVER-1-CLIENT-ID} -# 5. ${RESOURCE-SERVER-2-CLIENT-ID} +# 1. ${TENANT_ID} +# 2. ${CLIENT_1_CLIENT_ID} +# 3. ${CLIENT_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} +# 5. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: 
@@ -16,20 +16,20 @@ spring: client: provider: # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-common-oauth2-provider azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${TENANT-ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration user-name-attribute: name registration: client-1-resource-server-1: provider: azure-active-directory client-name: client-1-resource-server-1 - client-id: ${CLIENT-1-CLIENT-ID} - client-secret: ${CLIENT-1-CLIENT-SECRET} - scope: api://${RESOURCE-SERVER-1-CLIENT-ID}/resource-server-1.scope-1 + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} + scope: api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-1 client-1-resource-server-2: provider: azure-active-directory client-name: client-1-resource-server-2 - client-id: ${CLIENT-1-CLIENT-ID} - client-secret: ${CLIENT-1-CLIENT-SECRET} - scope: api://${RESOURCE-SERVER-2-CLIENT-ID}/resource-server-2.scope-1 + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} + scope: api://${RESOURCE_SERVER_2_CLIENT_ID}/resource-server-2.scope-1 profiles: active: develop diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/gateway/src/main/resources/application.yml b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/gateway/src/main/resources/application.yml index d66ee190f..3fa0ec97f 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/gateway/src/main/resources/application.yml +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/gateway/src/main/resources/application.yml 
@@ -1,7 +1,7 @@ # Please fill these placeholders before running this application: -# 1. ${TENANT-ID} -# 4. ${RESOURCE-SERVER-1-CLIENT-ID} -# 5. ${RESOURCE-SERVER-2-CLIENT-ID} +# 1. ${TENANT_ID} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} +# 5. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: @@ -26,8 +26,8 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${TENANT-ID}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${TENANT-ID}/v2.0 - audiences: ${RESOURCE-SERVER-1-CLIENT-ID}, ${RESOURCE-SERVER-2-CLIENT-ID} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audiences: ${RESOURCE_SERVER_1_CLIENT_ID}, ${RESOURCE_SERVER_2_CLIENT_ID} profiles: active: develop diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-1/src/main/resources/application.yml b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-1/src/main/resources/application.yml index 16d9a9986..ae4cd6424 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-1/src/main/resources/application.yml +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-1/src/main/resources/application.yml @@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: -# 1. ${TENANT-ID} -# 2. ${RESOURCE-SERVER-1-CLIENT-ID} +# 1. ${TENANT_ID} +# 2. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: 
@@ -12,8 +12,8 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${TENANT-ID}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${TENANT-ID}/v2.0 - audiences: ${RESOURCE-SERVER-1-CLIENT-ID} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audiences: ${RESOURCE_SERVER_1_CLIENT_ID} profiles: active: develop diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-2/src/main/resources/application.yml b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-2/src/main/resources/application.yml index a617cfdd2..f4a1e0ada 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-2/src/main/resources/application.yml +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/resource-server-2/src/main/resources/application.yml @@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: -# 1. ${TENANT-ID} -# 2. ${RESOURCE-SERVER-2-CLIENT-ID} +# 1. ${TENANT_ID} +# 2. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: @@ -12,8 +12,8 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${TENANT-ID}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${TENANT-ID}/v2.0 - audiences: ${RESOURCE-SERVER-2-CLIENT-ID} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audiences: ${RESOURCE_SERVER_2_CLIENT_ID} profiles: active: develop diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml index 0fdb69b9f..a4dc73d4d 100644 
--- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml @@ -1,8 +1,8 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${client-1-client-id} -# 3. ${client-1-client-secret} -# 4. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${CLIENT_1_CLIENT_ID} +# 3. ${CLIENT_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} # 5. ${resource-server-2-client-id} logging: 
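Review bot: The placeholder rename is incomplete in this file: `# 5. ${resource-server-2-client-id}` on this hunk and `scope: openid, profile, api://${resource-server-2-client-id}/resource-server-2.scope-1` in the following `@@ -16,21 +16,21 @@` hunk keep the old lower-case name, as do `# 2. ${resource-server-2-client-id}` and `audience: ${resource-server-2-client-id}` in the resource-server-2 application.yml of the same sample further down. If the new setup scripts export `RESOURCE_SERVER_2_CLIENT_ID` the way the spring-cloud-gateway sample's application.yml now expects, these placeholders will stay unresolved and Spring will refuse to start. Unless resource-server-2 is deliberately left to manual configuration, rename them to `${RESOURCE_SERVER_2_CLIENT_ID}` so the five samples agree.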
@@ -16,21 +16,21 @@ spring: client: provider: # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-common-oauth2-provider azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration user-name-attribute: name registration: client-1-resource-server-1: provider: azure-active-directory client-name: client-1-resource-server-1 - client-id: ${client-1-client-id} - client-secret: ${client-1-client-secret} - scope: openid, profile, api://${resource-server-1-client-id}/resource-server-1.scope-1 # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} + scope: openid, profile, api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-1 # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes redirect-uri: http://localhost:8080/login/oauth2/code/ client-1-resource-server-2: provider: azure-active-directory client-name: client-1-resource-server-2 - client-id: ${client-1-client-id} - client-secret: ${client-1-client-secret} + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} scope: openid, profile, api://${resource-server-2-client-id}/resource-server-2.scope-1 # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes redirect-uri: http://localhost:8080/login/oauth2/code/ profiles: 
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-1/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-1/src/main/resources/application.yml index 6ce0ddb6c..611491f16 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-1/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-1/src/main/resources/application.yml @@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: @@ -12,6 +12,6 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${tenant-id}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 - audience: ${resource-server-1-client-id} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audience: ${RESOURCE_SERVER_1_CLIENT_ID} diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml index 33386397e..2d9fdf090 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml @@ -1,5 +1,5 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} +# 1. ${TENANT_ID} # 2. ${resource-server-2-client-id} logging: 
@@ -12,6 +12,6 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${tenant-id}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 audience: ${resource-server-2-client-id} diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/client/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-resource-server/client/src/main/resources/application.yml index 103320817..4ae27bfdd 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/client/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/client/src/main/resources/application.yml @@ -1,8 +1,8 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${client-1-client-id} -# 3. ${client-1-client-secret} -# 4. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${CLIENT_1_CLIENT_ID} +# 3. ${CLIENT_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: 
@@ -15,12 +15,12 @@ spring: client: provider: # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-common-oauth2-provider azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration user-name-attribute: name registration: client-1-resource-server-1: provider: azure-active-directory - client-id: ${client-1-client-id} - client-secret: ${client-1-client-secret} - scope: openid, profile, offline_access, api://${resource-server-1-client-id}/resource-server-1.scope-1, # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} + scope: openid, profile, offline_access, api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-1, # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes redirect-uri: http://localhost:8080/login/oauth2/code/ diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/resource-server/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-resource-server/resource-server/src/main/resources/application.yml index 6ce0ddb6c..611491f16 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/resource-server/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/resource-server/src/main/resources/application.yml 
@@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: @@ -12,6 +12,6 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${tenant-id}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 - audience: ${resource-server-1-client-id} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audience: ${RESOURCE_SERVER_1_CLIENT_ID} diff --git a/aad/spring-security/servlet/oauth2/login/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/login/src/main/resources/application.yml index 04d2b3d8f..babd0f3c8 100644 --- a/aad/spring-security/servlet/oauth2/login/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/login/src/main/resources/application.yml @@ -1,8 +1,8 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${client-1-client-id} -# 3. ${client-1-client-secret} -# 4. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${CLIENT_1_CLIENT_ID} +# 3. ${CLIENT_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: 
@@ -15,12 +15,12 @@ spring: client: provider: # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-common-oauth2-provider azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration registration: client-1: provider: azure-active-directory - client-id: ${client-1-client-id} - client-secret: ${client-1-client-secret} + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} scope: openid, profile redirect-uri: http://localhost:8080/login/oauth2/code/ profiles: diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/client/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/client/src/main/resources/application.yml index 103320817..4ae27bfdd 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/client/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/client/src/main/resources/application.yml @@ -1,8 +1,8 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${client-1-client-id} -# 3. ${client-1-client-secret} -# 4. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${CLIENT_1_CLIENT_ID} +# 3. ${CLIENT_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: 
@@ -15,12 +15,12 @@ spring: client: provider: # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-common-oauth2-provider azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration user-name-attribute: name registration: client-1-resource-server-1: provider: azure-active-directory - client-id: ${client-1-client-id} - client-secret: ${client-1-client-secret} - scope: openid, profile, offline_access, api://${resource-server-1-client-id}/resource-server-1.scope-1, # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} + scope: openid, profile, offline_access, api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-1, # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes redirect-uri: http://localhost:8080/login/oauth2/code/ diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/resource-server/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/resource-server/src/main/resources/application.yml index 6ce0ddb6c..611491f16 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/resource-server/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/resource-server/src/main/resources/application.yml 
@@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: @@ -12,6 +12,6 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${tenant-id}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 - audience: ${resource-server-1-client-id} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audience: ${RESOURCE_SERVER_1_CLIENT_ID} diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/client/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/client/src/main/resources/application.yml index 103320817..4ae27bfdd 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/client/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/client/src/main/resources/application.yml @@ -1,8 +1,8 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${client-1-client-id} -# 3. ${client-1-client-secret} -# 4. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${CLIENT_1_CLIENT_ID} +# 3. ${CLIENT_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_1_CLIENT_ID} logging: level: 
@@ -15,12 +15,12 @@ spring: client: provider: # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-common-oauth2-provider azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration user-name-attribute: name registration: client-1-resource-server-1: provider: azure-active-directory - client-id: ${client-1-client-id} - client-secret: ${client-1-client-secret} - scope: openid, profile, offline_access, api://${resource-server-1-client-id}/resource-server-1.scope-1, # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes + client-id: ${CLIENT_1_CLIENT_ID} + client-secret: ${CLIENT_1_CLIENT_SECRET} + scope: openid, profile, offline_access, api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-1, # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes redirect-uri: http://localhost:8080/login/oauth2/code/ diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml index 9acaf9a60..552b6ca59 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml 
@@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} -# 2. ${resource-server-1-client-id} +# 1. ${TENANT_ID} +# 2. ${RESOURCE_SERVER_1_CLIENT_ID} # 3. ${resource-server-1-client-secret} # 4. ${resource-server-2-client-id} @@ -15,16 +15,16 @@ spring: client: provider: azure-active-directory: - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 # Refs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-openid-provider-configuration registration: resource-server-1-resource-server-2: provider: azure-active-directory - client-id: ${resource-server-1-client-id} + client-id: ${RESOURCE_SERVER_1_CLIENT_ID} client-secret: ${resource-server-1-client-secret} authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer scope: api://${resource-server-2-client-id}/resource-server-2.scope-1 resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${tenant-id}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 - audience: ${resource-server-1-client-id} + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 + audience: ${RESOURCE_SERVER_1_CLIENT_ID} diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml index 33386397e..2d9fdf090 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml 
+++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml @@ -1,5 +1,5 @@ # Please fill these placeholders before running this application: -# 1. ${tenant-id} +# 1. ${TENANT_ID} # 2. ${resource-server-2-client-id} logging: @@ -12,6 +12,6 @@ spring: oauth2: resourceserver: jwt: - jwk-set-uri: https://login.microsoftonline.com/${tenant-id}/discovery/v2.0/keys - issuer-uri: https://login.microsoftonline.com/${tenant-id}/v2.0 + jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys + issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 audience: ${resource-server-2-client-id} diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf new file mode 100644 index 000000000..5c88ebcb7 --- /dev/null +++ b/aad/spring-security/terraform/main.tf 
@@ -0,0 +1,209 @@
+terraform {
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 2.15.0"
+ }
+ }
+}
+
+data "azuread_client_config" "current" {}
+
+# Configure the Azure Active Directory Provider
+provider "azuread" {
+ tenant_id = var.tenant_id
+}
+
+
+# Configure client-1
+resource "azuread_application" "client-1" {
+ display_name = "client-1"
+
+ owners = [data.azuread_client_config.current.object_id]
+ # single tenant
+ sign_in_audience = "AzureADMyOrg"
+
+ api {
+ requested_access_token_version = 2
+ }
+
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ type = "Scope"
+ }
+ }
+
+ web {
+ redirect_uris = ["http://localhost:8080/login/oauth2/code/",
+ "http://localhost:8080/login/oauth2/code/client-1-resource-server-1",
+ "http://localhost:8080/login/oauth2/code/client-1-resource-server-2"]
+
+ implicit_grant {
+ access_token_issuance_enabled = true
+ id_token_issuance_enabled = true
+ }
+ }
+}
+
+
+# Configure resource-server-2
+resource "azuread_application" "resource-server-2" {
+ display_name = "resource-server-2"
+ # identifier_uris = [data.azuread_application.resource-server-2.application_id]
+
+ owners = [data.azuread_client_config.current.object_id]
+ # single tenant
+ sign_in_audience = "AzureADMyOrg"
+
+ api {
+ requested_access_token_version = 2
+
+ oauth2_permission_scope {
+ admin_consent_description = "resource-server-2.scope-1"
+ admin_consent_display_name = "resource-server-2.scope-1"
+ enabled = true
+ id = "96183846-204b-4b43-82e1-5d2222eb4b9b"
+ type = "User"
+ value = "resource-server-2.scope-1"
+ }
+
+ oauth2_permission_scope {
+ admin_consent_description = "resource-server-2.scope-2"
+ admin_consent_display_name = "resource-server-2.scope-2"
+ enabled = true
+ id = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc"
+ type = "User"
+ value = "resource-server-2.scope-2"
+ }
+ }
+
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ type = "Scope"
+ }
+ }
+}
+
+
+# Configure resource-server-1
+resource "azuread_application" "resource-server-1" {
+ display_name = "resource-server-1"
+
+ owners = [data.azuread_client_config.current.object_id]
+ # single tenant
+ sign_in_audience = "AzureADMyOrg"
+
+ api {
+ requested_access_token_version = 2
+
+ oauth2_permission_scope {
+ admin_consent_description = "resource-server-1.scope-1"
+ admin_consent_display_name = "resource-server-1.scope-1"
+ enabled = true
+ id = "96183846-201b-4a43-82e1-5d2222eb4b9b"
+ type = "User"
+ value = "resource-server-1.scope-1"
+ }
+
+ oauth2_permission_scope {
+ admin_consent_description = "resource-server-1.scope-2"
+ admin_consent_display_name = "resource-server-1.scope-2"
+ enabled = true
+ id = "be98fa3e-ab5d-4b11-83d9-04ba9b7946bc"
+ type = "User"
+ value = "resource-server-1.scope-2"
+ }
+ }
+
+ app_role {
+ allowed_member_types = ["User"]
+ description = "resource-server-1-role-2"
+ display_name = "resource-server-1-role-2"
+ enabled = true
+ id = "1b19509b-32b1-4e9f-b73d-4992aa991967"
+ value = "resource-server-1-role-2"
+ }
+
+ app_role {
+ allowed_member_types = ["User"]
+ description = "resource-server-1-role-1"
+ display_name = "resource-server-1-role-1"
+ enabled = true
+ id = "497406e4-912a-4267-bf18-45a1cb148a01"
+ value = "resource-server-1-role-1"
+ }
+
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ type = "Scope"
+ }
+ }
+
+ required_resource_access {
+ resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2
+
+ resource_access {
+ id = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc" # resource-server-2.scope-2
+ type = "Scope"
+ }
+ }
+
+ web {
+ redirect_uris = ["http://localhost:8080/login/oauth2/code/"]
+ }
+}
+
+
+resource "azuread_service_principal" "client-1" {
+ application_id = azuread_application.client-1.application_id
+ app_role_assignment_required = false
+ owners = [data.azuread_client_config.current.object_id]
+}
+
+resource "azuread_service_principal" "resource-server-1" {
+ application_id = azuread_application.resource-server-1.application_id
+ app_role_assignment_required = false
+ owners = [data.azuread_client_config.current.object_id]
+}
+
+resource "azuread_service_principal" "resource-server-2" {
+ application_id = azuread_application.resource-server-2.application_id
+ app_role_assignment_required = false
+ owners = [data.azuread_client_config.current.object_id]
+}
+
+
+
+resource "azuread_application_password" "client-1" {
+ application_object_id = azuread_application.client-1.object_id
+}
+
+
+resource "azuread_application_password" "resource-server-1" {
+ application_object_id = azuread_application.resource-server-1.object_id
+}
+
+
+
+
+# Retrieve domain information
+data "azuread_domains" "example" {
+ only_initial = true
+}
+
+# Create a user
+resource "azuread_user" "newuser" {
+ user_principal_name = "security@${data.azuread_domains.example.domains.0.domain_name}"
+ display_name = "security"
+ password = "Ms@123456"
+}
+
diff --git a/aad/spring-security/terraform/outputs.tf b/aad/spring-security/terraform/outputs.tf
new file mode 100644
index 000000000..8aeb2263f
--- /dev/null
+++ b/aad/spring-security/terraform/outputs.tf
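Review bot: `azuread_user.newuser` at the end of the hunk sets `password = "Ms@123456"`, a fixed credential for a real directory user committed to the repository; marking the `newuser_password` output `sensitive` in outputs.tf does not help while the value is readable in source. Generate it with a `random_password` resource instead (the `hashicorp/random` provider has to be added to `required_providers`, as a later commit on this page does for `random_uuid`) and read it only through the output. Separately, the `client-1` application enables `implicit_grant` with both `access_token_issuance_enabled` and `id_token_issuance_enabled` set to `true`, although its redirect URIs are the `/login/oauth2/code/` authorization-code endpoints that the samples use together with `azuread_application_password.client-1`; unless one of the samples relies on implicit flow, remove the `implicit_grant` block so tokens cannot be issued to those URIs in the URL fragment. A header comment naming the three applications and how they call each other (client-1 → resource-server-1 → resource-server-2) would also help readers who reproduce the registrations by hand.
```terraform
# … unchanged: providers, applications, service principals, domains …

resource "random_password" "newuser" {
  length  = 16
  special = true
}

# Create a user
resource "azuread_user" "newuser" {
  # … unchanged: user_principal_name, display_name …
  password = random_password.newuser.result
}
```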
@@ -0,0 +1,47 @@
+
+
+
+#CLIENT-1-CLIENT-ID
+#CLIENT-1-CLIENT-SECRET
+#RESOURCE-SERVER-1-CLIENT-ID
+#RESOURCE-SERVER-1-CLIENT-SECRET
+#RESOURCE-SERVER-2-CLIENT-ID
+#TENANT-ID
+#user.email
+#user.password
+
+
+output "TENANT_ID" {
+ value = var.tenant_id
+}
+
+output "CLIENT_1_CLIENT_ID" {
+ value = azuread_application.client-1.application_id
+}
+
+output "RESOURCE_SERVER_1_CLIENT_ID" {
+ value = azuread_application.resource-server-1.application_id
+}
+
+output "RESOURCE_SERVER_2_CLIENT_ID" {
+ value = azuread_application.resource-server-2.application_id
+}
+
+output "CLIENT_1_CLIENT_SECRET" {
+ value = azuread_application_password.client-1.value
+ sensitive = true
+}
+
+output "RESOURCE_SERVER_1_CLIENT_SECRET" {
+ value = azuread_application_password.resource-server-1.value
+ sensitive = true
+}
+
+output "newuser_password" {
+ value = azuread_user.newuser.password
+ sensitive = true
+}
+
+output "newuser_user_principal_name" {
+ value = azuread_user.newuser.user_principal_name
+}
\ No newline at end of file
diff --git a/aad/spring-security/terraform/setup_env.ps1 b/aad/spring-security/terraform/setup_env.ps1
new file mode 100644
index 000000000..e69de29bb
diff --git a/aad/spring-security/terraform/setup_env.sh b/aad/spring-security/terraform/setup_env.sh
new file mode 100644
index 000000000..7c803a0f6
--- /dev/null
+++ b/aad/spring-security/terraform/setup_env.sh
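Review bot: The comment block at the top of the file lists names (`#CLIENT-1-CLIENT-ID`, `#TENANT-ID`, `#user.email`, `#user.password`) that match none of the outputs declared below, whose names are `CLIENT_1_CLIENT_ID`, `TENANT_ID`, `newuser_user_principal_name` and `newuser_password`; it reads as a leftover plan and will mislead anyone grepping for the hyphenated names. Replace it with a comment that says what the file is for, e.g. `# Values consumed by setup_env.sh; the *_SECRET and newuser_password outputs are sensitive and only readable via 'terraform output -raw <NAME>'.` The three blank lines ahead of it can go at the same time.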
@@ -0,0 +1,23 @@
+
+export TENANT_ID=$(terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+
+
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
+
+
+
+
+
+
+
diff --git a/aad/spring-security/terraform/variables.tf b/aad/spring-security/terraform/variables.tf
new file mode 100644
index 000000000..b81217171
--- /dev/null
+++ b/aad/spring-security/terraform/variables.tf
@@ -0,0 +1,24 @@
+variable "application_name" {
+ type = string
+ description = "The name of your application."
+ default = "keyvault"
+}
+
+variable "location" {
+ type = string
+ description = "The Azure region where all resources in this example should be created."
+ default = "eastus"
+}
+
+variable "sample_tag_value" {
+ type = string
+ description = "The value of spring-cloud-azure-sample tag."
+ default = "true"
+}
+
+# 308df08a-1332-4a15-bb06-2ad7e8b71bcf
+variable "tenant_id" {
+ type = string
+ description = "The tenant id."
+ default = "308df08a-1332-4a15-bb06-2ad7e8b71bcf"
+}
\ No newline at end of file
From 5a93358eb69bf01f5a68083bab21062c3a2f3bae Mon Sep 17 00:00:00 2001
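Review bot: The last two `echo` lines print `CLIENT_1_CLIENT_SECRET` and `RESOURCE_SERVER_1_CLIENT_SECRET` in clear text, so the values that outputs.tf marks `sensitive` end up in terminal scrollback and in any CI log that sources this script. Keep the `export` lines and either drop those two echoes or print a fixed marker instead of the value, e.g. `echo "CLIENT_1_CLIENT_SECRET=<set>"`. The file has no shebang and its exports only reach the caller's shell when it is sourced, so a header comment such as `# Usage: source ./setup_env.sh  (run in the terraform directory after 'terraform apply')` would stop people running it as `./setup_env.sh` and losing the variables. The companion `setup_env.ps1` is added as an empty file in this commit, presumably as a placeholder.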
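Review bot: `tenant_id` carries a concrete tenant GUID as its `default` (repeated in the comment above it), so anyone who runs `terraform apply` without `-var tenant_id=...` targets that specific tenant rather than their own. Remove the `default` and the comment so Terraform prompts for the value or takes it from `TF_VAR_tenant_id`; a tenant id is not a secret, but a sample should not silently point at one particular tenant. The `application_name`, `location` and `sample_tag_value` variables are not referenced by the `main.tf` added in this commit, and `application_name` defaulting to `keyvault` looks copied from another sample; drop them or say in their `description` what they are reserved for.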
From: zhihaoguo Date: Fri, 11 Mar 2022 14:27:46 +0800 Subject: [PATCH 03/38] - update scripts with random_uuid - add support for grant consent --- .../client-access-multiple-resource-server.md | 2 +- ...source-server-support-on-behalf-of-flow.md | 4 +- .../client/src/main/resources/application.yml | 4 +- .../src/main/resources/application.yml | 4 +- .../src/main/resources/application.yml | 8 ++-- .../src/main/resources/application.yml | 4 +- aad/spring-security/terraform/main.tf | 44 ++++++++++++++++--- 7 files changed, 50 insertions(+), 20 deletions(-) diff --git a/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md b/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md index feceffdf9..b0cbc759f 100644 --- a/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md +++ b/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md @@ -57,7 +57,7 @@ Read [document about exposing an api], expose 2 scopes for resource-server-1: ** Read [document about Application manifest], set `accessTokenAcceptedVersion` to `2`. ## 3.9. Register resource-server-2 -Read [document about registering an application], register an application named **resource-server-2**. Get the client-id: **${resource-server-2-client-id}**. +Read [document about registering an application], register an application named **resource-server-2**. Get the client-id: **${RESOURCE_SERVER_2_CLIENT_ID}**. ## 3.10. Expose apis for resource-server-2 Read [document about exposing an api], expose 2 scopes for resource-server-2: **resource-server-2.scope-1** and **resource-server-2.scope-2**, choose **Admins and users** for **Who can consent** option. diff --git a/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md b/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md index 0a1cb41a3..73d34b49a 100644 
--- a/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md +++ b/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md @@ -58,7 +58,7 @@ Read [document about adding a redirect URI], add redirect URI: **http://localhos Read [document about registering an application], register an application named **resource-server-1**. Get the client-id: **${RESOURCE_SERVER_1_CLIENT_ID}**. ## 3.7. Add a client secret for resource-server-1 -Read [document about adding a client secret], add a client secret. Get the client-secret value: **${resource-server-1-client-secret}**. +Read [document about adding a client secret], add a client secret. Get the client-secret value: **${RESOURCE_SERVER_1_CLIENT_SECRET}**. ## 3.8. Add a redirect URI for resource-server-1 Read [document about adding a redirect URI], add redirect URI: **http://localhost:8080/login/oauth2/code/**. @@ -70,7 +70,7 @@ Read [document about exposing an api], expose 2 scopes for resource-server-1: ** Read [document about Application manifest], set `accessTokenAcceptedVersion` to `2`. ## 3.11. Register resource-server-2 -Read [document about registering an application], register an application named **resource-server-2**. Get the client-id: **${resource-server-2-client-id}**. +Read [document about registering an application], register an application named **resource-server-2**. Get the client-id: **${RESOURCE_SERVER_2_CLIENT_ID}**. ## 3.12. Expose apis for resource-server-2 Read [document about exposing an api], expose 2 scopes for resource-server-2: **resource-server-2.scope-1** and **resource-server-2.scope-2**, choose **Admins and users** for **Who can consent** option. diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml index a4dc73d4d..1ab9538d3 100644 
--- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/client/src/main/resources/application.yml @@ -3,7 +3,7 @@ # 2. ${CLIENT_1_CLIENT_ID} # 3. ${CLIENT_1_CLIENT_SECRET} # 4. ${RESOURCE_SERVER_1_CLIENT_ID} -# 5. ${resource-server-2-client-id} +# 5. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: @@ -31,7 +31,7 @@ spring: client-name: client-1-resource-server-2 client-id: ${CLIENT_1_CLIENT_ID} client-secret: ${CLIENT_1_CLIENT_SECRET} - scope: openid, profile, api://${resource-server-2-client-id}/resource-server-2.scope-1 # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes + scope: openid, profile, api://${RESOURCE_SERVER_2_CLIENT_ID}/resource-server-2.scope-1 # Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes redirect-uri: http://localhost:8080/login/oauth2/code/ profiles: active: develop diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml index 2d9fdf090..0f4c1cb8f 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/resource-server-2/src/main/resources/application.yml @@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: # 1. ${TENANT_ID} -# 2. ${resource-server-2-client-id} +# 2. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: 
@@ -14,4 +14,4 @@ spring: jwt: jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 - audience: ${resource-server-2-client-id} + audience: ${RESOURCE_SERVER_2_CLIENT_ID} diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml index 552b6ca59..70445d6f2 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-1/src/main/resources/application.yml @@ -1,8 +1,8 @@ # Please fill these placeholders before running this application: # 1. ${TENANT_ID} # 2. ${RESOURCE_SERVER_1_CLIENT_ID} -# 3. ${resource-server-1-client-secret} -# 4. ${resource-server-2-client-id} +# 3. ${RESOURCE_SERVER_1_CLIENT_SECRET} +# 4. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: @@ -20,9 +20,9 @@ spring: resource-server-1-resource-server-2: provider: azure-active-directory client-id: ${RESOURCE_SERVER_1_CLIENT_ID} - client-secret: ${resource-server-1-client-secret} + client-secret: ${RESOURCE_SERVER_1_CLIENT_SECRET} authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer - scope: api://${resource-server-2-client-id}/resource-server-2.scope-1 + scope: api://${RESOURCE_SERVER_2_CLIENT_ID}/resource-server-2.scope-1 resourceserver: jwt: jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys 
diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml index 2d9fdf090..0f4c1cb8f 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/resource-server-2/src/main/resources/application.yml @@ -1,6 +1,6 @@ # Please fill these placeholders before running this application: # 1. ${TENANT_ID} -# 2. ${resource-server-2-client-id} +# 2. ${RESOURCE_SERVER_2_CLIENT_ID} logging: level: @@ -14,4 +14,4 @@ spring: jwt: jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0 - audience: ${resource-server-2-client-id} + audience: ${RESOURCE_SERVER_2_CLIENT_ID} diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index 5c88ebcb7..cdeb43f17 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -4,9 +4,31 @@ terraform { source = "hashicorp/azuread" version = "~> 2.15.0" } + random = { + source = "hashicorp/random" + version = "3.1.0" + } } } +resource "random_uuid" "resource-server-1-scope-1" { +} + +resource "random_uuid" "resource-server-1-scope-2" { +} + +resource "random_uuid" "resource-server-2-scope-1" { +} + +resource "random_uuid" "resource-server-2-scope-2" { +} + +resource "random_uuid" "resource-server-1-role-1" { +} + +resource "random_uuid" "resource-server-1-role-2" { +} + data "azuread_client_config" "current" {} # Configure the Azure Active Directory Provider 
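Review bot: In the main.tf hunk, `random` is pinned to the exact `version = "3.1.0"` while `azuread` uses the pessimistic `~> 2.15.0`; `~> 3.1.0` would be consistent unless an exact pin is intended. The six `random_uuid` resources carry no comment saying what they are for; a one-liner above them such as `# GUIDs for the oauth2_permission_scope and app_role ids below, generated once and kept in state` would explain why the hard-coded GUIDs from the earlier commit on this page were replaced.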
@@ -51,6 +73,7 @@ resource "azuread_application" "client-1" { # Configure resource-server-2 resource "azuread_application" "resource-server-2" { + identifier_uris = ["api://resource-2"] display_name = "resource-server-2" # identifier_uris = [data.azuread_application.resource-server-2.application_id] @@ -65,7 +88,7 @@ resource "azuread_application" "resource-server-2" { admin_consent_description = "resource-server-2.scope-1" admin_consent_display_name = "resource-server-2.scope-1" enabled = true - id = "96183846-204b-4b43-82e1-5d2222eb4b9b" + id = "${random_uuid.resource-server-2-scope-1.result}" type = "User" value = "resource-server-2.scope-1" } @@ -74,7 +97,7 @@ resource "azuread_application" "resource-server-2" { admin_consent_description = "resource-server-2.scope-2" admin_consent_display_name = "resource-server-2.scope-2" enabled = true - id = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc" + id = "${random_uuid.resource-server-2-scope-2.result}" type = "User" value = "resource-server-2.scope-2" } @@ -94,6 +117,7 @@ resource "azuread_application" "resource-server-2" { # Configure resource-server-1 resource "azuread_application" "resource-server-1" { display_name = "resource-server-1" + identifier_uris = ["api://resource-1"] owners = [data.azuread_client_config.current.object_id] # single tenant @@ -106,7 +130,7 @@ resource "azuread_application" "resource-server-1" { admin_consent_description = "resource-server-1.scope-1" admin_consent_display_name = "resource-server-1.scope-1" enabled = true - id = "96183846-201b-4a43-82e1-5d2222eb4b9b" + id = "${random_uuid.resource-server-1-scope-1.result}" type = "User" value = "resource-server-1.scope-1" } 
@@ -115,7 +139,7 @@ resource "azuread_application" "resource-server-1" { admin_consent_description = "resource-server-1.scope-2" admin_consent_display_name = "resource-server-1.scope-2" enabled = true - id = "be98fa3e-ab5d-4b11-83d9-04ba9b7946bc" + id = "${random_uuid.resource-server-1-scope-2.result}" type = "User" value = "resource-server-1.scope-2" } @@ -126,7 +150,7 @@ resource "azuread_application" "resource-server-1" { description = "resource-server-1-role-2" display_name = "resource-server-1-role-2" enabled = true - id = "1b19509b-32b1-4e9f-b73d-4992aa991967" + id = "${random_uuid.resource-server-1-role-2.result}" value = "resource-server-1-role-2" } @@ -135,7 +159,7 @@ resource "azuread_application" "resource-server-1" { description = "resource-server-1-role-1" display_name = "resource-server-1-role-1" enabled = true - id = "497406e4-912a-4267-bf18-45a1cb148a01" + id = "${random_uuid.resource-server-1-role-1.result}" value = "resource-server-1-role-1" } @@ -151,8 +175,9 @@ resource "azuread_application" "resource-server-1" { required_resource_access { resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 + # need grant resource_access { - id = "be98fa3e-ab5b-4b11-83d9-04ba2b7946bc" # resource-server-2.scope-2 + id = "${random_uuid.resource-server-2-scope-1.result}" # resource-server-2.scope-1 type = "Scope" } } @@ -162,6 +187,11 @@ resource "azuread_application" "resource-server-1" { } } +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.resource-server-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id + claim_values = ["resource-server-2.scope-1"] +} resource "azuread_service_principal" "client-1" { application_id = azuread_application.client-1.application_id From d517201b2271cf6aa459dda73f88718d0edbe2bc Mon Sep 17 00:00:00 2001 
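Review bot: The new `azuread_service_principal_delegated_permission_grant` omits `user_object_id`, which makes it a tenant-wide admin consent: every user in the tenant can use resource-server-1 to call `resource-server-2.scope-1` without a consent prompt, and that should be stated on the resource rather than left implicit. Suggested comment above the resource: `# Tenant-wide admin consent (no user_object_id): all users may call resource-server-2.scope-1 via resource-server-1`. The `# need grant` comment added in the `@@ -151,8 +175,9 @@` hunk is too terse to explain what is granted where; `# Consent for this scope is granted by azuread_service_principal_delegated_permission_grant.resource-server-1 below` would tie the two together.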
From: zhihaoguo Date: Fri, 11 Mar 2022 14:40:42 +0800 Subject: [PATCH 04/38] - remove identifier_uris --- aad/spring-security/terraform/main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index cdeb43f17..fac4c57dc 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -73,9 +73,7 @@ resource "azuread_application" "client-1" { # Configure resource-server-2 resource "azuread_application" "resource-server-2" { - identifier_uris = ["api://resource-2"] display_name = "resource-server-2" - # identifier_uris = [data.azuread_application.resource-server-2.application_id] owners = [data.azuread_client_config.current.object_id] # single tenant @@ -117,7 +115,6 @@ resource "azuread_application" "resource-server-2" { # Configure resource-server-1 resource "azuread_application" "resource-server-1" { display_name = "resource-server-1" - identifier_uris = ["api://resource-1"] owners = [data.azuread_client_config.current.object_id] # single tenant From 0e11d61d981cf52c8c39efb7cd54ff46c72c8e94 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 11 Mar 2022 15:30:37 +0800 Subject: [PATCH 05/38] update sh to set identifier_uris --- aad/spring-security/terraform/main.tf | 2 -- aad/spring-security/terraform/outputs.tf | 6 +++--- aad/spring-security/terraform/setup_env.sh | 7 ++++--- aad/spring-security/terraform/variables.tf | 7 ------- 4 files changed, 7 insertions(+), 15 deletions(-) diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index fac4c57dc..0c8697083 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -33,10 +33,8 @@ data "azuread_client_config" "current" {} # Configure the Azure Active Directory Provider provider "azuread" { - tenant_id = var.tenant_id } - # Configure client-1 resource "azuread_application" "client-1" { display_name = "client-1" 
diff --git a/aad/spring-security/terraform/outputs.tf b/aad/spring-security/terraform/outputs.tf index 8aeb2263f..8d6a74056 100644 --- a/aad/spring-security/terraform/outputs.tf +++ b/aad/spring-security/terraform/outputs.tf @@ -12,7 +12,7 @@ output "TENANT_ID" { - value = var.tenant_id + value = data.azuread_client_config.current.tenant_id } output "CLIENT_1_CLIENT_ID" { @@ -37,11 +37,11 @@ output "RESOURCE_SERVER_1_CLIENT_SECRET" { sensitive = true } -output "newuser_password" { +output "user_password" { value = azuread_user.newuser.password sensitive = true } -output "newuser_user_principal_name" { +output "user_principal_name" { value = azuread_user.newuser.user_principal_name } \ No newline at end of file diff --git a/aad/spring-security/terraform/setup_env.sh b/aad/spring-security/terraform/setup_env.sh index 7c803a0f6..9f6e64d6e 100644 --- a/aad/spring-security/terraform/setup_env.sh +++ b/aad/spring-security/terraform/setup_env.sh @@ -1,4 +1,3 @@ - export TENANT_ID=$(terraform output -raw TENANT_ID) export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID) export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) @@ -6,8 +5,6 @@ export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLI export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET) export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) - - echo TENANT_ID=$TENANT_ID echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID 
@@ -15,6 +12,10 @@ echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET +# set identifier_uris +az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID +az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID + diff --git a/aad/spring-security/terraform/variables.tf b/aad/spring-security/terraform/variables.tf index b81217171..6fe3d961b 100644 --- a/aad/spring-security/terraform/variables.tf +++ b/aad/spring-security/terraform/variables.tf @@ -15,10 +15,3 @@ variable "sample_tag_value" { description = "The value of spring-cloud-azure-sample tag." default = "true" } - -# 308df08a-1332-4a15-bb06-2ad7e8b71bcf -variable "tenant_id" { - type = string - description = "The tenant id." - default = "308df08a-1332-4a15-bb06-2ad7e8b71bcf" -} \ No newline at end of file From 7324e7a82a685fe0bbcc4af0bbf0b2f772ccc742 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 11 Mar 2022 16:18:02 +0800 Subject: [PATCH 06/38] update scripts --- .../oauth2/spring-cloud-gateway/run_all.sh | 14 ++++++ aad/spring-security/terraform/main.tf | 47 +++++++++++-------- aad/spring-security/terraform/outputs.tf | 6 +-- .../terraform/set_identifier_uris.sh | 9 ++++ aad/spring-security/terraform/setup_env.sh | 11 ----- 5 files changed, 54 insertions(+), 33 deletions(-) create mode 100644 aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh create mode 100644 aad/spring-security/terraform/set_identifier_uris.sh diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh new file mode 100644 index 000000000..e35eeedab --- /dev/null +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh 
@@ -0,0 +1,14 @@ +#!/usr/bin/env bash + + +echo "Running apps" +mkdir -p target +nohup java -jar client/target/*.jar > target/client.log 2>&1 & +nohup java -jar gateway/target/*.jar > target/gateway.log 2>&1 & +nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & +nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & +echo "All apps started" +tail -f target/client.log -f target/gateway.log -f target/resource-server-1.log -f target/resource-server-2.log + +# you can kill the process with port +# kill -9 $(lsof -t -i tcp:) \ No newline at end of file diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index 0c8697083..7baa79e5c 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -5,7 +5,11 @@ terraform { version = "~> 2.15.0" } random = { - source = "hashicorp/random" + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" version = "3.1.0" } } @@ -37,9 +41,9 @@ provider "azuread" { # Configure client-1 resource "azuread_application" "client-1" { - display_name = "client-1" + display_name = "client-1" - owners = [data.azuread_client_config.current.object_id] + owners = [data.azuread_client_config.current.object_id] # single tenant sign_in_audience = "AzureADMyOrg" @@ -58,7 +62,7 @@ resource "azuread_application" "client-1" { web { redirect_uris = ["http://localhost:8080/login/oauth2/code/", - "http://localhost:8080/login/oauth2/code/client-1-resource-server-1", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-1", "http://localhost:8080/login/oauth2/code/client-1-resource-server-2"] implicit_grant { 
@@ -71,9 +75,9 @@ resource "azuread_application" "client-1" { # Configure resource-server-2 resource "azuread_application" "resource-server-2" { - display_name = "resource-server-2" + display_name = "resource-server-2" - owners = [data.azuread_client_config.current.object_id] + owners = [data.azuread_client_config.current.object_id] # single tenant sign_in_audience = "AzureADMyOrg" @@ -84,7 +88,7 @@ resource "azuread_application" "resource-server-2" { admin_consent_description = "resource-server-2.scope-1" admin_consent_display_name = "resource-server-2.scope-1" enabled = true - id = "${random_uuid.resource-server-2-scope-1.result}" + id = random_uuid.resource-server-2-scope-1.result type = "User" value = "resource-server-2.scope-1" } @@ -93,7 +97,7 @@ resource "azuread_application" "resource-server-2" { admin_consent_description = "resource-server-2.scope-2" admin_consent_display_name = "resource-server-2.scope-2" enabled = true - id = "${random_uuid.resource-server-2-scope-2.result}" + id = random_uuid.resource-server-2-scope-2.result type = "User" value = "resource-server-2.scope-2" } @@ -112,9 +116,9 @@ resource "azuread_application" "resource-server-2" { # Configure resource-server-1 resource "azuread_application" "resource-server-1" { - display_name = "resource-server-1" + display_name = "resource-server-1" - owners = [data.azuread_client_config.current.object_id] + owners = [data.azuread_client_config.current.object_id] # single tenant sign_in_audience = "AzureADMyOrg" @@ -125,7 +129,7 @@ resource "azuread_application" "resource-server-1" { admin_consent_description = "resource-server-1.scope-1" admin_consent_display_name = "resource-server-1.scope-1" enabled = true - id = "${random_uuid.resource-server-1-scope-1.result}" + id = random_uuid.resource-server-1-scope-1.result type = "User" value = "resource-server-1.scope-1" } 
@@ -134,7 +138,7 @@ resource "azuread_application" "resource-server-1" { admin_consent_description = "resource-server-1.scope-2" admin_consent_display_name = "resource-server-1.scope-2" enabled = true - id = "${random_uuid.resource-server-1-scope-2.result}" + id = random_uuid.resource-server-1-scope-2.result type = "User" value = "resource-server-1.scope-2" } @@ -145,7 +149,7 @@ resource "azuread_application" "resource-server-1" { description = "resource-server-1-role-2" display_name = "resource-server-1-role-2" enabled = true - id = "${random_uuid.resource-server-1-role-2.result}" + id = random_uuid.resource-server-1-role-2.result value = "resource-server-1-role-2" } @@ -154,7 +158,7 @@ resource "azuread_application" "resource-server-1" { description = "resource-server-1-role-1" display_name = "resource-server-1-role-1" enabled = true - id = "${random_uuid.resource-server-1-role-1.result}" + id = random_uuid.resource-server-1-role-1.result value = "resource-server-1-role-1" } @@ -172,7 +176,7 @@ resource "azuread_application" "resource-server-1" { # need grant resource_access { - id = "${random_uuid.resource-server-2-scope-1.result}" # resource-server-2.scope-1 + id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 type = "Scope" } } @@ -207,7 +211,6 @@ resource "azuread_service_principal" "resource-server-2" { } - resource "azuread_application_password" "client-1" { application_object_id = azuread_application.client-1.object_id } @@ -217,9 +220,6 @@ resource "azuread_application_password" "resource-server-1" { application_object_id = azuread_application.resource-server-1.object_id } - - - # Retrieve domain information data "azuread_domains" "example" { only_initial = true 
@@ -232,3 +232,12 @@ resource "azuread_user" "newuser" { password = "Ms@123456" } +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.resource-server-1.application_id + } + + provisioner "local-exec" { + command = "/bin/bash set_identifier_uris.sh" + } +} \ No newline at end of file diff --git a/aad/spring-security/terraform/outputs.tf b/aad/spring-security/terraform/outputs.tf index 8d6a74056..30c75f5df 100644 --- a/aad/spring-security/terraform/outputs.tf +++ b/aad/spring-security/terraform/outputs.tf @@ -28,17 +28,17 @@ output "RESOURCE_SERVER_2_CLIENT_ID" { } output "CLIENT_1_CLIENT_SECRET" { - value = azuread_application_password.client-1.value + value = azuread_application_password.client-1.value sensitive = true } output "RESOURCE_SERVER_1_CLIENT_SECRET" { - value = azuread_application_password.resource-server-1.value + value = azuread_application_password.resource-server-1.value sensitive = true } output "user_password" { - value = azuread_user.newuser.password + value = azuread_user.newuser.password sensitive = true } diff --git a/aad/spring-security/terraform/set_identifier_uris.sh b/aad/spring-security/terraform/set_identifier_uris.sh new file mode 100644 index 000000000..a2690713b --- /dev/null +++ b/aad/spring-security/terraform/set_identifier_uris.sh @@ -0,0 +1,9 @@ +RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) +RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) + +# set identifier_uris +az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID +az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID + + + diff --git a/aad/spring-security/terraform/setup_env.sh b/aad/spring-security/terraform/setup_env.sh index 9f6e64d6e..c097b228a 100644 --- a/aad/spring-security/terraform/setup_env.sh +++ b/aad/spring-security/terraform/setup_env.sh 
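Review bot: `null_resource.set_env` shells out to `set_identifier_uris.sh`, which in this same commit reads the ids with `terraform output -raw`; run from a provisioner inside the apply that is still producing those outputs, this likely sees missing or stale values on a first apply, and the `triggers` only watch resource-server-1 although the script also updates resource-server-2. Pass both ids into the script through the provisioner's `environment` block and key the triggers on both application ids, so the script no longer has to call back into Terraform. Setting `identifier_uris` outside Terraform also means the value is not tracked in state; if the provider version pinned here allows it, managing it on the `azuread_application` resources directly would be preferable.
```hcl
resource "null_resource" "set_env" {
  # Re-run whenever either app id changes; the script updates both apps.
  triggers = {
    resource_server_1_application_id = azuread_application.resource-server-1.application_id
    resource_server_2_application_id = azuread_application.resource-server-2.application_id
  }

  provisioner "local-exec" {
    command = "/bin/bash set_identifier_uris.sh"
    # Hand the ids to the script directly instead of having it run
    # `terraform output` from inside the apply that produces those outputs.
    environment = {
      RESOURCE_SERVER_1_CLIENT_ID = azuread_application.resource-server-1.application_id
      RESOURCE_SERVER_2_CLIENT_ID = azuread_application.resource-server-2.application_id
    }
  }
}
```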
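Review bot: The new `set_identifier_uris.sh` has no shebang and no `set -euo pipefail`, so an empty `terraform output` result is passed on silently and `az ad app update` runs with a blank `--id` and `api://` as the identifier URI; the expansions are also unquoted. Start the file with `#!/usr/bin/env bash` and `set -euo pipefail`, and quote the expansions, e.g. `az ad app update --id "$RESOURCE_SERVER_1_CLIENT_ID" --identifier-uris "api://$RESOURCE_SERVER_1_CLIENT_ID"`. The copy of this script added for the stateless sample later on this page has the same gaps.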
@@ -11,14 +11,3 @@ echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET - -# set identifier_uris -az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID -az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID - - - - - - - From a6c6dc731f3a0d0bb27019daa2ccc7ec83dcb2fc Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 11 Mar 2022 16:46:37 +0800 Subject: [PATCH 07/38] update scripts to run all samples --- .../oauth2/spring-cloud-gateway/run_all.sh | 9 +++++++ .../run_all.sh | 24 +++++++++++++++++++ .../client-access-resource-server/run_all.sh | 21 ++++++++++++++++ .../run_all.sh | 21 ++++++++++++++++ .../run_all.sh | 24 +++++++++++++++++++ 5 files changed, 99 insertions(+) create mode 100644 aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh create mode 100644 aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh create mode 100644 aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh create mode 100644 aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh index e35eeedab..e546ccced 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh 
@@ -1,5 +1,14 @@ #!/usr/bin/env bash +export terraform_path="../../../terraform" + +export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) +export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID) +export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID) +export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_2_CLIENT_ID) +export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET) +export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_SECRET) + echo "Running apps" mkdir -p target diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh new file mode 100644 index 000000000..82f13916c --- /dev/null +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh 
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+export terraform_path="../../../terraform"
+
+export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+
+
+echo "Running apps"
+mkdir -p target
+nohup java -jar client/target/*.jar > target/client.log 2>&1 &
+nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 &
+nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 &
+sleep 10
+echo "All apps started"
+
+tail -f target/client.log -f target/resource-server-1.log -f target/resource-server-2.log
+
+# you can kill the process with port
+# kill -9 $(lsof -t -i tcp:)
\ No newline at end of file
diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh
new file mode 100644
index 000000000..09a497e11
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+export terraform_path="../../../terraform"
+
+export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID)
+
+
+echo "Running apps"
+mkdir -p target
+nohup java -jar client/target/*.jar > target/client.log 2>&1 &
+nohup java -jar resource-server/target/*.jar > target/resource-server-1.log 2>&1 &
+sleep 10
+echo "All apps started"
+
+tail -f target/client.log -f target/resource-server.log
+
+# you can kill the process with port
+# kill -9 $(lsof -t -i tcp:)
\ No newline at end of file
diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh
new file mode 100644
index 000000000..09a497e11
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh
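Review bot: In the new `run_all.sh` the resource server's output is redirected to `target/resource-server-1.log`, but the `tail -f` line reads `target/resource-server.log`, which is never created, so tail reports a missing file and the resource server's log is never shown. Make the redirect and the tail agree: `nohup java -jar resource-server/target/*.jar > target/resource-server.log 2>&1 &`. The file added for `resource-server-check-permissions-by-claims-in-access-token/run_all.sh` in the next hunk is the same blob and has the same mismatch.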
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+export terraform_path="../../../terraform"
+
+export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID)
+
+
+echo "Running apps"
+mkdir -p target
+nohup java -jar client/target/*.jar > target/client.log 2>&1 &
+nohup java -jar resource-server/target/*.jar > target/resource-server-1.log 2>&1 &
+sleep 10
+echo "All apps started"
+
+tail -f target/client.log -f target/resource-server.log
+
+# you can kill the process with port
+# kill -9 $(lsof -t -i tcp:)
\ No newline at end of file
diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh
new file mode 100644
index 000000000..82f13916c
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+export terraform_path="../../../terraform"
+
+export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+
+
+echo "Running apps"
+mkdir -p target
+nohup java -jar client/target/*.jar > target/client.log 2>&1 &
+nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 &
+nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 &
+sleep 10
+echo "All apps started"
+
+tail -f target/client.log -f target/resource-server-1.log -f target/resource-server-2.log
+
+# you can kill the process with port
+# kill -9 $(lsof -t -i tcp:)
\ No newline at end of file
From b56f7261b1c55261ae80512469f51b45249f37ca Mon Sep 17 00:00:00 2001
From: zhihaoguo Date: Tue, 15 Mar 2022 10:45:39 +0800 Subject: [PATCH 08/38] update terraform scripts for resource filter --- .../terraform/main.tf | 124 ++++++++++++++++++ .../terraform/outputs.tf | 16 +++ .../terraform/set_identifier_uris.sh | 7 + .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 10 ++ .../terraform/main.tf | 41 +++--- .../terraform/outputs.tf | 19 ++- .../terraform/setup_env.sh | 12 ++ .../terraform/variables.tf | 17 --- .../oauth2/spring-cloud-gateway/run_all.sh | 2 +- aad/spring-security/terraform/README.md | 10 ++ aad/spring-security/terraform/outputs.tf | 23 +--- 12 files changed, 220 insertions(+), 61 deletions(-) create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.ps1 create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf create mode 100644 aad/spring-security/terraform/README.md diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf new file mode 100644 index 000000000..a12de279e --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf 
@@ -0,0 +1,124 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "~> 2.15.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +data "azuread_client_config" "current" {} + +resource "random_uuid" "role-Admin" { +} + +resource "random_uuid" "role-User" { +} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure an app +resource "azuread_application" "aadresourceserverbyfilterstateless" { + display_name = "aad-resource-server-by-filter-stateless" + + owners = [data.azuread_client_config.current.object_id] + sign_in_audience = "AzureADMultipleOrgs" + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All + type = "Role" + } + + resource_access { + id = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite + type = "Scope" + } + + resource_access { + id = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All + type = "Scope" + } + } + + single_page_application { + redirect_uris = ["http://localhost:8080/"] + } + + app_role { + allowed_member_types = ["User"] + description = "Full admin access" + display_name = "Admin" + enabled = true + id = random_uuid.role-Admin.result + value = "Admin" + } + + app_role { + allowed_member_types = ["User"] + description = "Normal user access" + display_name = "User" + enabled = true + id = random_uuid.role-User.result + value = "User" + } + + web { + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } +} + +resource "azuread_service_principal" "aadresourceserverbyfilterstateless" { + application_id = azuread_application.aadresourceserverbyfilterstateless.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +# 
Retrieve domain information +data "azuread_domains" "current" { + only_initial = true +} + +# Create a user +resource "azuread_user" "user" { + user_principal_name = "aadresourceserverbyfilterstateless@${data.azuread_domains.current.domains.0.domain_name}" + display_name = "aadresourceserverbyfilterstateless" + password = "Azure123456@" +} + +resource "azuread_app_role_assignment" "admin" { + app_role_id = random_uuid.role-Admin.result + principal_object_id = azuread_user.user.object_id + resource_object_id = azuread_service_principal.aadresourceserverbyfilterstateless.object_id +} + +resource "azuread_app_role_assignment" "user" { + app_role_id = random_uuid.role-User.result + principal_object_id = azuread_user.user.object_id + resource_object_id = azuread_service_principal.aadresourceserverbyfilterstateless.object_id +} + +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.aadresourceserverbyfilterstateless.application_id + } + + provisioner "local-exec" { + command = "/bin/bash set_identifier_uris.sh" + } +} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf new file mode 100644 index 000000000..183a98ec8 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf @@ -0,0 +1,16 @@ +output "AZURE_TENANT_ID" { + value = data.azuread_client_config.current.tenant_id +} + +output "AZURE_CLIENT_ID" { + value = azuread_application.aadresourceserverbyfilterstateless.application_id +} + +output "USER_NAME" { + value = azuread_user.user.user_principal_name +} + +output "USER_PASSWORD" { + value = azuread_user.user.password + sensitive = true +} \ No newline at end of file 
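Review bot: `azuread_user.user` is created with the literal password `"Azure123456@"` committed to the repository, while `outputs.tf` in the same commit marks `USER_PASSWORD` as sensitive; the `random` provider is already required here, so generate the value with `random_password` and let the sensitive output carry it (the `aad-resource-server-by-filter/terraform/main.tf` hunk later in this patch hard-codes the same password). Separately, `required_resource_access` requests `User.Read.All` with `type = "Role"`, an application permission that needs admin consent and reads every user in the tenant; if the sample only evaluates app roles in the incoming token, that entry can probably be dropped. `access_token_issuance_enabled = true` under `implicit_grant` also looks unnecessary next to the `single_page_application` redirect, but that depends on which flow the sample exercises, so worth confirming rather than asserting.
```hcl
resource "random_password" "user" {
  length  = 16
  special = true
}

# Create a user
resource "azuread_user" "user" {
  user_principal_name = "aadresourceserverbyfilterstateless@${data.azuread_domains.current.domains.0.domain_name}"
  display_name        = "aadresourceserverbyfilterstateless"
  # Generated per apply; exposed only through the sensitive USER_PASSWORD output.
  password            = random_password.user.result
}
```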
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh
new file mode 100644
index 000000000..390f8d5b6
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh
@@ -0,0 +1,7 @@
+AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID)
+
+# set identifier_uris
+az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID
+
+
+
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.ps1
new file mode 100644
index 000000000..e69de29bb
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh
new file mode 100644
index 000000000..34a42416b
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh
@@ -0,0 +1,10 @@
+export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID)
+export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
+echo AZURE_TENANT_ID=${AZURE_TENANT_ID}
+echo "------------Created new user------------"
+echo USER_NAME=${USER_NAME}
+echo USER_PASSWORD=${USER_PASSWORD}
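Review bot: The new `setup_env.sh` echoes `USER_PASSWORD` in clear to stdout, which undoes the `sensitive = true` placed on that output in `outputs.tf` as soon as the script runs in a CI log or a shared terminal. Print only the non-secret values and replace the last line with `echo "USER_PASSWORD is set (value hidden)"`, or drop it. The `setup_env.sh` for the aad-resource-server-by-filter sample later on this page does the same and additionally prints `AZURE_CLIENT_SECRET`.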
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index 5d6c5b964..7d9bfb501 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf @@ -7,18 +7,15 @@ terraform { } } - data "azuread_client_config" "current" {} - # Configure the Azure Active Directory Provider provider "azuread" { - tenant_id = "308df08a-1332-4a15-bb06-2ad7e8b71bcf" } # Configure an app -resource "azuread_application" "gzh-app" { - display_name = "gzh-app" +resource "azuread_application" "aadresourceserverbyfilter" { + display_name = "aad-resource-server-by-filter" owners = [data.azuread_client_config.current.object_id] sign_in_audience = "AzureADMultipleOrgs" @@ -51,7 +48,7 @@ resource "azuread_application" "gzh-app" { } } - single_page_application{ + single_page_application { redirect_uris = ["http://localhost:8080/"] } 
@@ -63,29 +60,35 @@ resource "azuread_application" "gzh-app" { } } -resource "azuread_application_password" "example" { - application_object_id = azuread_application.gzh-app.object_id +resource "azuread_service_principal" "aadresourceserverbyfilter" { + application_id = azuread_application.aadresourceserverbyfilter.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] } +resource "azuread_application_password" "aadresourceserverbyfilter" { + application_object_id = azuread_application.aadresourceserverbyfilter.object_id +} # Retrieve domain information -data "azuread_domains" "example" { +data "azuread_domains" "current" { only_initial = true } -data "azuread_group" "group1" { - display_name = "group1" - security_enabled = true +# Create a user +resource "azuread_user" "user" { + user_principal_name = "aadresourceserverbyfilter@${data.azuread_domains.current.domains.0.domain_name}" + display_name = "aadresourceserverbyfilter" + password = "Azure123456@" } -# Create a user -resource "azuread_user" "example" { - user_principal_name = "ExampleUser@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "Example User" - password = "Gzh123456@" +resource "azuread_group" "group1" { + display_name = "group1" + owners = [data.azuread_client_config.current.object_id] + security_enabled = true } resource "azuread_group_member" "group1" { - group_object_id = data.azuread_group.group1.id - member_object_id = azuread_user.example.id + group_object_id = azuread_group.group1.id + member_object_id = azuread_user.user.id } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf index 5f9b14737..e43bb8e31 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf 
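Review bot: `password = "Azure123456@"` commits a static, guessable credential for a real directory user into the repository, and marking `USER_PASSWORD` sensitive in `outputs.tf` does not help while the value is a literal in `main.tf`. Generate it with a `random_password` resource instead (declare `hashicorp/random` in `required_providers` if it is not already there; that block is outside this hunk) and consider `force_password_change = true` so the generated value is used once. The new `azuread_application_password` also sets neither `end_date` nor `end_date_relative`, so the client secret gets the provider's default lifetime rather than one sized for a sample; a short `end_date_relative` (e.g. `"720h"`) limits exposure if the state file leaks.
```hcl
resource "random_password" "user" {
  length  = 20
  special = true
}

# Create a user
resource "azuread_user" "user" {
  user_principal_name = "aadresourceserverbyfilter@${data.azuread_domains.current.domains.0.domain_name}"
  display_name        = "aadresourceserverbyfilter"
  password            = random_password.user.result
}
# … unchanged: azuread_group "group1" and azuread_group_member "group1" …
```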
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf @@ -1,14 +1,21 @@ +output "AZURE_CLIENT_ID" { + value = azuread_application.aadresourceserverbyfilter.application_id +} -output "sp-password" { - value = azuread_application_password.example +output "AZURE_CLIENT_SECRET" { + value = azuread_application_password.aadresourceserverbyfilter.value sensitive = true } +output "AZURE_TENANT_ID" { + value = data.azuread_client_config.current.tenant_id +} -output "output-user" { - value = azuread_user.example.user_principal_name +output "USER_NAME" { + value = azuread_user.user.user_principal_name } -output "clientid" { - value = azuread_application.gzh-app.application_id +output "USER_PASSWORD" { + value = azuread_user.user.password + sensitive = true } \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh index e69de29bb..beceaae8f 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh @@ -0,0 +1,12 @@ +export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) +export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) +export AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) +export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) + +echo AZURE_CLIENT_ID=${AZURE_CLIENT_ID} +echo AZURE_TENANT_ID=${AZURE_TENANT_ID} +echo AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} +echo "------------Created new user------------" +echo USER_NAME=${USER_NAME} +echo USER_PASSWORD=${USER_PASSWORD} 
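Review bot: `setup_env.sh` echoes `AZURE_CLIENT_SECRET` and `USER_PASSWORD` to stdout, which undoes the `sensitive = true` the `outputs.tf` hunk on this same line sets on those two outputs: `terraform output -raw` is the intended way to read a sensitive value, but the `echo` lines then put it in terminal scrollback and CI logs. Keep the `export`s and change the two echo lines to print only the names, e.g. `echo "AZURE_CLIENT_SECRET=<redacted>"` and `echo "USER_PASSWORD=<redacted>"`. Quoting the command substitutions (`export AZURE_CLIENT_SECRET="$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET)"`) also avoids word-splitting if a secret ever contains whitespace.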
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf deleted file mode 100644 index 6fe3d961b..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/variables.tf +++ /dev/null @@ -1,17 +0,0 @@ -variable "application_name" { - type = string - description = "The name of your application." - default = "keyvault" -} - -variable "location" { - type = string - description = "The Azure region where all resources in this example should be created." - default = "eastus" -} - -variable "sample_tag_value" { - type = string - description = "The value of spring-cloud-azure-sample tag." - default = "true" -} diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh index e546ccced..936d40622 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -export terraform_path="../../../terraform" +export terraform_path="../../../../terraform" export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID) diff --git a/aad/spring-security/terraform/README.md b/aad/spring-security/terraform/README.md new file mode 100644 index 000000000..a8c7f4f79 --- /dev/null +++ b/aad/spring-security/terraform/README.md @@ -0,0 +1,10 @@ +# Spring Boot application with Azure Active Directory + +``` +az account tenant list +``` + +Make sure you are using the right tenant with sufficient privileges. +``` +az login --tenant [your-tenant] --allow-no-subscriptions +``` \ No newline at end of file 
diff --git a/aad/spring-security/terraform/outputs.tf b/aad/spring-security/terraform/outputs.tf index 30c75f5df..4bd97708f 100644 --- a/aad/spring-security/terraform/outputs.tf +++ b/aad/spring-security/terraform/outputs.tf @@ -1,16 +1,3 @@ - - - -#CLIENT-1-CLIENT-ID -#CLIENT-1-CLIENT-SECRET -#RESOURCE-SERVER-1-CLIENT-ID -#RESOURCE-SERVER-1-CLIENT-SECRET -#RESOURCE-SERVER-2-CLIENT-ID -#TENANT-ID -#user.email -#user.password - - output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id } @@ -37,11 +24,11 @@ output "RESOURCE_SERVER_1_CLIENT_SECRET" { sensitive = true } -output "user_password" { +output "USER_NAME" { + value = azuread_user.newuser.user_principal_name +} + +output "USER_PASSWORD" { value = azuread_user.newuser.password sensitive = true } - -output "user_principal_name" { - value = azuread_user.newuser.user_principal_name -} \ No newline at end of file From 49febc872cc304c74033208c42d5a9be0254eb9a Mon Sep 17 00:00:00 2001 
From: zhihaoguo Date: Tue, 15 Mar 2022 10:48:06 +0800 Subject: [PATCH 09/38] update terraform scripts for aad-resource-server --- .../aad-resource-server/terraform/README.md | 9 ++ .../aad-resource-server/terraform/main.tf | 91 +++++++++++++++++++ .../aad-resource-server/terraform/outputs.tf | 16 ++++ .../terraform/set_identifier_uris.sh | 4 + .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 8 ++ 6 files changed, 128 insertions(+) create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.ps1 create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md new file mode 100644 index 000000000..d1b9f7d5d --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md @@ -0,0 +1,9 @@ +# Spring Boot application with Azure Active Directory + +``` +az account tenant list +``` + +``` +az login --tenant [your-tenant] --allow-no-subscriptions +``` \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf new file mode 100644 index 000000000..9c36315ab --- /dev/null 
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf 
@@ -0,0 +1,91 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "~> 2.15.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +resource "random_uuid" "webapiB" { +} + +data "azuread_client_config" "current" {} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure webapiB +resource "azuread_application" "webapiB" { + display_name = "webapiB" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "WebApiB.ExampleScope" + admin_consent_display_name = "WebApiB.ExampleScope" + enabled = true + id = random_uuid.webapiB.result + type = "User" + value = "WebApiB.ExampleScope" + } + + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + +} + + +resource "azuread_service_principal" "webapiB" { + application_id = azuread_application.webapiB.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_application_password" "webapiB" { + application_object_id = azuread_application.webapiB.object_id +} + +# Retrieve domain information +data "azuread_domains" "example" { + only_initial = true +} + +# Create a user +resource "azuread_user" "newuser" { + user_principal_name = "aadresourceserver@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "aadresourceserver" + password = "Ms@123456" +} + +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.webapiB.application_id + } + + provisioner "local-exec" { + command = "/bin/bash 
set_identifier_uris.sh" + } +} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf new file mode 100644 index 000000000..74141b34c --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf @@ -0,0 +1,16 @@ +output "AZURE_TENANT_ID" { + value = data.azuread_client_config.current.tenant_id +} + +output "AZURE_CLIENT_ID" { + value = azuread_application.webapiB.application_id +} + +output "USER_PASSWORD" { + value = azuread_user.newuser.password + sensitive = true +} + +output "USER_NAME" { + value = azuread_user.newuser.user_principal_name +} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh new file mode 100644 index 000000000..e35d55b52 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh @@ -0,0 +1,4 @@ +AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID) + +# set identifier_uris +az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.ps1 new file mode 100644 index 000000000..e69de29bb diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh new file mode 100644 index 000000000..8fdfeae93 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh 
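Review bot: The `local-exec` provisioner in `null_resource.set_env` runs `set_identifier_uris.sh`, which calls `terraform output -raw AZURE_CLIENT_ID` while the same `terraform apply` is still in progress; on a first apply that output is not yet in state, so the script gets an empty id and runs `az ad app update --id --identifier-uris api://`. Pass the value through the provisioner's `environment` block and have the script use that variable (with `set -euo pipefail` and quoted expansions) instead of calling back into Terraform. Separately, `password = "Ms@123456"` on `azuread_user.newuser` is a committed static credential for a real directory user; a `random_password` resource (the `random` provider is already declared in `required_providers`) keeps it out of git.
```hcl
resource "null_resource" "set_env" {
  triggers = {
    application_id = azuread_service_principal.webapiB.application_id
  }

  provisioner "local-exec" {
    command = "/bin/bash set_identifier_uris.sh"
    environment = {
      AZURE_CLIENT_ID = azuread_application.webapiB.application_id
    }
  }
}
```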
@@ -0,0 +1,8 @@
+export AZURE_TENANT_ID=$(terraform output -raw AZURE_TENANT_ID)
+export AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID)
+export APP_ID_URI=api://$AZURE_CLIENT_ID
+
+echo AZURE_TENANT_ID=$AZURE_TENANT_ID
+echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID
+echo APP_ID_URI=$APP_ID_URI
+
From 70e8165d1e6e922059cd35d0a5fdd70bac4ccd55 Mon Sep 17 00:00:00 2001
From: zhihaoguo Date: Tue, 15 Mar 2022 19:09:11 +0800 Subject: [PATCH 10/38] update scripts --- .../src/main/resources/application.yml | 4 +- .../src/main/resources/application.yml | 4 +- .../aad-resource-server/terraform/outputs.tf | 2 +- .../terraform/setup_env.sh | 8 +- .../terraform/README.md | 9 + .../terraform/main.tf | 201 ++++++++++++++++++ .../terraform/outputs.tf | 47 ++++ .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 13 ++ .../aad-web-application/terraform/README.md | 10 + .../aad-web-application/terraform/main.tf | 76 +++++++ .../aad-web-application/terraform/outputs.tf | 21 ++ .../terraform/set_identifier_uris.sh | 9 + .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 13 ++ .../terraform/variables.tf | 17 ++ aad/spring-security/terraform/main.tf | 2 +- aad/spring-security/terraform/outputs.tf | 4 +- 18 files changed, 428 insertions(+), 12 deletions(-) create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.ps1 create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh create mode 
100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.ps1 create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/resources/application.yml index 46b2b6e9b..5faad9bad 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/resources/application.yml +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/resources/application.yml @@ -15,8 +15,8 @@ spring: active-directory: enabled: true credential: - client-id: ${AZURE_CLIENT_ID} - client-secret: ${AZURE_CLIENT_SECRET} + client-id: ${WEB_API_A_CLIENT_ID} + client-secret: ${WEB_API_A_CLIENT_SECRET} profile: tenant-id: ${AZURE_TENANT_ID} app-id-uri: ${WEB_API_A_APP_ID_URL} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/resources/application.yml index ba5e36ad7..02741f509 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/resources/application.yml +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/resources/application.yml @@ -18,8 +18,8 @@ spring: active-directory: enabled: true credential: - client-id: ${AZURE_CLIENT_ID} + client-id: ${WEB_API_B_CLIENT_ID} profile: tenant-id: ${AZURE_TENANT_ID} - app-id-uri: ${APP_ID_URI} + app-id-uri: ${WEB_API_B_APP_ID_URI} 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf index 74141b34c..e9f7e6a9b 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf @@ -2,7 +2,7 @@ output "AZURE_TENANT_ID" { value = data.azuread_client_config.current.tenant_id } -output "AZURE_CLIENT_ID" { +output "WEB_API_B_CLIENT_ID" { value = azuread_application.webapiB.application_id } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh index 8fdfeae93..5367d2b09 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh @@ -1,8 +1,8 @@ export AZURE_TENANT_ID=$(terraform output -raw AZURE_TENANT_ID) -export AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID) -export APP_ID_URI=api://$AZURE_CLIENT_ID +export WEB_API_B_CLIENT_ID=$(terraform output -raw WEB_API_B_CLIENT_ID) +export WEB_API_B_APP_ID_URI=api://$WEB_API_B_CLIENT_ID echo AZURE_TENANT_ID=$AZURE_TENANT_ID -echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID -echo APP_ID_URI=$APP_ID_URI +echo WEB_API_B_CLIENT_ID=$WEB_API_B_CLIENT_ID +echo WEB_API_B_APP_ID_URI=$WEB_API_B_APP_ID_URI diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md new file mode 100644 index 000000000..d1b9f7d5d --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md 
@@ -0,0 +1,9 @@ +# Spring Boot application with Azure Active Directory + +``` +az account tenant list +``` + +``` +az login --tenant [your-tenant] --allow-no-subscriptions +``` \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf new file mode 100644 index 000000000..6237a382c --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf 
@@ -0,0 +1,201 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "~> 2.15.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +resource "random_uuid" "resource-server-1-scope-1" { +} + +resource "random_uuid" "resource-server-1-scope-2" { +} + +resource "random_uuid" "resource-server-2-scope-1" { +} + +resource "random_uuid" "resource-server-2-scope-2" { +} + +resource "random_uuid" "resource-server-1-role-1" { +} + +resource "random_uuid" "resource-server-1-role-2" { +} + +data "azuread_client_config" "current" {} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure client-1 +resource "azuread_application" "WebApp2" { + display_name = "WebApp2" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/"] + + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } +} + + + +# Configure WebApiC +resource "azuread_application" "WebApiC" { + display_name = "WebApiC" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-1" + admin_consent_display_name = "resource-server-1.scope-1" + enabled = true + id = random_uuid.resource-server-1-scope-1.result + type = "User" + value = "resource-server-1.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = 
"resource-server-1.scope-2" + admin_consent_display_name = "resource-server-1.scope-2" + enabled = true + id = random_uuid.resource-server-1-scope-2.result + type = "User" + value = "resource-server-1.scope-2" + } + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-2" + display_name = "resource-server-1-role-2" + enabled = true + id = random_uuid.resource-server-1-role-2.result + value = "resource-server-1-role-2" + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-1" + display_name = "resource-server-1-role-1" + enabled = true + id = random_uuid.resource-server-1-role-1.result + value = "resource-server-1-role-1" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 + + # need grant + resource_access { + id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/"] + } +} + +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.resource-server-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id + claim_values = ["resource-server-2.scope-1"] +} + +resource "azuread_service_principal" "client-1" { + application_id = azuread_application.client-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-1" { + application_id = azuread_application.resource-server-1.application_id + app_role_assignment_required = false + owners = 
[data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-2" { + application_id = azuread_application.resource-server-2.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + + +resource "azuread_application_password" "client-1" { + application_object_id = azuread_application.client-1.object_id +} + + +resource "azuread_application_password" "resource-server-1" { + application_object_id = azuread_application.resource-server-1.object_id +} + +# Retrieve domain information +data "azuread_domains" "example" { + only_initial = true +} + +# Create a user +resource "azuread_user" "newuser" { + user_principal_name = "security@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "security" + password = "Ms@123456" +} + +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.resource-server-1.application_id + } + + provisioner "local-exec" { + command = "/bin/bash set_identifier_uris.sh" + } +} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf new file mode 100644 index 000000000..30c75f5df --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf 
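Review bot: This file cannot pass `terraform validate`: it references `azuread_application.client-1`, `azuread_application.resource-server-1` and `azuread_application.resource-server-2` (in `WebApiC`'s second `required_resource_access`, the three `azuread_service_principal` blocks, both `azuread_application_password` blocks and the delegated permission grant), but the only applications declared are `WebApp2` and `WebApiC`, and no second resource server exists at all. Either the declared apps should be renamed `client-1` / `resource-server-1` with a `resource-server-2` application added, or the references retargeted; which was intended is not visible here. `access_token_issuance_enabled = true` on `WebApp2` also turns on implicit-flow access tokens for a client whose redirect URI is the authorization-code endpoint and which does not need them. The `password = "Ms@123456"` literal is again a committed credential for a real directory user.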
@@ -0,0 +1,47 @@ + + + +#CLIENT-1-CLIENT-ID +#CLIENT-1-CLIENT-SECRET +#RESOURCE-SERVER-1-CLIENT-ID +#RESOURCE-SERVER-1-CLIENT-SECRET +#RESOURCE-SERVER-2-CLIENT-ID +#TENANT-ID +#user.email +#user.password + + +output "TENANT_ID" { + value = data.azuread_client_config.current.tenant_id +} + +output "CLIENT_1_CLIENT_ID" { + value = azuread_application.client-1.application_id +} + +output "RESOURCE_SERVER_1_CLIENT_ID" { + value = azuread_application.resource-server-1.application_id +} + +output "RESOURCE_SERVER_2_CLIENT_ID" { + value = azuread_application.resource-server-2.application_id +} + +output "CLIENT_1_CLIENT_SECRET" { + value = azuread_application_password.client-1.value + sensitive = true +} + +output "RESOURCE_SERVER_1_CLIENT_SECRET" { + value = azuread_application_password.resource-server-1.value + sensitive = true +} + +output "user_password" { + value = azuread_user.newuser.password + sensitive = true +} + +output "user_principal_name" { + value = azuread_user.newuser.user_principal_name +} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.ps1 new file mode 100644 index 000000000..e69de29bb diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh new file mode 100644 index 000000000..c097b228a --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh 
@@ -0,0 +1,13 @@
+export TENANT_ID=$(terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md
new file mode 100644
index 000000000..a8c7f4f79
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md
@@ -0,0 +1,10 @@
+# Spring Boot application with Azure Active Directory
+
+```
+az account tenant list
+```
+
+Make sure you are using the right tenant with sufficient privileges.
+```
+az login --tenant [your-tenant] --allow-no-subscriptions
+```
\ No newline at end of file
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
new file mode 100644
index 000000000..585c7f519
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
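Review bot: `echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET` and `echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET` print both client secrets to stdout, defeating the `sensitive = true` on those outputs in this module's `outputs.tf`. Keep the exports and print only the names, e.g. `echo "CLIENT_1_CLIENT_SECRET=<redacted>"` and `echo "RESOURCE_SERVER_1_CLIENT_SECRET=<redacted>"`.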
@@ -0,0 +1,76 @@
+terraform {
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 2.15.0"
+ }
+ }
+}
+
+data "azuread_client_config" "current" {}
+
+# Configure the Azure Active Directory Provider
+provider "azuread" {
+}
+
+# Configure webapp
+resource "azuread_application" "webapp" {
+ display_name = "webapp"
+
+ owners = [data.azuread_client_config.current.object_id]
+ # single tenant
+ sign_in_audience = "AzureADMyOrg"
+
+ api {
+ requested_access_token_version = 2
+ }
+
+# arm:
+# on-demand: true
+# scopes: https://management.core.windows.net/user_impersonation
+# graph:
+# scopes:
+# - https://graph.microsoft.com/User.Read
+# - https://graph.microsoft.com/Directory.Read.All
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ type = "Scope"
+ }
+ }
+
+ web {
+ redirect_uris = ["http://localhost:8080/login/oauth2/code/"]
+
+ implicit_grant {
+ access_token_issuance_enabled = true
+ id_token_issuance_enabled = true
+ }
+ }
+}
+
+resource "azuread_service_principal" "webapp" {
+ application_id = azuread_application.webapp.application_id
+ app_role_assignment_required = false
+ owners = [data.azuread_client_config.current.object_id]
+}
+
+
+resource "azuread_application_password" "webapp" {
+ application_object_id = azuread_application.webapp.object_id
+}
+
+
+# Retrieve domain information
+data "azuread_domains" "example" {
+ only_initial = true
+}
+
+# Create a user
+resource "azuread_user" "user" {
+ user_principal_name = "webapp@${data.azuread_domains.example.domains.0.domain_name}"
+ display_name = "webapp"
+ password = "Ms@123456"
+}
\ No newline at end of file
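Review bot: `azuread_user.user` is created with the literal password `"Ms@123456"`, the same static value the spring-security sample in this patch uses, so every deployment of the sample shares one known credential that is committed to the repository; generating it with a `random_password` resource (the `random` provider is not yet in this file's `required_providers`) and keeping the existing `sensitive = true` output gives each apply its own value. Separately, `web.implicit_grant` turns on `access_token_issuance_enabled`, yet the only redirect URI is the authorization-code endpoint `/login/oauth2/code/`, so implicit access-token issuance is not needed for this flow and `access_token_issuance_enabled = false` is the safer default; whether `id_token_issuance_enabled` is required by the starter I cannot confirm from here. The rewritten pieces are below.
```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.15.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.1.0"
    }
  }
}

# … unchanged: azuread_client_config, provider, azuread_application, service principal, application password, azuread_domains …

# Per-apply password so no fixed credential ships with the sample
resource "random_password" "user" {
  length      = 16
  min_upper   = 1
  min_lower   = 1
  min_numeric = 1
  min_special = 1
}

# Create a user
resource "azuread_user" "user" {
  user_principal_name = "webapp@${data.azuread_domains.example.domains.0.domain_name}"
  display_name        = "webapp"
  password            = random_password.user.result
}
```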
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf
new file mode 100644
index 000000000..b5e8fb093
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf
@@ -0,0 +1,21 @@
+output "TENANT_ID" {
+ value = data.azuread_client_config.current.tenant_id
+}
+
+output "AZURE_CLIENT_ID" {
+ value = azuread_application.webapp.application_id
+}
+
+output "AZURE_CLIENT_SECRET" {
+ value = azuread_application_password.webapp.value
+ sensitive = true
+}
+
+output "USER_NAME" {
+ value = azuread_user.user.user_principal_name
+}
+
+output "USER_PASSWORD" {
+ value = azuread_user.user.password
+ sensitive = true
+}
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh
new file mode 100644
index 000000000..a2690713b
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh
@@ -0,0 +1,9 @@
+RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+
+# set identifier_uris
+az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID
+az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID
+
+
+
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.ps1
new file mode 100644
index 000000000..e69de29bb
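Review bot: set_identifier_uris.sh reads `RESOURCE_SERVER_1_CLIENT_ID` and `RESOURCE_SERVER_2_CLIENT_ID` from `terraform output`, but the outputs.tf added for this sample in the hunk just above defines only `TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `USER_NAME` and `USER_PASSWORD`, so both lookups fail, the variables stay empty and `az ad app update --id` is invoked with an empty id. The script looks copied from the web-application-and-resource-server sample; if aad-web-application registers no resource-server apps it should be removed, otherwise the names need to match this sample's outputs. Adding `set -euo pipefail` as the first line would also stop on the failed lookup instead of continuing into the `az` calls with empty arguments.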
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh
new file mode 100644
index 000000000..c097b228a
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh
@@ -0,0 +1,13 @@
+export TENANT_ID=$(terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf
new file mode 100644
index 000000000..6fe3d961b
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf
@@ -0,0 +1,17 @@
+variable "application_name" {
+ type = string
+ description = "The name of your application."
+ default = "keyvault"
+}
+
+variable "location" {
+ type = string
+ description = "The Azure region where all resources in this example should be created."
+ default = "eastus"
+}
+
+variable "sample_tag_value" {
+ type = string
+ description = "The value of spring-cloud-azure-sample tag."
+ default = "true"
+}
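Review bot: This copy of setup_env.sh exports `CLIENT_1_CLIENT_ID`, the two `RESOURCE_SERVER_*` ids and `CLIENT_1_CLIENT_SECRET`, none of which exist in aad-web-application's outputs.tf; that file outputs `TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `USER_NAME` and `USER_PASSWORD`, so every export except `TENANT_ID` is empty after sourcing and the application cannot pick up its client id or secret. The lines should be rewritten against those outputs, e.g. `export AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID)`. The variables.tf hunk on the same line declares `application_name` with default `"keyvault"`, `location` and `sample_tag_value`, none of which this sample's main.tf references, so it appears to be a leftover from another sample and could be dropped.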
diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index 7baa79e5c..4f114a75e 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -226,7 +226,7 @@ data "azuread_domains" "example" { } # Create a user -resource "azuread_user" "newuser" { +resource "azuread_user" "user" { user_principal_name = "security@${data.azuread_domains.example.domains.0.domain_name}" display_name = "security" password = "Ms@123456" diff --git a/aad/spring-security/terraform/outputs.tf b/aad/spring-security/terraform/outputs.tf index 4bd97708f..31573b191 100644 --- a/aad/spring-security/terraform/outputs.tf +++ b/aad/spring-security/terraform/outputs.tf @@ -25,10 +25,10 @@ output "RESOURCE_SERVER_1_CLIENT_SECRET" { } output "USER_NAME" { - value = azuread_user.newuser.user_principal_name + value = azuread_user.user.user_principal_name } output "USER_PASSWORD" { - value = azuread_user.newuser.password + value = azuread_user.user.password sensitive = true } From fec7f750bc2b480f2500a6a7f28058823950ae06 Mon Sep 17 00:00:00 2001 
From: zhihaoguo Date: Wed, 16 Mar 2022 10:56:57 +0800 Subject: [PATCH 11/38] update terraform scripts --- .../terraform/README.md | 105 +++++++++++ .../terraform/main.tf | 12 +- .../terraform/setup_env.ps1 | 0 .../terraform/README.md | 105 +++++++++++ .../terraform/main.tf | 45 +++-- .../terraform/setup_env.ps1 | 0 .../aad-resource-server/terraform/README.md | 9 - .../aad-resource-server/terraform/main.tf | 17 +- .../aad-resource-server/terraform/outputs.tf | 4 +- .../terraform/set_identifier_uris.sh | 4 +- .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 4 +- .../terraform/README.md | 102 ++++++++++- .../terraform/main.tf | 169 +++++------------- .../terraform/outputs.tf | 44 +---- .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 26 +-- .../aad-web-application/terraform/README.md | 103 ++++++++++- .../aad-web-application/terraform/main.tf | 68 +++++-- .../aad-web-application/terraform/outputs.tf | 12 +- .../terraform/set_identifier_uris.sh | 9 - .../terraform/setup_env.ps1 | 0 .../terraform/setup_env.sh | 24 +-- .../terraform/variables.tf | 17 -- aad/spring-security/terraform/README.md | 103 ++++++++++- aad/spring-security/terraform/main.tf | 12 +- aad/spring-security/terraform/setup_env.ps1 | 0 aad/spring-security/terraform/setup_env.sh | 12 +- 28 files changed, 713 insertions(+), 293 deletions(-) create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.ps1 create mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.ps1 delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md delete mode 100644 
aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.ps1 delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.ps1 delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.ps1 delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf delete mode 100644 aad/spring-security/terraform/setup_env.ps1 diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md new file mode 100644 index 000000000..f22077ff4 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md 
@@ -0,0 +1,105 @@ +# Spring Boot application with Azure Active Directory + +This guide demonstrates how to provision Azure Resources with terraform. + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# In the specific sample's directory, where contains pom.xml. 
+# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `mvn clean spring-boot:run`. + +```shell +mvn clean spring-boot:run +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index a12de279e..763ee9d83 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "~> 2.15.0" + version = "2.19.0" } random = { source = "hashicorp/random" 
@@ -15,6 +15,12 @@ terraform { } } +resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" +} + data "azuread_client_config" "current" {} resource "random_uuid" "role-Admin" { @@ -96,8 +102,8 @@ data "azuread_domains" "current" { # Create a user resource "azuread_user" "user" { - user_principal_name = "aadresourceserverbyfilterstateless@${data.azuread_domains.current.domains.0.domain_name}" - display_name = "aadresourceserverbyfilterstateless" + user_principal_name = "aadresourcestateless-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}" + display_name = "aadresourcestateless-${random_string.random.result}" password = "Azure123456@" } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.ps1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md new file mode 100644 index 000000000..f22077ff4 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md 
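Review bot: `random_string.random` is generated with `special = true` and `override_special = "/@£$"` and then interpolated into `user_principal_name` in the second hunk, but none of `/`, `@`, `£` or `$` is an allowed character in the local part of a UPN, so any result that contains a special character (likely at length 5) makes `azuread_user.user` fail to create, and `@` in particular would yield a second `@` in the UPN. Setting `special = false` and dropping `override_special`, or restricting to `lower = true, upper = false, special = false` for a plain alphanumeric suffix, avoids that. The same `random_string` definition is added to aad-resource-server-by-filter/terraform/main.tf, aad-resource-server/terraform/main.tf and aad-web-application-and-resource-server/terraform/main.tf later in this patch. The static `password = "Azure123456@"` kept in the second hunk is also shared across those samples; a `random_password` resource from the same provider would avoid committing one known credential to all of them.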
@@ -0,0 +1,105 @@ +# Spring Boot application with Azure Active Directory + +This guide demonstrates how to provision Azure Resources with terraform. + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# In the specific sample's directory, where contains pom.xml. 
+# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `mvn clean spring-boot:run`. + +```shell +mvn clean spring-boot:run +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index 7d9bfb501..34d1f2222 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf 
@@ -2,11 +2,22 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "~> 2.15.0" + version = "2.19.0" + } + resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" } } } +resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" +} + data "azuread_client_config" "current" {} # Configure the Azure Active Directory Provider @@ -28,26 +39,12 @@ resource "azuread_application" "aadresourceserverbyfilter" { type = "Role" } - resource_access { - id = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite - type = "Scope" - } - resource_access { id = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All type = "Scope" } } - required_resource_access { - resource_app_id = "c5393580-f805-4401-95e8-94b7a6ef2fc2" # Office 365 Management - - resource_access { - id = "594c1fb6-4f81-4475-ae41-0c394909246c" # ActivityFeed.Read - type = "Role" - } - } - single_page_application { redirect_uris = ["http://localhost:8080/"] } @@ -70,6 +67,20 @@ resource "azuread_application_password" "aadresourceserverbyfilter" { application_object_id = azuread_application.aadresourceserverbyfilter.object_id } +data "azuread_application_published_app_ids" "well_known" {} + +resource "azuread_service_principal" "msgraph" { + application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph + use_existing = true +} + + +resource "azuread_service_principal_delegated_permission_grant" "graph" { + service_principal_object_id = azuread_service_principal.aadresourceserverbyfilter.object_id + resource_service_principal_object_id = azuread_service_principal.msgraph.object_id + claim_values = ["Directory.Read.All","User.Read.All"] +} + # Retrieve domain information data "azuread_domains" "current" { only_initial = true 
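Review bot: The first hunk adds a `resource "random_string" "random"` block inside `required_providers`, between the `azuread` entry and the closing braces, which is not valid there because `required_providers` only accepts provider entries, and the same resource is then declared again at top level; `terraform init` rejects the nested block, and removing it would still leave a duplicate-resource error. Only the top-level definition should stay. Since this file's `required_providers` lists just `azuread`, a `random = { source = "hashicorp/random", version = "3.1.0" }` entry like the one the stateless sample declares belongs alongside it so the provider is pinned rather than resolved implicitly.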
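Review bot: The third hunk's `azuread_service_principal_delegated_permission_grant.graph` consents to `Directory.Read.All` and `User.Read.All`, but the visible `required_resource_access` entries for Microsoft Graph in the second hunk request only `User.Read` and `Directory.Read.All`, so `User.Read.All` is granted without being declared in the application's manifest; either add the matching `resource_access` entry or drop it from `claim_values`. Admin-consenting `Directory.Read.All` through Terraform gives the sample app directory-wide read on behalf of every signing-in user; a comment stating why that scope is needed (group membership lookup, presumably) would help readers judge whether the narrower `User.Read.All` or `GroupMember.Read.All` would do. The enclosing application block starts outside the second hunk, so entries above the visible `type = "Role"` line cannot be checked here.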
@@ -77,8 +88,8 @@ data "azuread_domains" "current" { # Create a user resource "azuread_user" "user" { - user_principal_name = "aadresourceserverbyfilter@${data.azuread_domains.current.domains.0.domain_name}" - display_name = "aadresourceserverbyfilter" + user_principal_name = "aadresourceserverbyfilter-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}" + display_name = "aadresourceserverbyfilter-${random_string.random.result}" password = "Azure123456@" } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.ps1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md deleted file mode 100644 index d1b9f7d5d..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Spring Boot application with Azure Active Directory - -``` -az account tenant list -``` - -``` -az login --tenant [your-tenant] --allow-no-subscriptions -``` \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf index 9c36315ab..4017ea254 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "~> 2.15.0" + version = "2.19.0" } random = { source = "hashicorp/random" 
@@ -18,6 +18,12 @@ terraform { resource "random_uuid" "webapiB" { } +resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" +} + data "azuread_client_config" "current" {} # Configure the Azure Active Directory Provider @@ -54,7 +60,6 @@ resource "azuread_application" "webapiB" { type = "Scope" } } - } @@ -74,10 +79,10 @@ data "azuread_domains" "example" { } # Create a user -resource "azuread_user" "newuser" { - user_principal_name = "aadresourceserver@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "aadresourceserver" - password = "Ms@123456" +resource "azuread_user" "user" { + user_principal_name = "aadresourceserver-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "aadresourceserver-${random_string.random.result}" + password = "Azure123456@" } resource "null_resource" "set_env" { diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf index e9f7e6a9b..96fc30b6e 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf @@ -7,10 +7,10 @@ output "WEB_API_B_CLIENT_ID" { } output "USER_PASSWORD" { - value = azuread_user.newuser.password + value = azuread_user.user.password sensitive = true } output "USER_NAME" { - value = azuread_user.newuser.user_principal_name + value = azuread_user.user.user_principal_name } \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh index e35d55b52..41b2f19d7 100644 
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh @@ -1,4 +1,4 @@ -AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID) +WEB_API_B_CLIENT_ID=$(terraform output -raw WEB_API_B_CLIENT_ID) # set identifier_uris -az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID +az ad app update --id $WEB_API_B_CLIENT_ID --identifier-uris api://$WEB_API_B_CLIENT_ID diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.ps1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh index 5367d2b09..594388640 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh @@ -1,5 +1,5 @@ -export AZURE_TENANT_ID=$(terraform output -raw AZURE_TENANT_ID) -export WEB_API_B_CLIENT_ID=$(terraform output -raw WEB_API_B_CLIENT_ID) +export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) +export WEB_API_B_CLIENT_ID=$(terraform -chdir=./terraform output -raw WEB_API_B_CLIENT_ID) export WEB_API_B_APP_ID_URI=api://$WEB_API_B_CLIENT_ID echo AZURE_TENANT_ID=$AZURE_TENANT_ID diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md index d1b9f7d5d..88a451ce4 100644 
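Review bot: set_identifier_uris.sh still runs `terraform output -raw WEB_API_B_CLIENT_ID` without `-chdir`, while the setup_env.sh hunk on the same line switches to `terraform -chdir=./terraform output`; with the README's instruction to run from the sample root, the first script then reads no state, `WEB_API_B_CLIENT_ID` is empty and `az ad app update --id` runs with an empty id. Use the same form here: `WEB_API_B_CLIENT_ID=$(terraform -chdir=./terraform output -raw WEB_API_B_CLIENT_ID)`. A `set -e` at the top of both scripts would make the failed lookup abort instead of continuing into the `az` call.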
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md 
@@ -1,9 +1,105 @@ # Spring Boot application with Azure Active Directory +This guide demonstrates how to provision Azure Resources with terraform. + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions ``` -az account tenant list + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] ``` +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. 
+ +#### Run with Bash + +```shell +# In the root directory of the sample +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `mvn clean spring-boot:run`. + +```shell +mvn clean spring-boot:run +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve ``` -az login --tenant [your-tenant] --allow-no-subscriptions -``` \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf index 6237a382c..056a9cc09 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf 
@@ -2,35 +2,19 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "~> 2.15.0" + version = "2.19.0" } random = { source = "hashicorp/random" version = "3.1.0" } - null = { - source = "hashicorp/null" - version = "3.1.0" - } } } -resource "random_uuid" "resource-server-1-scope-1" { -} - -resource "random_uuid" "resource-server-1-scope-2" { -} - -resource "random_uuid" "resource-server-2-scope-1" { -} - -resource "random_uuid" "resource-server-2-scope-2" { -} - -resource "random_uuid" "resource-server-1-role-1" { -} - -resource "random_uuid" "resource-server-1-role-2" { +resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" } data "azuread_client_config" "current" {} @@ -39,9 +23,9 @@ data "azuread_client_config" "current" {} provider "azuread" { } -# Configure client-1 -resource "azuread_application" "WebApp2" { - display_name = "WebApp2" +# Configure webapp_resourceserver +resource "azuread_application" "webapp_resourceserver" { + display_name = "webapp_resourceserver" owners = [data.azuread_client_config.current.object_id] # single tenant 
@@ -58,124 +42,65 @@ resource "azuread_application" "WebApp2" { id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read type = "Scope" } - } - - web { - redirect_uris = ["http://localhost:8080/login/oauth2/code/"] - - implicit_grant { - access_token_issuance_enabled = true - id_token_issuance_enabled = true - } - } -} - - - -# Configure WebApiC -resource "azuread_application" "WebApiC" { - display_name = "WebApiC" - - owners = [data.azuread_client_config.current.object_id] - # single tenant - sign_in_audience = "AzureADMyOrg" - - api { - requested_access_token_version = 2 - - oauth2_permission_scope { - admin_consent_description = "resource-server-1.scope-1" - admin_consent_display_name = "resource-server-1.scope-1" - enabled = true - id = random_uuid.resource-server-1-scope-1.result - type = "User" - value = "resource-server-1.scope-1" - } - - oauth2_permission_scope { - admin_consent_description = "resource-server-1.scope-2" - admin_consent_display_name = "resource-server-1.scope-2" - enabled = true - id = random_uuid.resource-server-1-scope-2.result - type = "User" - value = "resource-server-1.scope-2" - } - } - - app_role { - allowed_member_types = ["User"] - description = "resource-server-1-role-2" - display_name = "resource-server-1-role-2" - enabled = true - id = random_uuid.resource-server-1-role-2.result - value = "resource-server-1-role-2" - } - - app_role { - allowed_member_types = ["User"] - description = "resource-server-1-role-1" - display_name = "resource-server-1-role-1" - enabled = true - id = random_uuid.resource-server-1-role-1.result - value = "resource-server-1-role-1" - } - - required_resource_access { - resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + id = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All type = "Scope" } } required_resource_access { - resource_app_id = azuread_application.resource-server-2.application_id # 
Resource server 2 + resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013" # Azure Service Management - # need grant resource_access { - id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 + id = "41094075-9dad-400e-a0bd-54e686782033" # user_impersonation type = "Scope" } + } web { redirect_uris = ["http://localhost:8080/login/oauth2/code/"] - } -} -resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { - service_principal_object_id = azuread_service_principal.resource-server-1.object_id - resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id - claim_values = ["resource-server-2.scope-1"] + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } } -resource "azuread_service_principal" "client-1" { - application_id = azuread_application.client-1.application_id +resource "azuread_service_principal" "webapp_resourceserver" { + application_id = azuread_application.webapp_resourceserver.application_id app_role_assignment_required = false owners = [data.azuread_client_config.current.object_id] } -resource "azuread_service_principal" "resource-server-1" { - application_id = azuread_application.resource-server-1.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] +resource "azuread_application_password" "webapp_resourceserver" { + application_object_id = azuread_application.webapp_resourceserver.object_id } -resource "azuread_service_principal" "resource-server-2" { - application_id = azuread_application.resource-server-2.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] -} +data "azuread_application_published_app_ids" "well_known" {} +resource "azuread_service_principal" "msgraph" { + application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph + use_existing = true +} -resource 
"azuread_application_password" "client-1" { - application_object_id = azuread_application.client-1.object_id +resource "azuread_service_principal" "management" { + application_id = data.azuread_application_published_app_ids.well_known.result.AzureServiceManagement + use_existing = true } +resource "azuread_service_principal_delegated_permission_grant" "graph" { + service_principal_object_id = azuread_service_principal.webapp_resourceserver.object_id + resource_service_principal_object_id = azuread_service_principal.msgraph.object_id + claim_values = ["Directory.Read.All","User.Read"] +} -resource "azuread_application_password" "resource-server-1" { - application_object_id = azuread_application.resource-server-1.object_id +resource "azuread_service_principal_delegated_permission_grant" "management" { + service_principal_object_id = azuread_service_principal.webapp_resourceserver.object_id + resource_service_principal_object_id = azuread_service_principal.management.object_id + claim_values = ["user_impersonation"] } # Retrieve domain information @@ -184,18 +109,8 @@ data "azuread_domains" "example" { } # Create a user -resource "azuread_user" "newuser" { - user_principal_name = "security@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "security" - password = "Ms@123456" +resource "azuread_user" "user" { + user_principal_name = "webapp_resourceserver-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "webapp_resourceserver-${random_string.random.result}" + password = "Azure123456@" } - -resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.resource-server-1.application_id - } - - provisioner "local-exec" { - command = "/bin/bash set_identifier_uris.sh" - } -} \ No newline at end of file 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf index 30c75f5df..47fd034a7 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf @@ -1,47 +1,21 @@ - - - -#CLIENT-1-CLIENT-ID -#CLIENT-1-CLIENT-SECRET -#RESOURCE-SERVER-1-CLIENT-ID -#RESOURCE-SERVER-1-CLIENT-SECRET -#RESOURCE-SERVER-2-CLIENT-ID -#TENANT-ID -#user.email -#user.password - - -output "TENANT_ID" { +output "AZURE_TENANT_ID" { value = data.azuread_client_config.current.tenant_id } -output "CLIENT_1_CLIENT_ID" { - value = azuread_application.client-1.application_id -} - -output "RESOURCE_SERVER_1_CLIENT_ID" { - value = azuread_application.resource-server-1.application_id -} - -output "RESOURCE_SERVER_2_CLIENT_ID" { - value = azuread_application.resource-server-2.application_id -} - -output "CLIENT_1_CLIENT_SECRET" { - value = azuread_application_password.client-1.value - sensitive = true +output "AZURE_CLIENT_ID" { + value = azuread_application.webapp_resourceserver.application_id } -output "RESOURCE_SERVER_1_CLIENT_SECRET" { - value = azuread_application_password.resource-server-1.value +output "AZURE_CLIENT_SECRET" { + value = azuread_application_password.webapp_resourceserver.value sensitive = true } -output "user_password" { - value = azuread_user.newuser.password +output "USER_PASSWORD" { + value = azuread_user.user.password sensitive = true } -output "user_principal_name" { - value = azuread_user.newuser.user_principal_name +output "USER_PRINCIPAL_NAME" { + value = azuread_user.user.user_principal_name } \ No newline at end of file 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.ps1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh index c097b228a..f13b9f9c4 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh 
@@ -1,13 +1,15 @@ -export TENANT_ID=$(terraform output -raw TENANT_ID) -export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID) -export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) -export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET) -export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) +export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) +export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) +export AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) +export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) +export USER_PRINCIPAL_NAME=$(terraform -chdir=./terraform output -raw USER_PRINCIPAL_NAME) +export WEB_API_C_APP_ID_URL=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) -echo TENANT_ID=$TENANT_ID -echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID -echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID -echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID -echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET -echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET +echo AZURE_TENANT_ID=$AZURE_TENANT_ID +echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID +echo AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET +echo WEB_API_C_APP_ID_URL=$WEB_API_C_APP_ID_URL +echo "--------created user--------" + +echo USER_PRINCIPAL_NAME=$USER_PRINCIPAL_NAME +echo USER_PASSWORD=$USER_PASSWORD \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md index a8c7f4f79..f22077ff4 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md 
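Review bot: `echo AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET` and `echo USER_PASSWORD=$USER_PASSWORD` print the application secret and the user's password to stdout, so they end up in terminal scrollback and in any CI or screen-capture log of the setup step; since the values are already exported, printing only that they are set is enough, e.g. `echo "AZURE_CLIENT_SECRET: set (${#AZURE_CLIENT_SECRET} chars)"` and likewise for `USER_PASSWORD`. The same echo lines are added to `aad-web-application/terraform/setup_env.sh` in this patch, and the `aad/spring-security/terraform/setup_env.sh` hunk leaves the pre-existing `CLIENT_1_CLIENT_SECRET` echo outside the hunk untouched. `WEB_API_C_APP_ID_URL` is assigned the `AZURE_CLIENT_ID` output rather than an application ID URI, so the name is misleading; if the identifier URI is intended it would presumably be `api://$AZURE_CLIENT_ID`, otherwise the variable should be named for what it holds.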
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md 
@@ -1,10 +1,105 @@ # Spring Boot application with Azure Active Directory +This guide demonstrates how to provision Azure Resources with terraform. + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions ``` -az account tenant list + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] ``` -Make sure you are using the right tenant with sufficient privileges. +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# In the specific sample's directory, where contains pom.xml. 
+# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `mvn clean spring-boot:run`. + +```shell +mvn clean spring-boot:run +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve ``` -az login --tenant [your-tenant] --allow-no-subscriptions -``` \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf index 585c7f519..3f2d273a7 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf 
@@ -2,11 +2,21 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "~> 2.15.0" + version = "2.19.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" } } } +resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" +} + data "azuread_client_config" "current" {} # Configure the Azure Active Directory Provider @@ -25,13 +35,6 @@ resource "azuread_application" "webapp" { requested_access_token_version = 2 } -# arm: -# on-demand: true -# scopes: https://management.core.windows.net/user_impersonation -# graph: -# scopes: -# - https://graph.microsoft.com/User.Read -# - https://graph.microsoft.com/Directory.Read.All required_resource_access { resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph @@ -39,6 +42,21 @@ resource "azuread_application" "webapp" { id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read type = "Scope" } + + resource_access { + id = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All + type = "Scope" + } + } + + required_resource_access { + resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013" # Azure Service Management + + resource_access { + id = "41094075-9dad-400e-a0bd-54e686782033" # user_impersonation + type = "Scope" + } + } web { 
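Review bot: The hunk `@@ -25,13 +35,6 @@` deletes the `# arm: … # graph: …` comment block that was the only link between the permission GUIDs and the sample's authorization-client configuration, while `@@ -39,6 +42,21 @@` adds `Directory.Read.All` and Azure Service Management `user_impersonation` to the application with no explanation of which sample feature needs each. A short comment above each `required_resource_access` block, e.g. `# Delegated Graph scopes consumed by the sample's "graph" client: User.Read, Directory.Read.All` and `# Delegated ARM scope consumed by the sample's on-demand "arm" client`, would preserve that mapping, and the inline GUID comments already present should be kept in sync with it. The `azuread_application "webapp"` block this hunk edits begins and ends outside the hunk.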
@@ -57,11 +75,33 @@ resource "azuread_service_principal" "webapp" { owners = [data.azuread_client_config.current.object_id] } - -resource "azuread_application_password" "webapp" { +resource "azuread_application_password" "webapp_resourceserver" { application_object_id = azuread_application.webapp.object_id } +data "azuread_application_published_app_ids" "well_known" {} + +resource "azuread_service_principal" "msgraph" { + application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph + use_existing = true +} + +resource "azuread_service_principal" "management" { + application_id = data.azuread_application_published_app_ids.well_known.result.AzureServiceManagement + use_existing = true +} + +resource "azuread_service_principal_delegated_permission_grant" "graph" { + service_principal_object_id = azuread_service_principal.webapp.object_id + resource_service_principal_object_id = azuread_service_principal.msgraph.object_id + claim_values = ["Directory.Read.All","User.Read"] +} + +resource "azuread_service_principal_delegated_permission_grant" "management" { + service_principal_object_id = azuread_service_principal.webapp.object_id + resource_service_principal_object_id = azuread_service_principal.management.object_id + claim_values = ["user_impersonation"] +} # Retrieve domain information data "azuread_domains" "example" { @@ -70,7 +110,7 @@ data "azuread_domains" "example" { # Create a user resource "azuread_user" "user" { - user_principal_name = "webapp@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "webapp" - password = "Ms@123456" -} \ No newline at end of file + user_principal_name = "webapp-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "webapp-${random_string.random.result}" + password = "Azure123456@" +} 
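Review bot: `azuread_application_password "webapp"` is renamed to `"webapp_resourceserver"` in `aad-web-application/terraform/main.tf`, although every other resource in this file (`azuread_application.webapp`, `azuread_service_principal.webapp`, and the `application_object_id = azuread_application.webapp.object_id` on the very next line) keeps the `webapp` name; this looks copied from the web-application-and-resource-server sample and makes the file read as if two applications were involved. Keeping `resource "azuread_application_password" "webapp" {` and the matching `azuread_application_password.webapp.value` reference that this patch also rewrites in `outputs.tf` would keep the names consistent.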
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf index b5e8fb093..cbbacb380 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf @@ -1,4 +1,4 @@ -output "TENANT_ID" { +output "AZURE_TENANT_ID" { value = data.azuread_client_config.current.tenant_id } @@ -7,15 +7,15 @@ output "AZURE_CLIENT_ID" { } output "AZURE_CLIENT_SECRET" { - value = azuread_application_password.webapp.value + value = azuread_application_password.webapp_resourceserver.value sensitive = true } -output "USER_NAME" { - value = azuread_user.user.user_principal_name -} - output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true } + +output "USER_PRINCIPAL_NAME" { + value = azuread_user.user.user_principal_name +} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh deleted file mode 100644 index a2690713b..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/set_identifier_uris.sh +++ /dev/null @@ -1,9 +0,0 @@ -RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) - -# set identifier_uris -az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID -az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID - - - 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.ps1 b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.ps1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh index c097b228a..48fa4140c 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh 
@@ -1,13 +1,13 @@ -export TENANT_ID=$(terraform output -raw TENANT_ID) -export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID) -export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) -export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET) -export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) +export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) +export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) +export AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) +export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) +export USER_PRINCIPAL_NAME=$(terraform -chdir=./terraform output -raw USER_PRINCIPAL_NAME) -echo TENANT_ID=$TENANT_ID -echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID -echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID -echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID -echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET -echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET +echo AZURE_TENANT_ID=$AZURE_TENANT_ID +echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID +echo AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET +echo "--------created user--------" + +echo USER_PRINCIPAL_NAME=$USER_PRINCIPAL_NAME +echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf deleted file mode 100644 index 6fe3d961b..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/variables.tf +++ /dev/null 
@@ -1,17 +0,0 @@ -variable "application_name" { - type = string - description = "The name of your application." - default = "keyvault" -} - -variable "location" { - type = string - description = "The Azure region where all resources in this example should be created." - default = "eastus" -} - -variable "sample_tag_value" { - type = string - description = "The value of spring-cloud-azure-sample tag." - default = "true" -} diff --git a/aad/spring-security/terraform/README.md b/aad/spring-security/terraform/README.md index a8c7f4f79..f22077ff4 100644 --- a/aad/spring-security/terraform/README.md +++ b/aad/spring-security/terraform/README.md 
@@ -1,10 +1,105 @@ # Spring Boot application with Azure Active Directory +This guide demonstrates how to provision Azure Resources with terraform. + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions ``` -az account tenant list + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] ``` -Make sure you are using the right tenant with sufficient privileges. +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# In the specific sample's directory, where contains pom.xml. 
+# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `mvn clean spring-boot:run`. + +```shell +mvn clean spring-boot:run +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve ``` -az login --tenant [your-tenant] --allow-no-subscriptions -``` \ No newline at end of file diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index 4f114a75e..7c23c2463 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "~> 2.15.0" + version = "2.19.0" } random = { source = "hashicorp/random" @@ -15,6 +15,12 @@ terraform { } } +resource "random_string" "random" { + length = 5 + special = true + override_special = "/@£$" +} + resource "random_uuid" "resource-server-1-scope-1" { } 
@@ -227,9 +233,9 @@ data "azuread_domains" "example" { # Create a user resource "azuread_user" "user" { - user_principal_name = "security@${data.azuread_domains.example.domains.0.domain_name}" + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" display_name = "security" - password = "Ms@123456" + password = "Azure123456@" } resource "null_resource" "set_env" { diff --git a/aad/spring-security/terraform/setup_env.ps1 b/aad/spring-security/terraform/setup_env.ps1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/aad/spring-security/terraform/setup_env.sh b/aad/spring-security/terraform/setup_env.sh index c097b228a..6d4b3b2a1 100644 --- a/aad/spring-security/terraform/setup_env.sh +++ b/aad/spring-security/terraform/setup_env.sh @@ -1,9 +1,9 @@ -export TENANT_ID=$(terraform output -raw TENANT_ID) -export CLIENT_1_CLIENT_ID=$(terraform output -raw CLIENT_1_CLIENT_ID) -export RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -export RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) -export CLIENT_1_CLIENT_SECRET=$(terraform output -raw CLIENT_1_CLIENT_SECRET) -export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) +export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID) +export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID) +export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) +export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) +export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET) +export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) echo TENANT_ID=$TENANT_ID echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID 
From 74c3f8f7e4ec96a774c30533e18855a705765f77 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Wed, 16 Mar 2022 14:46:26 +0800 Subject: [PATCH 12/38] update terraform scripts for random provider --- .../terraform/main.tf | 3 +-- .../aad-resource-server-by-filter/terraform/main.tf | 10 ++++------ .../aad-resource-server/terraform/main.tf | 3 +-- .../terraform/main.tf | 3 +-- .../aad-web-application/terraform/main.tf | 3 +-- aad/spring-security/terraform/main.tf | 3 +-- 6 files changed, 9 insertions(+), 16 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 763ee9d83..98bda4cb6 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -17,8 +17,7 @@ terraform { resource "random_string" "random" { length = 5 - special = true - override_special = "/@£$" + special = false } data "azuread_client_config" "current" {} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index 34d1f2222..d3d5befbf 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf 
@@ -4,18 +4,16 @@ terraform {
 source = "hashicorp/azuread"
 version = "2.19.0"
 }
- resource "random_string" "random" {
- length = 5
- special = true
- override_special = "/@£$"
+ random = {
+ source = "hashicorp/random"
+ version = "3.1.0"
 }
 }
 }
 
 resource "random_string" "random" {
 length = 5
- special = true
- override_special = "/@£$"
+ special = false
 }
 
 data "azuread_client_config" "current" {}
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf
index 4017ea254..e53337b61 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf
@@ -20,8 +20,7 @@ resource "random_uuid" "webapiB" {
 
 resource "random_string" "random" {
 length = 5
- special = true
- override_special = "/@£$"
+ special = false
 }
 
 data "azuread_client_config" "current" {}
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf
index 056a9cc09..97705792f 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf
@@ -13,8 +13,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
- special = true
- override_special = "/@£$"
+ special = false
 }
 
 data "azuread_client_config" "current" {}
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
index 3f2d273a7..8aecab4fb 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
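Review bot: The new `random = { source = "hashicorp/random" version = "3.1.0" }` entry pins the provider version exactly, but the diffstat for this patch lists only `main.tf` files and no `.terraform.lock.hcl`, so provider checksums are still resolved afresh on every `terraform init` and an exact version constraint alone does not tie the sample to a known artefact. For configurations that mint Azure AD application secrets and user passwords, committing the dependency lock file is the step that actually does that: `terraform providers lock -platform=linux_amd64 -platform=darwin_amd64 -platform=windows_amd64` and add the generated `.terraform.lock.hcl` next to `main.tf`. The same applies to the other `required_providers` blocks touched in this series.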
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
@@ -13,8 +13,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
- special = true
- override_special = "/@£$"
+ special = false
 }
 
 data "azuread_client_config" "current" {}
diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf
index 7c23c2463..e96b623ca 100644
--- a/aad/spring-security/terraform/main.tf
+++ b/aad/spring-security/terraform/main.tf
@@ -17,8 +17,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
- special = true
- override_special = "/@£$"
+ special = false
 }
 
 resource "random_uuid" "resource-server-1-scope-1" {
From 66ee4a0159ca361880f6da7034f6e057318985a0 Mon Sep 17 00:00:00 2001
From: zhihaoguo
Date: Wed, 16 Mar 2022 14:56:25 +0800
Subject: [PATCH 13/38] update terraform scripts for resource "random_string"

---
 .../aad-resource-server-by-filter-stateless/terraform/main.tf | 1 +
 .../aad-resource-server-by-filter/terraform/main.tf | 1 +
 .../aad-resource-server/terraform/main.tf | 1 +
 .../aad-web-application-and-resource-server/terraform/main.tf | 1 +
 .../aad-web-application/terraform/main.tf | 1 +
 aad/spring-security/terraform/main.tf | 1 +
 6 files changed, 6 insertions(+)

diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf
index 98bda4cb6..4adb8741b 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf
@@ -17,6 +17,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
+ min_lower = 5
 special = false
 }
 
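Review bot: `min_lower = 5` together with `length = 5` says "lowercase letters only" indirectly — a reader has to notice that the two numbers match to see that uppercase and digits are excluded, and the constraint silently breaks if either value is edited alone. With random provider 3.1.0 the direct form is `upper = false` and `number = false` next to the existing `special = false`, which states the intent and survives a change of `length`. A one-line comment on the resource would also help, e.g. `# lowercase only: the result is the local part of the sample user's UPN` (the UPN use is presumed from the other samples in this series; confirm for this file). The same change is repeated in the sibling `main.tf` hunks of this patch.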
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf
index d3d5befbf..e63448ee6 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf
@@ -13,6 +13,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
+ min_lower = 5
 special = false
 }
 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf
index e53337b61..ae6774f8f 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf
@@ -20,6 +20,7 @@ resource "random_uuid" "webapiB" {
 
 resource "random_string" "random" {
 length = 5
+ min_lower = 5
 special = false
 }
 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf
index 97705792f..18dd293e9 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf
@@ -13,6 +13,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
+ min_lower = 5
 special = false
 }
 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
index 8aecab4fb..ce72a064a 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
@@ -13,6 +13,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
+ min_lower = 5
 special = false
 }
 
diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf
index e96b623ca..466e86f08 100644
--- a/aad/spring-security/terraform/main.tf
+++ b/aad/spring-security/terraform/main.tf
@@ -17,6 +17,7 @@ terraform {
 
 resource "random_string" "random" {
 length = 5
+ min_lower = 5
 special = false
 }
 
From dd478cf3ee1d51e26a6cbc44791b44121271a395 Mon Sep 17 00:00:00 2001
From: zhihaoguo Date: Wed, 16 Mar 2022 17:28:40 +0800 Subject: [PATCH 14/38] combine 3 samples within folder aad-web-application-and-resource-server --- .../terraform/main.tf | 2 +- .../terraform/outputs.tf | 6 +- .../terraform/outputs.tf | 15 ++- .../aad-resource-server/terraform/main.tf | 96 ------------------ .../aad-resource-server/terraform/outputs.tf | 16 --- .../terraform/set_identifier_uris.sh | 4 - .../terraform/setup_env.sh | 8 -- .../terraform/outputs.tf | 6 +- .../README.md | 0 .../aad-resource-server-obo/README.md | 0 ...ad-obo-flow-and-client-credential-flow.png | Bin .../docs/image-add-grant-admin-consent.png | Bin .../docs/image-add-permissions.png | Bin .../image-resource-server-obo-add-scope.png | Bin .../image-select-application-permission.png | Bin .../docs/image-select-myapis.png | Bin .../aad-resource-server-obo/pom.xml | 4 +- ...th2ResourceServerOboSampleApplication.java | 0 .../configuration/AadSampleConfiguration.java | 0 .../aad/controller/SampleController.java | 0 .../src/main/resources/application.yml | 0 .../aad-resource-server/README.md | 0 .../docs/image-add-a-scope.png | Bin .../docs/image-add-custom-apis-to-webapp.png | Bin .../docs/image-add-resource-server.png | Bin .../docs/image-creat-secrets-api.png | Bin .../docs/image-expose-api.png | Bin .../aad-resource-server/docs/image-final.png | Bin .../docs/image-granted-permission.png | Bin .../docs/image-protal-manage.png | Bin .../docs/image-register-a-web-api.png | Bin .../docs/image-set-application-id-url.png | Bin .../aad-resource-server/pom.xml | 2 +- ...OAuth2ResourceServerSampleApplication.java | 0 .../sample/aad/controller/HomeController.java | 0 .../src/main/resources/application.yml | 0 .../aad-web-application/README.md | 0 .../docs/image-add-a-platform.png | Bin .../docs/image-add-grant-admin-consent.png | Bin .../docs/image-add-permissions.png | Bin .../docs/image-create-app-secrets.png | Bin .../docs/image-permissions.png | Bin .../docs/image-portal-manage.png | Bin 
.../docs/image-register-a-web-app.png | Bin .../docs/image-request-api-permissions.png | Bin .../docs/image-secret-value.png | Bin .../docs/image-select-myapis.png | Bin .../aad-web-application/pom.xml | 2 +- .../aad/AadOAuth2WebAppSampleApplication.java | 0 .../sample/aad/config/WebClientConfig.java | 0 .../aad/controller/AuthorityController.java | 0 .../aad/controller/ClientController.java | 0 .../controller/OnDemandClientController.java | 0 .../sample/aad/controller/RoleController.java | 0 .../aad/controller/WebApiController.java | 0 .../spring/sample/aad/utils/JsonMapper.java | 0 .../src/main/resources/application.yml | 0 .../src/main/resources/templates/index.html | 0 .../web-client-access-resource-server/pom.xml | 31 ++++++ .../terraform/README.md | 0 .../terraform/main.tf | 0 .../terraform/outputs.tf | 5 + .../terraform/setup_env.sh | 0 .../run_all.sh | 19 ++-- aad/spring-security/terraform/main.tf | 2 +- aad/spring-security/terraform/setup_env.sh | 6 ++ aad/spring-security/terraform/variables.tf | 17 ---- 67 files changed, 80 insertions(+), 161 deletions(-) delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/README.md (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/docs/image-aad-obo-flow-and-client-credential-flow.png (100%) rename 
aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/docs/image-add-grant-admin-consent.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/docs/image-add-permissions.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/docs/image-resource-server-obo-add-scope.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/docs/image-select-application-permission.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/docs/image-select-myapis.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/pom.xml (94%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerOboSampleApplication.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/configuration/AadSampleConfiguration.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/controller/SampleController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server-obo/src/main/resources/application.yml (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/README.md (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => 
web-client-access-resource-server}/aad-resource-server/docs/image-add-a-scope.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-add-custom-apis-to-webapp.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-add-resource-server.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-creat-secrets-api.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-expose-api.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-final.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-granted-permission.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-protal-manage.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-register-a-web-api.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/docs/image-set-application-id-url.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/pom.xml (95%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerSampleApplication.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => 
web-client-access-resource-server}/aad-resource-server/src/main/java/com/azure/spring/sample/aad/controller/HomeController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-resource-server/src/main/resources/application.yml (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/README.md (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-add-a-platform.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-add-grant-admin-consent.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-add-permissions.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-create-app-secrets.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-permissions.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-portal-manage.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-register-a-web-app.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-request-api-permissions.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-secret-value.png (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/docs/image-select-myapis.png (100%) rename 
aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/pom.xml (97%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/AadOAuth2WebAppSampleApplication.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/config/WebClientConfig.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/AuthorityController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/ClientController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/OnDemandClientController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/RoleController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/WebApiController.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/java/com/azure/spring/sample/aad/utils/JsonMapper.java (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => web-client-access-resource-server}/aad-web-application/src/main/resources/application.yml (100%) rename aad/spring-cloud-azure-starter-active-directory/{ => 
web-client-access-resource-server}/aad-web-application/src/main/resources/templates/index.html (100%) create mode 100644 aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/pom.xml rename aad/spring-cloud-azure-starter-active-directory/{aad-web-application => web-client-access-resource-server}/terraform/README.md (100%) rename aad/spring-cloud-azure-starter-active-directory/{aad-web-application => web-client-access-resource-server}/terraform/main.tf (100%) rename aad/spring-cloud-azure-starter-active-directory/{aad-web-application => web-client-access-resource-server}/terraform/outputs.tf (61%) rename aad/spring-cloud-azure-starter-active-directory/{aad-web-application => web-client-access-resource-server}/terraform/setup_env.sh (100%) delete mode 100644 aad/spring-security/terraform/variables.tf diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 4adb8741b..55ac04afe 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -127,4 +127,4 @@ resource "null_resource" "set_env" { provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" } -} \ No newline at end of file +} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf index 183a98ec8..55b992d57 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf 
@@ -1,16 +1,20 @@
 output "AZURE_TENANT_ID" {
 value = data.azuread_client_config.current.tenant_id
+ description = "The Azure tenant id."
 }
 
 output "AZURE_CLIENT_ID" {
 value = azuread_application.aadresourceserverbyfilterstateless.application_id
+ description = "The application id."
 }
 
 output "USER_NAME" {
 value = azuread_user.user.user_principal_name
+ description = "The user name of the user created by terraform."
 }
 
 output "USER_PASSWORD" {
 value = azuread_user.user.password
 sensitive = true
-}
\ No newline at end of file
+ description = "The password of the user created by terraform."
+}
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf
index e43bb8e31..a2abe29fc 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf
@@ -1,21 +1,26 @@
+output "AZURE_TENANT_ID" {
+ value = data.azuread_client_config.current.tenant_id
+ description = "The Azure tenant id."
+}
+
 output "AZURE_CLIENT_ID" {
 value = azuread_application.aadresourceserverbyfilter.application_id
+ description = "The application id."
 }
 
 output "AZURE_CLIENT_SECRET" {
 value = azuread_application_password.aadresourceserverbyfilter.value
 sensitive = true
-}
-
-output "AZURE_TENANT_ID" {
- value = data.azuread_client_config.current.tenant_id
+ description = "A secret string the application uses to prove its identity."
 }
 
 output "USER_NAME" {
 value = azuread_user.user.user_principal_name
+ description = "The user name of the user created by terraform."
 }
 
 output "USER_PASSWORD" {
 value = azuread_user.user.password
 sensitive = true
-}
\ No newline at end of file
+ description = "The password of the user created by terraform."
+}
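Review bot: `sensitive = true` on `AZURE_CLIENT_SECRET` and `USER_PASSWORD` only redacts the CLI display; the application password and the user password are still written in clear text to `terraform.tfstate`, and no `backend` block is visible in these samples, so the state sits as a local file next to the code and next to `setup_env.sh`, which reads it with `terraform output -raw`. The descriptions added here are the natural place to say so, e.g. `description = "A secret string the application uses to prove its identity. Stored in plain text in terraform.tfstate; keep the state file out of version control."`, and a `.gitignore` entry for `terraform.tfstate*` and `.terraform/` should accompany these samples if one is not already present (none is visible in this series). Marking the outputs sensitive is correct and should stay.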
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf deleted file mode 100644 index ae6774f8f..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/main.tf +++ /dev/null 
@@ -1,96 +0,0 @@ -terraform { - required_providers { - azuread = { - source = "hashicorp/azuread" - version = "2.19.0" - } - random = { - source = "hashicorp/random" - version = "3.1.0" - } - null = { - source = "hashicorp/null" - version = "3.1.0" - } - } -} - -resource "random_uuid" "webapiB" { -} - -resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false -} - -data "azuread_client_config" "current" {} - -# Configure the Azure Active Directory Provider -provider "azuread" { -} - -# Configure webapiB -resource "azuread_application" "webapiB" { - display_name = "webapiB" - - owners = [data.azuread_client_config.current.object_id] - # single tenant - sign_in_audience = "AzureADMyOrg" - - api { - requested_access_token_version = 2 - - oauth2_permission_scope { - admin_consent_description = "WebApiB.ExampleScope" - admin_consent_display_name = "WebApiB.ExampleScope" - enabled = true - id = random_uuid.webapiB.result - type = "User" - value = "WebApiB.ExampleScope" - } - - } - - required_resource_access { - resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph - - resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - type = "Scope" - } - } -} - - -resource "azuread_service_principal" "webapiB" { - application_id = azuread_application.webapiB.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] -} - -resource "azuread_application_password" "webapiB" { - application_object_id = azuread_application.webapiB.object_id -} - -# Retrieve domain information -data "azuread_domains" "example" { - only_initial = true -} - -# Create a user -resource "azuread_user" "user" { - user_principal_name = "aadresourceserver-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "aadresourceserver-${random_string.random.result}" - password = "Azure123456@" -} - -resource "null_resource" "set_env" { - triggers = { - 
application_id = azuread_service_principal.webapiB.application_id - } - - provisioner "local-exec" { - command = "/bin/bash set_identifier_uris.sh" - } -} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf deleted file mode 100644 index 96fc30b6e..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/outputs.tf +++ /dev/null @@ -1,16 +0,0 @@ -output "AZURE_TENANT_ID" { - value = data.azuread_client_config.current.tenant_id -} - -output "WEB_API_B_CLIENT_ID" { - value = azuread_application.webapiB.application_id -} - -output "USER_PASSWORD" { - value = azuread_user.user.password - sensitive = true -} - -output "USER_NAME" { - value = azuread_user.user.user_principal_name -} \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh deleted file mode 100644 index 41b2f19d7..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/set_identifier_uris.sh +++ /dev/null @@ -1,4 +0,0 @@ -WEB_API_B_CLIENT_ID=$(terraform output -raw WEB_API_B_CLIENT_ID) - -# set identifier_uris -az ad app update --id $WEB_API_B_CLIENT_ID --identifier-uris api://$WEB_API_B_CLIENT_ID diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh deleted file mode 100644 index 594388640..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/terraform/setup_env.sh +++ /dev/null 
@@ -1,8 +0,0 @@
-export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID)
-export WEB_API_B_CLIENT_ID=$(terraform -chdir=./terraform output -raw WEB_API_B_CLIENT_ID)
-export WEB_API_B_APP_ID_URI=api://$WEB_API_B_CLIENT_ID
-
-echo AZURE_TENANT_ID=$AZURE_TENANT_ID
-echo WEB_API_B_CLIENT_ID=$WEB_API_B_CLIENT_ID
-echo WEB_API_B_APP_ID_URI=$WEB_API_B_APP_ID_URI
-
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf
index 47fd034a7..925977ece 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf
@@ -1,9 +1,11 @@
 output "AZURE_TENANT_ID" {
 value = data.azuread_client_config.current.tenant_id
+ description = "The Azure tenant id."
 }
 
 output "AZURE_CLIENT_ID" {
 value = azuread_application.webapp_resourceserver.application_id
+ description = "The application id."
 }
 
 output "AZURE_CLIENT_SECRET" {
@@ -14,8 +16,10 @@ output "AZURE_CLIENT_SECRET" {
 output "USER_PASSWORD" {
 value = azuread_user.user.password
 sensitive = true
+ description = "The password of the user created by terraform."
 }
 
 output "USER_PRINCIPAL_NAME" {
 value = azuread_user.user.user_principal_name
-}
\ No newline at end of file
+ description = "The user name of the user created by terraform."
+}
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/README.md similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/README.md rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/README.md diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-aad-obo-flow-and-client-credential-flow.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-aad-obo-flow-and-client-credential-flow.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-aad-obo-flow-and-client-credential-flow.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-aad-obo-flow-and-client-credential-flow.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-add-grant-admin-consent.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-add-grant-admin-consent.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-add-grant-admin-consent.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-add-grant-admin-consent.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-add-permissions.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-add-permissions.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-add-permissions.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-add-permissions.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-resource-server-obo-add-scope.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-resource-server-obo-add-scope.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-resource-server-obo-add-scope.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-resource-server-obo-add-scope.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-select-application-permission.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-select-application-permission.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-select-application-permission.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-select-application-permission.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-select-myapis.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-select-myapis.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/docs/image-select-myapis.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/docs/image-select-myapis.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/pom.xml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/pom.xml similarity index 94% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/pom.xml rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/pom.xml index a0db377eb..64ab8359f 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/pom.xml +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/pom.xml @@ -7,14 +7,14 @@ com.azure.spring azure-spring-boot-samples 1.0.0 - ../../../pom.xml + ../../../../pom.xml spring-cloud-azure-starter-active-directory-resource-server-obo 1.0.0 jar - Spring-Cloud-Azure-Starter-Active-Directory Sample: Resource Server with On-Behalf-of Feature + Spring-Cloud-Azure-Starter-Active-Directory Sample: Resource Server with On-Behalf-Of Feature Azure AD Spring Security Integration Spring Boot Resource Server OBO 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerOboSampleApplication.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerOboSampleApplication.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerOboSampleApplication.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerOboSampleApplication.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/configuration/AadSampleConfiguration.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/configuration/AadSampleConfiguration.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/configuration/AadSampleConfiguration.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/configuration/AadSampleConfiguration.java 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/controller/SampleController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/controller/SampleController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/controller/SampleController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/java/com/azure/spring/sample/aad/controller/SampleController.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/resources/application.yml similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo/src/main/resources/application.yml rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server-obo/src/main/resources/application.yml diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/README.md similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/README.md rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/README.md 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-add-a-scope.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-add-a-scope.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-add-a-scope.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-add-a-scope.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-add-custom-apis-to-webapp.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-add-custom-apis-to-webapp.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-add-custom-apis-to-webapp.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-add-custom-apis-to-webapp.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-add-resource-server.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-add-resource-server.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-add-resource-server.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-add-resource-server.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-creat-secrets-api.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-creat-secrets-api.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-creat-secrets-api.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-creat-secrets-api.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-expose-api.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-expose-api.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-expose-api.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-expose-api.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-final.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-final.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-final.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-final.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-granted-permission.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-granted-permission.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-granted-permission.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-granted-permission.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-protal-manage.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-protal-manage.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-protal-manage.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-protal-manage.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-register-a-web-api.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-register-a-web-api.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-register-a-web-api.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-register-a-web-api.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-set-application-id-url.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-set-application-id-url.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/docs/image-set-application-id-url.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/docs/image-set-application-id-url.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/pom.xml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/pom.xml similarity index 95% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/pom.xml rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/pom.xml index 9e6030977..f167acaa1 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/pom.xml +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/pom.xml @@ -7,7 +7,7 @@ com.azure.spring azure-spring-boot-samples 1.0.0 - ../../../pom.xml + ../../../../pom.xml spring-cloud-azure-starter-active-directory-resource-server 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerSampleApplication.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerSampleApplication.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerSampleApplication.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/src/main/java/com/azure/spring/sample/aad/AadOAuth2ResourceServerSampleApplication.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/java/com/azure/spring/sample/aad/controller/HomeController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/src/main/java/com/azure/spring/sample/aad/controller/HomeController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/java/com/azure/spring/sample/aad/controller/HomeController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/src/main/java/com/azure/spring/sample/aad/controller/HomeController.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/src/main/resources/application.yml similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-resource-server/src/main/resources/application.yml rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-resource-server/src/main/resources/application.yml 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/README.md similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/README.md rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/README.md diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-add-a-platform.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-add-a-platform.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-add-a-platform.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-add-a-platform.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-add-grant-admin-consent.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-add-grant-admin-consent.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-add-grant-admin-consent.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-add-grant-admin-consent.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-add-permissions.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-add-permissions.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-add-permissions.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-add-permissions.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-create-app-secrets.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-create-app-secrets.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-create-app-secrets.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-create-app-secrets.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-permissions.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-permissions.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-permissions.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-permissions.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-portal-manage.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-portal-manage.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-portal-manage.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-portal-manage.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-register-a-web-app.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-register-a-web-app.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-register-a-web-app.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-register-a-web-app.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-request-api-permissions.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-request-api-permissions.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-request-api-permissions.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-request-api-permissions.png 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-secret-value.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-secret-value.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-secret-value.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-secret-value.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-select-myapis.png b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-select-myapis.png similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/docs/image-select-myapis.png rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/docs/image-select-myapis.png diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/pom.xml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/pom.xml similarity index 97% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/pom.xml rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/pom.xml index adf00117d..87bdf3c5c 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/pom.xml +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/pom.xml @@ -7,7 +7,7 @@ com.azure.spring azure-spring-boot-samples 1.0.0 - ../../../pom.xml + ../../../../pom.xml spring-cloud-azure-starter-active-directory-webapp 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/AadOAuth2WebAppSampleApplication.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/AadOAuth2WebAppSampleApplication.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/AadOAuth2WebAppSampleApplication.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/AadOAuth2WebAppSampleApplication.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/config/WebClientConfig.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/config/WebClientConfig.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/config/WebClientConfig.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/config/WebClientConfig.java 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/AuthorityController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/AuthorityController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/AuthorityController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/AuthorityController.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/ClientController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/ClientController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/ClientController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/ClientController.java 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/OnDemandClientController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/OnDemandClientController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/OnDemandClientController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/OnDemandClientController.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/RoleController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/RoleController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/RoleController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/RoleController.java 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/WebApiController.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/WebApiController.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/WebApiController.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/controller/WebApiController.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/utils/JsonMapper.java b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/utils/JsonMapper.java similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/java/com/azure/spring/sample/aad/utils/JsonMapper.java rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/java/com/azure/spring/sample/aad/utils/JsonMapper.java diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/application.yml similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/resources/application.yml rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/application.yml 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/resources/templates/index.html b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/templates/index.html similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/src/main/resources/templates/index.html rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/templates/index.html diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/pom.xml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/pom.xml new file mode 100644 index 000000000..66cef4a71 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/pom.xml @@ -0,0 +1,31 @@ + + + 4.0.0 + + + com.azure.spring + azure-spring-boot-samples + 1.0.0 + ../../../pom.xml + + + azure-active-directory-sample-on-behalf-of + 1.0.0 + pom + + Azure Active Directory Sample: On-Behalf-Of + + + 11 + 11 + + + + aad-resource-server + aad-resource-server-obo + aad-web-application + + + \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/README.md rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md 
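Review bot: The new aggregator POM's artifactId `azure-active-directory-sample-on-behalf-of` and name `Azure Active Directory Sample: On-Behalf-Of` describe only one of the three modules it lists (`aad-resource-server`, `aad-resource-server-obo`, `aad-web-application`) and do not match the directory it lives in, `web-client-access-resource-server`, which makes the module hard to place in a reactor listing. Naming it after the directory, e.g. `spring-cloud-azure-starter-active-directory-web-client-access-resource-server`, would also follow the `spring-cloud-azure-starter-active-directory-...` convention the three child POMs use in the earlier hunks of this patch. The file is also committed without a trailing newline.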
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
similarity index 100%
rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/main.tf
rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf
similarity index 61%
rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf
rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf
index cbbacb380..f9b1ce414 100644
--- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/outputs.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf
@@ -1,21 +1,26 @@
 output "AZURE_TENANT_ID" {
 value = data.azuread_client_config.current.tenant_id
+ description = "The application id."
 }
 
 output "AZURE_CLIENT_ID" {
 value = azuread_application.webapp.application_id
+ description = "The application id."
 }
 
 output "AZURE_CLIENT_SECRET" {
 value = azuread_application_password.webapp_resourceserver.value
 sensitive = true
+ description = "A secret string the application uses to prove its identity."
 }
 
 output "USER_PASSWORD" {
 value = azuread_user.user.password
 sensitive = true
+ description = "The password of the user created by terraform."
 }
 
 output "USER_PRINCIPAL_NAME" {
 value = azuread_user.user.user_principal_name
+ description = "The user name of the user created by terraform."
 }
\ No newline at end of file
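Review bot: The description added to the `AZURE_TENANT_ID` output reads `"The application id."`, copied from the `AZURE_CLIENT_ID` block beneath it; it should be `description = "The tenant id."`. The other four descriptions match the value they document. The file is still written without a trailing newline (`\ No newline at end of file`), which the `spring-security/terraform/main.tf` hunk later in this patch fixes for its own file but this one does not.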
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh similarity index 100% rename from aad/spring-cloud-azure-starter-active-directory/aad-web-application/terraform/setup_env.sh rename to aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh index 82f13916c..a6a8d68be 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh @@ -1,5 +1,10 @@ #!/usr/bin/env bash +kill -9 $(lsof -t -i tcp:8080) +kill -9 $(lsof -t -i tcp:8081) +kill -9 $(lsof -t -i tcp:8082) + + export terraform_path="../../../terraform" export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) 
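Review bot: `kill -9 $(lsof -t -i tcp:8080)` and the two lines after it fail with a `kill: usage` error on a clean machine, because the command substitution is empty when nothing is listening, and when something is listening they SIGKILL whatever process owns the port — not necessarily this sample's jars — with no chance to shut down cleanly. A guarded form that only signals when a listener exists and lets the process exit normally avoids both: `for p in 8080 8081 8082; do pids=$(lsof -t -i tcp:$p); [ -n "$pids" ] && kill $pids; done`. The script also assumes `lsof` is installed without checking; the old comment this replaces (removed in the next hunk) at least left the choice to the user.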
@@ -8,17 +13,17 @@ export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -ra export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_2_CLIENT_ID) export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET) export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_SECRET) +export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) +echo "--------created user--------" +echo USER_NAME=$USER_NAME +echo USER_PASSWORD=$USER_PASSWORD -echo "Running apps" +echo "--------Running apps--------" mkdir -p target nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & sleep 10 -echo "All apps started" - -tail -f target/client.log -f target/resource-server-1.log -f target/resource-server-2.log - -# you can kill the process with port -# kill -9 $(lsof -t -i tcp:) \ No newline at end of file +echo "All apps started, please check target folder for logs." diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/terraform/main.tf index 466e86f08..7c0b098fd 100644 --- a/aad/spring-security/terraform/main.tf +++ b/aad/spring-security/terraform/main.tf @@ -246,4 +246,4 @@ resource "null_resource" "set_env" { provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" } -} \ No newline at end of file +} diff --git a/aad/spring-security/terraform/setup_env.sh b/aad/spring-security/terraform/setup_env.sh index 6d4b3b2a1..926eb7c26 100644 --- a/aad/spring-security/terraform/setup_env.sh +++ b/aad/spring-security/terraform/setup_env.sh 
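Review bot: `echo USER_PASSWORD=$USER_PASSWORD` writes the generated user's password in clear text to stdout, where it lands in terminal scrollback and in any CI or redirected log that captures the script's output; the same line is added to `spring-security/terraform/setup_env.sh` in the two hunks that follow, whose context lines already echo the client secrets the same way. The value comes from a terraform output of the kind normally marked `sensitive = true` (as `USER_PASSWORD` is in the outputs.tf hunk earlier in this patch), and printing it in the wrapper undoes that marking. Keep the `export` and drop the echo, or print a placeholder such as `echo "USER_PASSWORD=(exported to the environment, not printed)"` so the user knows the variable is set.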
@@ -4,6 +4,8 @@ export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RE export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET) export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) +export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) echo TENANT_ID=$TENANT_ID echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID @@ -11,3 +13,7 @@ echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET +echo "--------created user--------" +echo USER_NAME=$USER_NAME +echo USER_PASSWORD=$USER_PASSWORD + diff --git a/aad/spring-security/terraform/variables.tf b/aad/spring-security/terraform/variables.tf deleted file mode 100644 index 6fe3d961b..000000000 --- a/aad/spring-security/terraform/variables.tf +++ /dev/null @@ -1,17 +0,0 @@ -variable "application_name" { - type = string - description = "The name of your application." - default = "keyvault" -} - -variable "location" { - type = string - description = "The Azure region where all resources in this example should be created." - default = "eastus" -} - -variable "sample_tag_value" { - type = string - description = "The value of spring-cloud-azure-sample tag." - default = "true" -} From be6355a4af7226e818db7a34c8dcc9e784b54ca1 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Wed, 16 Mar 2022 17:29:09 +0800 Subject: [PATCH 15/38] reformat pom and README.md --- README.md | 88 +++++++++++++++++++++++++++---------------------------- pom.xml | 4 +-- 2 files changed, 44 insertions(+), 48 deletions(-) 
diff --git a/README.md b/README.md index de3fd0937..c32957a4d 100644 --- a/README.md +++ b/README.md 
@@ -21,54 +21,52 @@ ## All active branches -| Spring Boot Version | Spring Cloud version | Spring Cloud Azure Version | -| --- | --- | --- | -| 2.5.5 | 2021.0.0 | [4.0](https://github.com/Azure/azure-sdk-for-java/tree/feature/azure-spring-cloud-4.0/sdk/spring) | +| Spring Boot Version | Spring Cloud version | Spring Cloud Azure Version | +|----------------------|-----------------------|---------------------------------------------------------------------------------------------------| +| 2.5.5 | 2021.0.0 | [4.0](https://github.com/Azure/azure-sdk-for-java/tree/feature/azure-spring-cloud-4.0/sdk/spring) | ## All samples in this repo -| Azure Service | Spring Cloud Azure Starter Dependency | Sample Project | -|------------------|---------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------| -| AAD | [spring-cloud-azure-starter-active-directory-b2c:4.0.0-beta.4] | [aad-b2c-resource-server](aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server) | -| AAD | [spring-cloud-azure-starter-active-directory-b2c:4.0.0-beta.4] | [aad-b2c-web-application](aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-web-application) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-by-filter-stateless](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-by-filter](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-obo](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | 
[aad-resource-server](aad/spring-cloud-azure-starter-active-directory/aad-resource-server) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-web-application](aad/spring-cloud-azure-starter-active-directory/aad-web-application) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-webapp-resource-server](aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server) | -| App Configuration| [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [azure-appconfiguration-conversion-sample-initial](appconfiguration/azure-appconfiguration-conversion-sample-initial) | -| App Configuration| [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-sample](appconfiguration/azure-appconfiguration-sample) | -| App Configuration| [azure-spring-cloud-feature-management:2.2.0] | [feature-management-sample](appconfiguration/feature-management-sample) | -| App Configuration| [azure-spring-cloud-feature-management:2.2.0] | [feature-management-web-sample](appconfiguration/feature-management-web-sample) | -| App Configuration| [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-conversion-sample-complete](appconfiguration/azure-appconfiguration-conversion-sample-complete) | -| Cache | N/A | [azure-spring-cloud-sample-cache](cache/spring-cloud-azure-starter/spring-cloud-azure-sample-cache) | -| Cloud Foundry | N/A | [azure-cloud-foundry-service-sample](cloudfoundry/azure-cloud-foundry-service-sample) | -| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-multi-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-multi-account) | -| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-single-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-single-account) | -| Cosmos DB | [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | 
[spring-cloud-azure-data-cosmos-sample](cosmos/spring-cloud-azure-starter-data-cosmos/spring-cloud-azure-data-cosmos-sample) | -| Cosmos DB | [spring-cloud-azure-starter-cosmos:4.0.0-beta.4] | [spring-cloud-azure-cosmos-sample](cosmos/spring-cloud-azure-starter-cosmos/spring-cloud-azure-cosmos-sample) | -| Event Hubs | N/A | [spring-cloud-azure-sample-eventhubs-kafka](eventhubs/spring-cloud-azure-starter/spring-cloud-azure-sample-eventhubs-kafka) | -| Event Hubs | [spring-cloud-azure-starter-integration-eventhubs:4.0.0-beta.4] | [eventhubs-integration](eventhubs/spring-cloud-azure-starter-integration-eventhubs/eventhubs-integration) | -| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-binder](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-binder) | -| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-multibinders](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-multibinders) | -| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-client-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-client-side) | -| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-server-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-server-side) | -| Key Vault | | [run-with-command-line-server-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-server-side) | -| Key Vault | | [run-with-command-line-client-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-client-side) | -| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [multiple-property-source](keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source) | -| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | 
[single-property-source](keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source) | -| Service Bus | [spring-cloud-azure-starter-servicebus-jms:4.0.0-beta.4] | [servicebus-jms-queue](servicebus/spring-cloud-azure-starter-servicebus-jms/servicebus-jms-queue) | -| Service Bus | [spring-cloud-azure-starter-servicebus-jms:4.0.0-beta.4] | [servicebus-jms-topic](servicebus/spring-cloud-azure-starter-servicebus-jms/servicebus-jms-topic) | -| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [single-namespace](servicebus/spring-cloud-azure-starter-integration-servicebus/single-namespace) | -| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [multiple-namespaces](servicebus/spring-cloud-azure-starter-integration-servicebus/multiple-namespaces) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-queue-binder) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-multibinders](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-multibinders) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-topic-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-topic-binder) | -| Storage | [spring-cloud-azure-starter-storage-blob:4.0.0-beta.4] | [storage-blob-sample](storage/spring-cloud-azure-starter-storage-blob/storage-blob-sample) -| Storage | [spring-cloud-azure-starter-storage-file-share:4.0.0-beta.4] | [storage-file-sample](storage/spring-cloud-azure-starter-storage-file-share/storage-file-sample) | -| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-integration](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-integration) | -| Storage | 
[spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-operation](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-operation) | +| Azure Service | Spring Cloud Azure Starter Dependency | Sample Project | +|-------------------|---------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +| AAD | [spring-cloud-azure-starter-active-directory-b2c:4.0.0-beta.4] | [aad-b2c-resource-server](aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server) | +| AAD | [spring-cloud-azure-starter-active-directory-b2c:4.0.0-beta.4] | [aad-b2c-web-application](aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-web-application) | +| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-by-filter-stateless](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless) | +| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-by-filter](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter) | +| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [web-client-access-resource-server](aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server) | +| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-webapp-resource-server](aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server) | +| App Configuration | [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [azure-appconfiguration-conversion-sample-initial](appconfiguration/azure-appconfiguration-conversion-sample-initial) | +| App Configuration | [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-sample](appconfiguration/azure-appconfiguration-sample) | +| App Configuration | 
[azure-spring-cloud-feature-management:2.2.0] | [feature-management-sample](appconfiguration/feature-management-sample) | +| App Configuration | [azure-spring-cloud-feature-management:2.2.0] | [feature-management-web-sample](appconfiguration/feature-management-web-sample) | +| App Configuration | [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-conversion-sample-complete](appconfiguration/azure-appconfiguration-conversion-sample-complete) | +| Cache | N/A | [azure-spring-cloud-sample-cache](cache/spring-cloud-azure-starter/spring-cloud-azure-sample-cache) | +| Cloud Foundry | N/A | [azure-cloud-foundry-service-sample](cloudfoundry/azure-cloud-foundry-service-sample) | +| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-multi-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-multi-account) | +| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-single-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-single-account) | +| Cosmos DB | [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [spring-cloud-azure-data-cosmos-sample](cosmos/spring-cloud-azure-starter-data-cosmos/spring-cloud-azure-data-cosmos-sample) | +| Cosmos DB | [spring-cloud-azure-starter-cosmos:4.0.0-beta.4] | [spring-cloud-azure-cosmos-sample](cosmos/spring-cloud-azure-starter-cosmos/spring-cloud-azure-cosmos-sample) | +| Event Hubs | N/A | [spring-cloud-azure-sample-eventhubs-kafka](eventhubs/spring-cloud-azure-starter/spring-cloud-azure-sample-eventhubs-kafka) | +| Event Hubs | [spring-cloud-azure-starter-integration-eventhubs:4.0.0-beta.4] | [eventhubs-integration](eventhubs/spring-cloud-azure-starter-integration-eventhubs/eventhubs-integration) | +| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-binder](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-binder) | +| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | 
[eventhubs-multibinders](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-multibinders) | +| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-client-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-client-side) | +| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-server-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-server-side) | +| Key Vault | | [run-with-command-line-server-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-server-side) | +| Key Vault | | [run-with-command-line-client-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-client-side) | +| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [multiple-property-source](keyvault/spring-cloud-azure-starter-keyvault-secrets/multiple-property-source) | +| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [single-property-source](keyvault/spring-cloud-azure-starter-keyvault-secrets/single-property-source) | +| Service Bus | [spring-cloud-azure-starter-servicebus-jms:4.0.0-beta.4] | [servicebus-jms-queue](servicebus/spring-cloud-azure-starter-servicebus-jms/servicebus-jms-queue) | +| Service Bus | [spring-cloud-azure-starter-servicebus-jms:4.0.0-beta.4] | [servicebus-jms-topic](servicebus/spring-cloud-azure-starter-servicebus-jms/servicebus-jms-topic) | +| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [single-namespace](servicebus/spring-cloud-azure-starter-integration-servicebus/single-namespace) | +| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [multiple-namespaces](servicebus/spring-cloud-azure-starter-integration-servicebus/multiple-namespaces) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | 
[servicebus-queue-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-queue-binder) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-multibinders](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-multibinders) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-topic-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-topic-binder) | +| Storage | [spring-cloud-azure-starter-storage-blob:4.0.0-beta.4] | [storage-blob-sample](storage/spring-cloud-azure-starter-storage-blob/storage-blob-sample) | +| Storage | [spring-cloud-azure-starter-storage-file-share:4.0.0-beta.4] | [storage-file-sample](storage/spring-cloud-azure-starter-storage-file-share/storage-file-sample) | +| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-integration](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-integration) | +| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-operation](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-operation) | ## Running Samples With Terraform With [terraform](https://www.terraform.io/) scripts and [DefaultAzureCredential](https://microsoft.github.io/spring-cloud-azure/current/reference/html/index.html#defaultazurecredential), most samples in the project can be run with the same 4 steps below: diff --git a/pom.xml b/pom.xml index 4371f983b..3d68f8d4c 100644 --- a/pom.xml +++ b/pom.xml 
@@ -30,11 +30,9 @@ - aad/spring-cloud-azure-starter-active-directory/aad-resource-server + aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless - aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo - aad/spring-cloud-azure-starter-active-directory/aad-web-application aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-web-application aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server From f39a888364f95e5b57834006c9637b1e44c13753 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 20:19:14 +0800 Subject: [PATCH 16/38] update scripts --- .../run_all.sh | 11 + .../terraform/main.tf | 226 +++++++++++++++++- .../terraform/outputs.tf | 38 ++- .../terraform/set_identifier_uris.sh | 15 ++ .../terraform/setup_env.sh | 54 ++++- .../oauth2/spring-cloud-gateway/run_all.sh | 3 +- .../client-access-resource-server/run_all.sh | 3 +- .../run_all.sh | 5 +- .../run_all.sh | 5 +- 9 files changed, 329 insertions(+), 31 deletions(-) create mode 100644 aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh create mode 100644 aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/set_identifier_uris.sh diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh new file mode 100644 index 000000000..d59b3cfa7 --- /dev/null +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh 
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+mvn clean package spring-boot:repackage -DskipTests
+
+# aad-resource-server 8082
+# aad-resource-server 8081
+# aad-web-application 8080
+kill -9 $(lsof -t -i tcp:8080)
+kill -9 $(lsof -t -i tcp:8081)
+kill -9 $(lsof -t -i tcp:8082)
+
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
index ce72a064a..abcb6a800 100644
--- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
@@ -8,13 +8,33 @@ terraform {
 source = "hashicorp/random"
 version = "3.1.0"
 }
+ null = {
+ source = "hashicorp/null"
+ version = "3.1.0"
+ }
 }
 }
 
 resource "random_string" "random" {
- length = 5
- min_lower = 5
- special = false
+ length = 5
+ min_lower = 5
+ special = false
+}
+
+# used to expose api
+resource "random_uuid" "webApiAOboGraph" {
+}
+
+resource "random_uuid" "webApiAOboExample" {
+}
+
+resource "random_uuid" "webApiB" {
+}
+
+resource "random_uuid" "webApiC" {
+}
+
+resource "random_uuid" "WebApiB_ClientCredential_ExampleScope" {
 }
 
 data "azuread_client_config" "current" {}
@@ -23,7 +43,7 @@ data "azuread_client_config" "current" {} provider "azuread" { } -# Configure webapp +# ====================Configure webapp==================== resource "azuread_application" "webapp" { display_name = "webapp"
@@ -75,7 +95,7 @@ resource "azuread_service_principal" "webapp" { owners = [data.azuread_client_config.current.object_id] } -resource "azuread_application_password" "webapp_resourceserver" { +resource "azuread_application_password" "webapp" { application_object_id = azuread_application.webapp.object_id }
@@ -94,7 +114,7 @@ resource "azuread_service_principal" "management" {
 resource "azuread_service_principal_delegated_permission_grant" "graph" {
 service_principal_object_id = azuread_service_principal.webapp.object_id
 resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
- claim_values = ["Directory.Read.All","User.Read"]
+ claim_values = ["Directory.Read.All", "User.Read"]
 }
 
 resource "azuread_service_principal_delegated_permission_grant" "management" {
@@ -103,6 +123,183 @@ resource "azuread_service_principal_delegated_permission_grant" "management" { claim_values = ["user_impersonation"] } +# ====================Configure webApiB==================== +resource "azuread_application" "webApiB" { + display_name = "webApiB" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "WebApiB.ExampleScope" + admin_consent_display_name = "WebApiB.ExampleScope" + enabled = true + id = random_uuid.webApiB.result + type = "User" + value = "WebApiB.ExampleScope" + } + } + + app_role { + allowed_member_types = ["User"] + description = "WebApiB.ClientCredential.ExampleScope" + display_name = "WebApiB.ClientCredential.ExampleScope" + enabled = true + id = random_uuid.WebApiB_ClientCredential_ExampleScope.result + value = "WebApiB.ClientCredential.ExampleScope" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + +resource "azuread_service_principal" "webApiB" { + application_id = azuread_application.webApiB.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +# ====================Configure webApiC==================== +resource "azuread_application" "webApiC" { + display_name = "webApiC" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "WebApiC.ExampleScope" + admin_consent_display_name = "WebApiC.ExampleScope" + enabled = true + id = random_uuid.webApiC.result + type = "User" + value = "WebApiC.ExampleScope" + } + } + + required_resource_access { + resource_app_id = 
"00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + +resource "azuread_service_principal" "webApiC" { + application_id = azuread_application.webApiC.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +# ====================Configure webApiA==================== +resource "azuread_application" "webApiA" { + display_name = "webApiA" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "Obo.Graph.Read" + admin_consent_display_name = "Obo.Graph.Read" + enabled = true + id = random_uuid.webApiAOboGraph.result + type = "User" + value = "Obo.Graph.Read" + } + + # `Obo.Graph.Read` + oauth2_permission_scope { + admin_consent_description = "Obo.Graph.Read" + admin_consent_display_name = "Obo.Graph.Read" + enabled = true + id = random_uuid.webApiAOboGraph.result + type = "User" + value = "Obo.Graph.Read" + } + + # `Obo.WebApiA.ExampleScope` + oauth2_permission_scope { + admin_consent_description = "Obo.WebApiA.ExampleScope" + admin_consent_display_name = "Obo.WebApiA.ExampleScope" + enabled = true + id = random_uuid.webApiAOboExample.result + type = "User" + value = "Obo.WebApiA.ExampleScope" + } + + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.webApiB.application_id # webApiB + + # need grant + resource_access { + id = random_uuid.webApiB.result # WebApiB.ExampleScope + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.webApiC.application_id # webApiC + 
+ # need grant + resource_access { + id = random_uuid.webApiC.result # WebApiC.ExampleScope + type = "Scope" + } + } +} + +resource "azuread_service_principal" "webApiA" { + application_id = azuread_application.webApiA.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_application_password" "webApiA" { + application_object_id = azuread_application.webApiA.object_id +} + +resource "azuread_service_principal_delegated_permission_grant" "webApiB" { + service_principal_object_id = azuread_service_principal.webApiA.object_id + resource_service_principal_object_id = azuread_service_principal.webApiB.object_id + claim_values = ["WebApiB.ExampleScope"] +} + +resource "azuread_service_principal_delegated_permission_grant" "webApiC" { + service_principal_object_id = azuread_service_principal.webApiA.object_id + resource_service_principal_object_id = azuread_service_principal.webApiC.object_id + claim_values = ["WebApiC.ExampleScope"] +} + # Retrieve domain information data "azuread_domains" "example" { only_initial = true @@ -114,3 +311,20 @@ resource "azuread_user" "user" { display_name = "webapp-${random_string.random.result}" password = "Azure123456@" } + +# assign role to user +resource "azuread_app_role_assignment" "webApiB_User" { + app_role_id = random_uuid.WebApiB_ClientCredential_ExampleScope.result + principal_object_id = azuread_user.user.object_id + resource_object_id = azuread_service_principal.webApiB.object_id +} + +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.webApiC.application_id + } + + provisioner "local-exec" { + command = "/bin/bash set_identifier_uris.sh" + } +} diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf index f9b1ce414..57f2b0f22 100644 
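Review bot: `resource "azuread_application" "webApiA"` declares the `Obo.Graph.Read` `oauth2_permission_scope` twice with the same `id = random_uuid.webApiAOboGraph.result` and the same `value`; Azure AD expects scope ids and values to be unique per application, so the apply is likely to be rejected, and even if accepted the copy is pure noise — keep only the block under the `Obo.Graph.Read` heading comment. All three new service principals set `app_role_assignment_required = false`, which lets any user in the tenant obtain a token for these APIs; acceptable for a sample, but worth a one-line comment saying so. The hard-coded `password = "Azure123456@"` on the context line of the following hunk also remains; a `random_password` resource from the already-declared hashicorp/random provider would keep a literal credential out of the repository.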
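Review bot: `null_resource.set_env` re-runs `set_identifier_uris.sh` only when `azuread_service_principal.webApiC.application_id` changes, yet the script updates webApiA and webApiB as well, so recreating either of those leaves its `identifier_uris` stale. The script also reads the ids with `terraform output` from inside the apply, where the outputs of the current run may not be persisted to state yet (hedged: this depends on backend and timing). Passing the ids through the provisioner's `environment` block and listing all three in `triggers` removes both problems; the script would then read `$WEB_API_A_CLIENT_ID` and friends from its environment instead of calling `terraform output`.
```hcl
resource "null_resource" "set_env" {
  triggers = {
    web_api_a = azuread_application.webApiA.application_id
    web_api_b = azuread_application.webApiB.application_id
    web_api_c = azuread_application.webApiC.application_id
  }

  provisioner "local-exec" {
    command = "/bin/bash set_identifier_uris.sh"
    environment = {
      WEB_API_A_CLIENT_ID = azuread_application.webApiA.application_id
      WEB_API_B_CLIENT_ID = azuread_application.webApiB.application_id
      WEB_API_C_CLIENT_ID = azuread_application.webApiC.application_id
    }
  }
}
```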
--- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf
@@ -1,26 +1,48 @@
 output "AZURE_TENANT_ID" {
- value = data.azuread_client_config.current.tenant_id
+ value = data.azuread_client_config.current.tenant_id
 description = "The application id."
 }
 
+# ------WEB_APP------
 output "AZURE_CLIENT_ID" {
- value = azuread_application.webapp.application_id
+ value = azuread_application.webapp.application_id
 description = "The application id."
 }
 
 output "AZURE_CLIENT_SECRET" {
- value = azuread_application_password.webapp_resourceserver.value
- sensitive = true
+ value = azuread_application_password.webapp.value
+ sensitive = true
 description = "A secret string the application uses to prove its identity."
 }
 
-output "USER_PASSWORD" {
- value = azuread_user.user.password
+# ------WebApiA------
+output "WEB_API_A_CLIENT_ID" {
+ value = azuread_application.webApiA.application_id
+}
+
+output "WEB_API_A_CLIENT_SECRET" {
+ value = azuread_application_password.webApiA.value
 sensitive = true
+}
+
+# ------WebApiB------
+output "WEB_API_B_CLIENT_ID" {
+ value = azuread_application.webApiB.application_id
+}
+
+# ------WebApiC------
+output "WEB_API_C_CLIENT_ID" {
+ value = azuread_application.webApiC.application_id
+}
+
+# ------User------
+output "USER_PASSWORD" {
+ value = azuread_user.user.password
+ sensitive = true
 description = "The password of the user created by terraform."
 }
 
-output "USER_PRINCIPAL_NAME" {
- value = azuread_user.user.user_principal_name
+output "USER_NAME" {
+ value = azuread_user.user.user_principal_name
 description = "The user name of the user created by terraform."
 }
\ No newline at end of file
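Review bot: The four new outputs `WEB_API_A_CLIENT_ID`, `WEB_API_A_CLIENT_SECRET`, `WEB_API_B_CLIENT_ID` and `WEB_API_C_CLIENT_ID` carry no `description`, unlike every other output in this file; `description = "The application id of webApiA."` and the like would keep the file consistent and make `terraform output` self-explaining. While here, `AZURE_TENANT_ID` still has the copy-pasted `description = "The application id."` on its context line, although its value is the tenant id. `WEB_API_A_CLIENT_SECRET` is correctly marked `sensitive = true`.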
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/set_identifier_uris.sh
new file mode 100644
index 000000000..825608218
--- /dev/null
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/set_identifier_uris.sh
@@ -0,0 +1,15 @@
+# set identifier_uris
+# webApiA WEB_API_A_CLIENT_ID
+WEB_API_A_CLIENT_ID=$(terraform output -raw WEB_API_A_CLIENT_ID)
+echo "----------update identifier-uris for WEB_API_A----------"
+az ad app update --id $WEB_API_A_CLIENT_ID --identifier-uris api://$WEB_API_A_CLIENT_ID
+
+# webApiB WEB_API_B_CLIENT_ID
+WEB_API_B_CLIENT_ID=$(terraform output -raw WEB_API_B_CLIENT_ID)
+echo "----------update identifier-uris for WEB_API_B----------"
+az ad app update --id $WEB_API_B_CLIENT_ID --identifier-uris api://$WEB_API_B_CLIENT_ID
+
+# webApiC WEB_API_C_CLIENT_ID
+WEB_API_C_CLIENT_ID=$(terraform output -raw WEB_API_C_CLIENT_ID)
+echo "----------update identifier-uris for WEB_API_C----------"
+az ad app update --id $WEB_API_C_CLIENT_ID --identifier-uris api://$WEB_API_C_CLIENT_ID
\ No newline at end of file
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh
index 48fa4140c..b8af182a1 100644
--- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh
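Review bot: The new set_identifier_uris.sh has no shebang and no `set -euo pipefail`, so if `terraform output -raw WEB_API_A_CLIENT_ID` fails (locked state, output not yet written) the variable is empty and the script continues into `az ad app update --id  --identifier-uris api://`, then repeats the pattern for B and C; the unquoted expansions hide the empty value instead of failing on it. main.tf invokes it as `/bin/bash set_identifier_uris.sh`, so the shebang is a convenience, but strict mode, quoting and one loop over the three apps replace the triplicated block; the rewrite below keeps the `terraform output` lookups and the progress banners.
```bash
#!/usr/bin/env bash
set -euo pipefail

# set identifier_uris to api://<application id> for webApiA, webApiB and webApiC
for app in WEB_API_A WEB_API_B WEB_API_C; do
  client_id=$(terraform output -raw "${app}_CLIENT_ID")
  echo "----------update identifier-uris for ${app}----------"
  az ad app update --id "$client_id" --identifier-uris "api://$client_id"
done
```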
@@ -1,13 +1,53 @@ -export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) -export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) -export AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) -export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) -export USER_PRINCIPAL_NAME=$(terraform -chdir=./terraform output -raw USER_PRINCIPAL_NAME) +terraformpath=`pwd` +export AZURE_TENANT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_TENANT_ID) +# WEB_APP +export AZURE_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_CLIENT_ID) +export AZURE_CLIENT_SECRET=$(terraform -chdir=$terraformpath output -raw AZURE_CLIENT_SECRET) + +# WEB_API_A +export WEB_API_A_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_A_CLIENT_ID) +export WEB_API_A_CLIENT_SECRET=$(terraform -chdir=$terraformpath output -raw WEB_API_A_CLIENT_SECRET) +export WEB_API_A_APP_ID_URL=api://$WEB_API_A_CLIENT_ID + +# WEB_API_B +export WEB_API_B_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_B_CLIENT_ID) +export WEB_API_B_APP_ID_URL=api://$WEB_API_B_CLIENT_ID + +# WEB_API_C +export WEB_API_C_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_C_CLIENT_ID) +export WEB_API_C_APP_ID_URL=api://$WEB_API_C_CLIENT_ID + +# user +export USER_PASSWORD=$(terraform -chdir=$terraformpath output -raw USER_PASSWORD) +export USER_NAME=$(terraform -chdir=$terraformpath output -raw USER_NAME) + +# echo================ echo AZURE_TENANT_ID=$AZURE_TENANT_ID + +# WEB_APP +echo "================WEB_APP================" echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID echo AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -echo "--------created user--------" -echo USER_PRINCIPAL_NAME=$USER_PRINCIPAL_NAME +echo "================WEB_API_A================" +# WEB_API_A +echo WEB_API_A_CLIENT_ID=$WEB_API_A_CLIENT_ID +echo WEB_API_A_CLIENT_SECRET=$WEB_API_A_CLIENT_SECRET +echo 
WEB_API_A_APP_ID_URL=$WEB_API_A_APP_ID_URL + +# WEB_API_B +echo "================WEB_API_B================" +echo WEB_API_B_CLIENT_ID=$WEB_API_B_CLIENT_ID +echo WEB_API_B_APP_ID_URL=$WEB_API_B_APP_ID_URL + +# WEB_API_C +echo "================WEB_API_C================" +echo WEB_API_C_CLIENT_ID=$WEB_API_C_CLIENT_ID +echo WEB_API_C_APP_ID_URL=$WEB_API_C_APP_ID_URL + +# user +echo "====================================" +echo "================User================" +echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh index 936d40622..f54825c92 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh @@ -16,7 +16,8 @@ nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar gateway/target/*.jar > target/gateway.log 2>&1 & nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & -echo "All apps started" +echo "All apps started, please check target folder for logs." + tail -f target/client.log -f target/gateway.log -f target/resource-server-1.log -f target/resource-server-2.log # you can kill the process with port diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh index 09a497e11..6005ede5e 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh 
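Review bot: The new `terraformpath=`pwd`` breaks the documented invocation: the sample README tells users to run `source ./terraform/setup_env.sh` from the sample root, where `pwd` is the sample root rather than the terraform directory, so every `terraform -chdir=$terraformpath output` call fails for lack of state and all exported variables end up empty. The removed `-chdir=./terraform` was correct for that invocation; the robust form is to derive the directory from the script itself, `terraformpath=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)`. Separately, the script still `echo`es `AZURE_CLIENT_SECRET`, `WEB_API_A_CLIENT_SECRET` and `USER_PASSWORD` in clear text, so they land in terminal scrollback and in any CI log that captures this step; printing only the non-secret values, or a `(set)` marker for the secrets, would avoid that. Because the file is sourced, `terraformpath` also remains in the caller's shell afterwards.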
@@ -13,7 +13,8 @@ mkdir -p target nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar resource-server/target/*.jar > target/resource-server-1.log 2>&1 & sleep 10 -echo "All apps started" +echo "All apps started, please check target folder for logs." + tail -f target/client.log -f target/resource-server.log diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh index 09a497e11..78ba78505 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh @@ -13,9 +13,6 @@ mkdir -p target nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar resource-server/target/*.jar > target/resource-server-1.log 2>&1 & sleep 10 -echo "All apps started" +echo "All apps started, please check target folder for logs." tail -f target/client.log -f target/resource-server.log - -# you can kill the process with port -# kill -9 $(lsof -t -i tcp:) \ No newline at end of file diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh index 82f13916c..a38e9ea4a 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh 
@@ -16,9 +16,6 @@ nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & sleep 10 -echo "All apps started" +echo "All apps started, please check target folder for logs." tail -f target/client.log -f target/resource-server-1.log -f target/resource-server-2.log - -# you can kill the process with port -# kill -9 $(lsof -t -i tcp:) \ No newline at end of file From 84987239628578223a8b03397b353bf319790717 Mon Sep 17 00:00:00 2001 
From: zhihaoguo Date: Thu, 17 Mar 2022 22:11:11 +0800 Subject: [PATCH 17/38] update scripts to each sample --- .../README.md | 6 +- .../terraform/README.md | 2 - .../terraform/README.md | 3 +- .../README.md | 5 +- .../README.md | 103 ++++++++ .../webflux/oauth2/spring-cloud-gateway.md | 3 +- .../client-access-multiple-resource-server.md | 2 + .../oauth2/client-access-resource-server.md | 3 +- .../docs/servlet/oauth2/login.md | 4 +- ...k-permissions-by-claims-in-access-token.md | 3 +- ...source-server-support-on-behalf-of-flow.md | 3 +- .../oauth2/spring-cloud-gateway}/README.md | 7 +- .../oauth2/spring-cloud-gateway/run_all.sh | 5 +- .../spring-cloud-gateway}/terraform/main.tf | 0 .../terraform/outputs.tf | 0 .../terraform/set_identifier_uris.sh | 6 +- .../terraform/setup_env.sh | 0 .../README.md | 104 ++++++++ .../run_all.sh | 14 +- .../terraform/main.tf | 249 ++++++++++++++++++ .../terraform/outputs.tf | 34 +++ .../terraform/set_identifier_uris.sh | 11 + .../terraform/setup_env.sh | 19 ++ .../client-access-resource-server/README.md | 104 ++++++++ .../client-access-resource-server/run_all.sh | 26 +- .../terraform/main.tf | 249 ++++++++++++++++++ .../terraform/outputs.tf | 34 +++ .../terraform/set_identifier_uris.sh | 11 + .../terraform/setup_env.sh | 19 ++ .../servlet/oauth2/login/README.md | 104 ++++++++ .../servlet/oauth2/login/run_all.sh | 28 ++ .../README.md | 104 ++++++++ .../run_all.sh | 23 +- .../terraform/main.tf | 249 ++++++++++++++++++ .../terraform/outputs.tf | 34 +++ .../terraform/set_identifier_uris.sh | 11 + .../terraform/setup_env.sh | 19 ++ .../README.md | 104 ++++++++ .../run_all.sh | 25 +- .../terraform/main.tf | 249 ++++++++++++++++++ .../terraform/outputs.tf | 34 +++ .../terraform/set_identifier_uris.sh | 11 + .../terraform/setup_env.sh | 19 ++ 43 files changed, 2001 insertions(+), 42 deletions(-) rename aad/spring-security/{terraform => reactive/webflux/oauth2/spring-cloud-gateway}/README.md (92%) rename aad/spring-security/{ => 
reactive/webflux/oauth2/spring-cloud-gateway}/terraform/main.tf (100%) rename aad/spring-security/{ => reactive/webflux/oauth2/spring-cloud-gateway}/terraform/outputs.tf (100%) rename aad/spring-security/{ => reactive/webflux/oauth2/spring-cloud-gateway}/terraform/set_identifier_uris.sh (65%) rename aad/spring-security/{ => reactive/webflux/oauth2/spring-cloud-gateway}/terraform/setup_env.sh (100%) create mode 100644 aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md create mode 100644 aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf create mode 100644 aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf create mode 100644 aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/set_identifier_uris.sh create mode 100644 aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh create mode 100644 aad/spring-security/servlet/oauth2/client-access-resource-server/README.md create mode 100644 aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf create mode 100644 aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf create mode 100644 aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh create mode 100644 aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/setup_env.sh create mode 100644 aad/spring-security/servlet/oauth2/login/README.md create mode 100644 aad/spring-security/servlet/oauth2/login/run_all.sh create mode 100644 aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md create mode 100644 aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf create mode 100644 
aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf create mode 100644 aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh create mode 100644 aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh create mode 100644 aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md create mode 100644 aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf create mode 100644 aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf create mode 100644 aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/set_identifier_uris.sh create mode 100644 aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md index 1b989ebbf..ac0e3de3d 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md @@ -61,7 +61,11 @@ Furthermore enable the implicit flow in the manifest for the demo application "oauth2AllowImplicitFlow": "true", ``` -## Examples +## Running Sample With Terraform +Please refer to [README.md](terraform/README.md) if you want to start the sample with Terraform in just a few steps. + +## Running Sample Step by Step + ### Configure the sample #### Configure application.properties 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md index f22077ff4..652635460 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md @@ -1,7 +1,5 @@ # Spring Boot application with Azure Active Directory -This guide demonstrates how to provision Azure Resources with terraform. - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md index f22077ff4..32f40e06c 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md @@ -90,7 +90,8 @@ mvn clean spring-boot:run ``` ## Verify This Sample - +If running locally, browse to http://localhost:8080 and click Login or Todo List, your browser will be redirected to https://login.microsoftonline.com/ for authentication. +Upon successful login, Todo List will give you a default item and you can perform add, update or delete operation. The backend RESTful API will accept or deny your request based on authenticated user roles. ## Clean Up Resources After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md index f1e16039d..5fb58c578 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md @@ -4,7 +4,10 @@ This scenario supports `Web application` and `Resource server` in one application. -## Getting started +## Running Sample With Terraform +Please refer to [README.md](terraform/README.md) if you want to start the sample with Terraform in just a few steps. + +## Running Sample Step by Step We assume that when used as a Resource server, it is called `WebApiC`; when used as a Web application, it is called `WebApp2`. diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md index e69de29bb..15a77124a 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md 
@@ -0,0 +1,103 @@ +# Spring Boot application with Azure Active Directory + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# Into the directory of client-access-multiple-resource-server +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `source run_all.sh`. + +```shell +source run_all.sh +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md b/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md index adbd13f0d..ebf2a78da 100644 --- a/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md +++ b/aad/spring-security/docs/reactive/webflux/oauth2/spring-cloud-gateway.md 
@@ -33,7 +33,8 @@ Get samples applications from in GitHub: [spring-cloud-gateway](../../../../reac # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant#create-a-new-azure-ad-tenant), create a new tenant. Get the tenant-id: **${TENANT_ID}**. +Read [document about creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant#create-a-new-azure-ad-tenant), create a new tenant. Get the tenant-id: **${TENANT_ID}**. +> After creating a new tenant, You can refer to [README.md](../../../../reactive/webflux/oauth2/spring-cloud-gateway/README.md) if you want to start the sample without the knowledge of step by step. ## 3.2. Add a new user Read [document about adding users](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory), add a new user: **user-1@${tenant-name}.com**. Get the user's password. diff --git a/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md b/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md index b0cbc759f..0639f36ad 100644 --- a/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md +++ b/aad/spring-security/docs/servlet/oauth2/client-access-multiple-resource-server.md @@ -35,6 +35,8 @@ Get samples applications from in GitHub: [client-access-multiple-resource-server ## 3.1. Create a tenant Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +> After creating a new tenant, You can refer to [README.md](../../../servlet/oauth2/client-access-multiple-resource-server/README.md) if you want to start the sample without the knowledge of step by step. + ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. 
diff --git a/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md b/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md index 84e2eca48..51b83c9ba 100644 --- a/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md +++ b/aad/spring-security/docs/servlet/oauth2/client-access-resource-server.md @@ -33,7 +33,8 @@ Get samples applications from in GitHub: [client-access-resource-server]. # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +> After creating a new tenant, You can refer to [README.md](../../../servlet/oauth2/client-access-resource-server/README.md) if you want to start the sample without the knowledge of step by step. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. diff --git a/aad/spring-security/docs/servlet/oauth2/login.md b/aad/spring-security/docs/servlet/oauth2/login.md index 592f65694..d9ab09038 100644 --- a/aad/spring-security/docs/servlet/oauth2/login.md +++ b/aad/spring-security/docs/servlet/oauth2/login.md @@ -27,7 +27,8 @@ Get samples applications from in GitHub: [login]. # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +> After creating a new tenant, You can refer to [README] if you want to start the sample without the knowledge of step by step. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. 
@@ -76,6 +77,7 @@ Read [document about adding a redirect URI], add redirect URI: **http://localhos [document about exposing an api]: https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-expose-web-apis [document about Application manifest]: https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute [login]: ../../../servlet/oauth2/login +[README]: ../../../servlet/oauth2/login/README.md [Edge]: https://www.microsoft.com/edge?r=1 [InPrivate window]: https://support.microsoft.com/microsoft-edge/browse-inprivate-in-microsoft-edge-cd2c9a48-0bc4-b98e-5e46-ac40c84e27e2 [rfc6749]: https://datatracker.ietf.org/doc/html/rfc6749 diff --git a/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md b/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md index a039b2ff3..46e5485bf 100644 --- a/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md +++ b/aad/spring-security/docs/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token.md @@ -35,7 +35,8 @@ Get samples applications from in GitHub: [resource-server-check-permissions-by-c # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +> After creating a new tenant, You can refer to [README.md](../../../servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md) if you want to start the sample without the knowledge of step by step. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. 
diff --git a/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md b/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md index 73d34b49a..c56840b72 100644 --- a/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md +++ b/aad/spring-security/docs/servlet/oauth2/resource-server-support-on-behalf-of-flow.md @@ -40,7 +40,8 @@ Get samples applications from in GitHub: [resource-server-support-on-behalf-of-f # 3. Create resources in Azure ## 3.1. Create a tenant -Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +Read [document about creating an Azure AD tenant], create a new tenant. Get the tenant-id: **${TENANT_ID}**. +> After creating a new tenant, You can refer to [README.md](../../../servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md) if you want to start the sample without the knowledge of step by step. ## 3.2. Add a new user Read [document about adding users], add a new user: **user-1@${tenant-name}.com**. Get the user's password. diff --git a/aad/spring-security/terraform/README.md b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md similarity index 92% rename from aad/spring-security/terraform/README.md rename to aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md index f22077ff4..4754631e9 100644 --- a/aad/spring-security/terraform/README.md +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory -This guide demonstrates how to provision Azure Resources with terraform. ## What You Need 
@@ -53,7 +52,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# In the specific sample's directory, where contains pom.xml. +# Into the directory of client-access-multiple-resource-server # Initialize your Terraform configuration terraform -chdir=./terraform init @@ -83,10 +82,10 @@ source ./terraform/setup_env.sh ## Run Locally -In your current terminal, run `mvn clean spring-boot:run`. +In your current terminal, run `source run_all.sh`. ```shell -mvn clean spring-boot:run +source run_all.sh ``` ## Verify This Sample diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh index f54825c92..a8fb01d13 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh @@ -11,7 +11,7 @@ export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output echo "Running apps" -mkdir -p target +mkdir -p .target nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar gateway/target/*.jar > target/gateway.log 2>&1 & nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & @@ -19,6 +19,3 @@ nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2 echo "All apps started, please check target folder for logs." tail -f target/client.log -f target/gateway.log -f target/resource-server-1.log -f target/resource-server-2.log - -# you can kill the process with port -# kill -9 $(lsof -t -i tcp:) \ No newline at end of file diff --git a/aad/spring-security/terraform/main.tf b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf similarity index 100% rename from aad/spring-security/terraform/main.tf rename to aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf 
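Review bot: `mkdir -p .target` in the first hunk of run_all.sh creates a hidden `.target` directory, but every `nohup … > target/client.log` redirect below still writes into `target/`; unless that directory already exists from an earlier run, the shell fails each redirection with "No such file or directory" and none of the four apps are launched, after which `echo "All apps started, …"` reports success anyway. Either revert to `mkdir -p target` or switch the redirects and the `tail -f` paths in the second hunk to `.target/…` consistently. The top of the script, where the `export` lines live, is outside this hunk.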
diff --git a/aad/spring-security/terraform/outputs.tf b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/outputs.tf similarity index 100% rename from aad/spring-security/terraform/outputs.tf rename to aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/outputs.tf diff --git a/aad/spring-security/terraform/set_identifier_uris.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/set_identifier_uris.sh similarity index 65% rename from aad/spring-security/terraform/set_identifier_uris.sh rename to aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/set_identifier_uris.sh index a2690713b..9510b7167 100644 --- a/aad/spring-security/terraform/set_identifier_uris.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/set_identifier_uris.sh @@ -2,8 +2,10 @@ RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) # set identifier_uris +echo "----------update identifier-uris for RESOURCE_SERVER_1----------" az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID -az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID - +echo "----------update identifier-uris for RESOURCE_SERVER_2----------" +az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID +echo "----------update identifier-uris completed----------" diff --git a/aad/spring-security/terraform/setup_env.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/setup_env.sh similarity index 100% rename from aad/spring-security/terraform/setup_env.sh rename to aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/setup_env.sh 
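Review bot: The added `echo "----------update identifier-uris completed----------"` prints unconditionally, so a failed `az ad app update` (expired `az login`, or an empty `$RESOURCE_SERVER_1_CLIENT_ID` because no state was found) still reports completion. Chain the updates on their exit status or enable `set -euo pipefail` at the top of the file (above this hunk), and quote the expansions: `az ad app update --id "$RESOURCE_SERVER_1_CLIENT_ID" --identifier-uris "api://$RESOURCE_SERVER_1_CLIENT_ID"`. The first line of the file is outside the hunk.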
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md new file mode 100644 index 000000000..4754631e9 --- /dev/null +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md 
@@ -0,0 +1,104 @@ +# Spring Boot application with Azure Active Directory + + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# Into the directory of client-access-multiple-resource-server +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `source run_all.sh`. + +```shell +source run_all.sh +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh index a6a8d68be..096b9d23a 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh 
@@ -4,8 +4,11 @@ kill -9 $(lsof -t -i tcp:8080)
 kill -9 $(lsof -t -i tcp:8081)
 kill -9 $(lsof -t -i tcp:8082)
+mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl com.azure.spring:servlet-oauth2-client-access-multiple-resource-server-client-application,\
+com.azure.spring:servlet-oauth2-client-access-multiple-resource-server-resource-server-1-application,\
+com.azure.spring:servlet-oauth2-client-access-multiple-resource-server-resource-server-2-application
-export terraform_path="../../../terraform"
+export terraform_path="./terraform"
 export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
 export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
@@ -16,14 +19,15 @@ export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output
 export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME)
 export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD)
-echo "--------created user--------"
-echo USER_NAME=$USER_NAME
-echo USER_PASSWORD=$USER_PASSWORD
 echo "--------Running apps--------"
-mkdir -p target
+mkdir -p .target
 nohup java -jar client/target/*.jar > target/client.log 2>&1 &
 nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 &
 nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 &
 sleep 10
 echo "All apps started, please check target folder for logs."
+echo "You can use the user info below to login."
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf
new file mode 100644
index 000000000..7c0b098fd
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf
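Review bot: In the second hunk `mkdir -p .target` creates a hidden directory, while the three `nohup` lines directly below it still redirect to `target/client.log`, `target/resource-server-1.log` and `target/resource-server-2.log`, so unless a `target/` directory already exists at the sample root the redirections fail and the applications never start. Either keep `mkdir -p target` or move the three log paths (and the closing "please check target folder" message) to `.target/`. The same `.target`/`target/` mismatch is in the `run_all.sh` hunks for client-access-resource-server and login later in this patch.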
@@ -0,0 +1,249 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "2.19.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +resource "random_string" "random" { + length = 5 + min_lower = 5 + special = false +} + +resource "random_uuid" "resource-server-1-scope-1" { +} + +resource "random_uuid" "resource-server-1-scope-2" { +} + +resource "random_uuid" "resource-server-2-scope-1" { +} + +resource "random_uuid" "resource-server-2-scope-2" { +} + +resource "random_uuid" "resource-server-1-role-1" { +} + +resource "random_uuid" "resource-server-1-role-2" { +} + +data "azuread_client_config" "current" {} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure client-1 +resource "azuread_application" "client-1" { + display_name = "client-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-1", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-2"] + + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } +} + + +# Configure resource-server-2 +resource "azuread_application" "resource-server-2" { + display_name = "resource-server-2" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-1" + 
admin_consent_display_name = "resource-server-2.scope-1" + enabled = true + id = random_uuid.resource-server-2-scope-1.result + type = "User" + value = "resource-server-2.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-2" + admin_consent_display_name = "resource-server-2.scope-2" + enabled = true + id = random_uuid.resource-server-2-scope-2.result + type = "User" + value = "resource-server-2.scope-2" + } + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + + +# Configure resource-server-1 +resource "azuread_application" "resource-server-1" { + display_name = "resource-server-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-1" + admin_consent_display_name = "resource-server-1.scope-1" + enabled = true + id = random_uuid.resource-server-1-scope-1.result + type = "User" + value = "resource-server-1.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-2" + admin_consent_display_name = "resource-server-1.scope-2" + enabled = true + id = random_uuid.resource-server-1-scope-2.result + type = "User" + value = "resource-server-1.scope-2" + } + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-2" + display_name = "resource-server-1-role-2" + enabled = true + id = random_uuid.resource-server-1-role-2.result + value = "resource-server-1-role-2" + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-1" + display_name = "resource-server-1-role-1" + enabled = true + id = random_uuid.resource-server-1-role-1.result + value = 
"resource-server-1-role-1" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 + + # need grant + resource_access { + id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/"] + } +} + +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.resource-server-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id + claim_values = ["resource-server-2.scope-1"] +} + +resource "azuread_service_principal" "client-1" { + application_id = azuread_application.client-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-1" { + application_id = azuread_application.resource-server-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-2" { + application_id = azuread_application.resource-server-2.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + + +resource "azuread_application_password" "client-1" { + application_object_id = azuread_application.client-1.object_id +} + + +resource "azuread_application_password" "resource-server-1" { + application_object_id = azuread_application.resource-server-1.object_id +} + +# Retrieve domain information +data "azuread_domains" "example" { + only_initial = true +} + +# Create a user +resource 
"azuread_user" "user" {
+ user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}"
+ display_name = "security"
+ password = "Azure123456@"
+}
+
+resource "null_resource" "set_env" {
+ triggers = {
+ application_id = azuread_service_principal.resource-server-1.application_id
+ }
+
+ provisioner "local-exec" {
+ command = "/bin/bash set_identifier_uris.sh"
+ }
+}
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf
new file mode 100644
index 000000000..31573b191
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf
@@ -0,0 +1,34 @@
+output "TENANT_ID" {
+ value = data.azuread_client_config.current.tenant_id
+}
+
+output "CLIENT_1_CLIENT_ID" {
+ value = azuread_application.client-1.application_id
+}
+
+output "RESOURCE_SERVER_1_CLIENT_ID" {
+ value = azuread_application.resource-server-1.application_id
+}
+
+output "RESOURCE_SERVER_2_CLIENT_ID" {
+ value = azuread_application.resource-server-2.application_id
+}
+
+output "CLIENT_1_CLIENT_SECRET" {
+ value = azuread_application_password.client-1.value
+ sensitive = true
+}
+
+output "RESOURCE_SERVER_1_CLIENT_SECRET" {
+ value = azuread_application_password.resource-server-1.value
+ sensitive = true
+}
+
+output "USER_NAME" {
+ value = azuread_user.user.user_principal_name
+}
+
+output "USER_PASSWORD" {
+ value = azuread_user.user.password
+ sensitive = true
+}
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/set_identifier_uris.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/set_identifier_uris.sh
new file mode 100644
index 000000000..9510b7167
--- /dev/null
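Review bot: The `azuread_user` resource at the end of this hunk sets `password = "Azure123456@"`, so every deployment of the sample creates a real directory user with the same password that is committed to the repository, and because `outputs.tf` exposes it as `USER_PASSWORD` the setup scripts go on to print it. Generating it with the `random` provider already declared in `required_providers` removes the fixed credential without touching the outputs or scripts, which keep reading `azuread_user.user.password`. The `main.tf` added for client-access-resource-server later in this patch is the same blob and needs the same change. Separately, `client-1` enables `access_token_issuance_enabled = true` under `implicit_grant`; if the client only uses the authorization-code flow, which the `/login/oauth2/code/` redirect URIs suggest, that setting can be dropped.
```hcl
# Generate the sample user's password instead of committing a fixed one
resource "random_password" "user" {
  length      = 16
  min_lower   = 1
  min_upper   = 1
  min_numeric = 1
  min_special = 1
}

# Create a user
resource "azuread_user" "user" {
  user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}"
  display_name        = "security"
  password            = random_password.user.result
}
# … unchanged: null_resource "set_env" …
```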
+++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/set_identifier_uris.sh
@@ -0,0 +1,11 @@
+RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+
+# set identifier_uris
+echo "----------update identifier-uris for RESOURCE_SERVER_1----------"
+az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID
+
+echo "----------update identifier-uris for RESOURCE_SERVER_2----------"
+az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID
+
+echo "----------update identifier-uris completed----------"
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh
new file mode 100644
index 000000000..926eb7c26
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh
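Review bot: Neither `terraform output` call is checked, so if one fails the script still runs `az ad app update --id  --identifier-uris api://` with empty values, and the unquoted expansions go through word splitting; since `null_resource.set_env` only re-triggers when the application id changes, a failed run is not retried on the next apply either. Start the script with `set -euo pipefail` so a failed lookup aborts the apply visibly, and quote the expansions, e.g. `az ad app update --id "$RESOURCE_SERVER_1_CLIENT_ID" --identifier-uris "api://$RESOURCE_SERVER_1_CLIENT_ID"`. The identical `set_identifier_uris.sh` added for client-access-resource-server later in this patch has the same gap.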
@@ -0,0 +1,19 @@
+export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
+
diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md b/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md
new file mode 100644
index 000000000..4754631e9
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md
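Review bot: `echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET` and `echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET` print the two values that `outputs.tf` deliberately marks `sensitive = true`, so the client secrets land in terminal scrollback and in any CI or session log of `source ./terraform/setup_env.sh`; the `export` lines alone are what the applications need. Drop those two echoes, or print only that the variable was populated, e.g. `echo "CLIENT_1_CLIENT_SECRET=<set>"`. The `USER_PASSWORD` echo is at least intentional for the demo login, but it is also already printed by `run_all.sh`, so it could go too. The copy of this script for client-access-resource-server later in the patch has the same lines.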
@@ -0,0 +1,104 @@ +# Spring Boot application with Azure Active Directory + + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# Into the directory of client-access-multiple-resource-server +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `source run_all.sh`. + +```shell +source run_all.sh +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh index 6005ede5e..bf3afcf4a 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh 
@@ -1,22 +1,32 @@
 #!/usr/bin/env bash
-export terraform_path="../../../terraform"
+kill -9 $(lsof -t -i tcp:8080)
+kill -9 $(lsof -t -i tcp:8081)
+
+mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl \
+com.azure.spring:servlet-oauth2-client-access-resource-server-client-application,\
+com.azure.spring:servlet-oauth2-client-access-resource-server-resource-server-application
+
+export terraform_path="./terraform"
 export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
 export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
 export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET)
 export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD)
 echo "Running apps"
-mkdir -p target
+mkdir -p .target
+echo "Running app client---------"
 nohup java -jar client/target/*.jar > target/client.log 2>&1 &
+echo "Running resource-server ---------"
 nohup java -jar resource-server/target/*.jar > target/resource-server-1.log 2>&1 &
 sleep 10
-echo "All apps started, please check target folder for logs."
-
-tail -f target/client.log -f target/resource-server.log
-
-# you can kill the process with port
-# kill -9 $(lsof -t -i tcp:)
\ No newline at end of file
+echo "All apps started, please check target folder for logs."
+echo "You can use the user info below to login."
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf
new file mode 100644
index 000000000..7c0b098fd
--- /dev/null
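Review bot: The new `kill -9 $(lsof -t -i tcp:8080)` and `kill -9 $(lsof -t -i tcp:8081)` lines send SIGKILL to whatever process happens to own the port, not only a previous run of this sample, and when nothing is listening `kill` is invoked with no PID and prints a usage error at the top of every run. `lsof -t -i tcp:8080 | xargs kill` gives the same cleanup with SIGTERM, so a running Spring Boot instance can shut down cleanly (GNU xargs needs `-r` to skip the call on empty input; BSD xargs skips it by default). The login `run_all.sh` added later in this patch uses the same `kill -9` line.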
+++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf 
@@ -0,0 +1,249 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "2.19.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +resource "random_string" "random" { + length = 5 + min_lower = 5 + special = false +} + +resource "random_uuid" "resource-server-1-scope-1" { +} + +resource "random_uuid" "resource-server-1-scope-2" { +} + +resource "random_uuid" "resource-server-2-scope-1" { +} + +resource "random_uuid" "resource-server-2-scope-2" { +} + +resource "random_uuid" "resource-server-1-role-1" { +} + +resource "random_uuid" "resource-server-1-role-2" { +} + +data "azuread_client_config" "current" {} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure client-1 +resource "azuread_application" "client-1" { + display_name = "client-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-1", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-2"] + + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } +} + + +# Configure resource-server-2 +resource "azuread_application" "resource-server-2" { + display_name = "resource-server-2" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-1" + 
admin_consent_display_name = "resource-server-2.scope-1" + enabled = true + id = random_uuid.resource-server-2-scope-1.result + type = "User" + value = "resource-server-2.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-2" + admin_consent_display_name = "resource-server-2.scope-2" + enabled = true + id = random_uuid.resource-server-2-scope-2.result + type = "User" + value = "resource-server-2.scope-2" + } + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + + +# Configure resource-server-1 +resource "azuread_application" "resource-server-1" { + display_name = "resource-server-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-1" + admin_consent_display_name = "resource-server-1.scope-1" + enabled = true + id = random_uuid.resource-server-1-scope-1.result + type = "User" + value = "resource-server-1.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-2" + admin_consent_display_name = "resource-server-1.scope-2" + enabled = true + id = random_uuid.resource-server-1-scope-2.result + type = "User" + value = "resource-server-1.scope-2" + } + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-2" + display_name = "resource-server-1-role-2" + enabled = true + id = random_uuid.resource-server-1-role-2.result + value = "resource-server-1-role-2" + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-1" + display_name = "resource-server-1-role-1" + enabled = true + id = random_uuid.resource-server-1-role-1.result + value = 
"resource-server-1-role-1" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 + + # need grant + resource_access { + id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/"] + } +} + +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.resource-server-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id + claim_values = ["resource-server-2.scope-1"] +} + +resource "azuread_service_principal" "client-1" { + application_id = azuread_application.client-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-1" { + application_id = azuread_application.resource-server-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-2" { + application_id = azuread_application.resource-server-2.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + + +resource "azuread_application_password" "client-1" { + application_object_id = azuread_application.client-1.object_id +} + + +resource "azuread_application_password" "resource-server-1" { + application_object_id = azuread_application.resource-server-1.object_id +} + +# Retrieve domain information +data "azuread_domains" "example" { + only_initial = true +} + +# Create a user +resource 
"azuread_user" "user" {
+ user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}"
+ display_name = "security"
+ password = "Azure123456@"
+}
+
+resource "null_resource" "set_env" {
+ triggers = {
+ application_id = azuread_service_principal.resource-server-1.application_id
+ }
+
+ provisioner "local-exec" {
+ command = "/bin/bash set_identifier_uris.sh"
+ }
+}
diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf
new file mode 100644
index 000000000..31573b191
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf
@@ -0,0 +1,34 @@
+output "TENANT_ID" {
+ value = data.azuread_client_config.current.tenant_id
+}
+
+output "CLIENT_1_CLIENT_ID" {
+ value = azuread_application.client-1.application_id
+}
+
+output "RESOURCE_SERVER_1_CLIENT_ID" {
+ value = azuread_application.resource-server-1.application_id
+}
+
+output "RESOURCE_SERVER_2_CLIENT_ID" {
+ value = azuread_application.resource-server-2.application_id
+}
+
+output "CLIENT_1_CLIENT_SECRET" {
+ value = azuread_application_password.client-1.value
+ sensitive = true
+}
+
+output "RESOURCE_SERVER_1_CLIENT_SECRET" {
+ value = azuread_application_password.resource-server-1.value
+ sensitive = true
+}
+
+output "USER_NAME" {
+ value = azuread_user.user.user_principal_name
+}
+
+output "USER_PASSWORD" {
+ value = azuread_user.user.password
+ sensitive = true
+}
diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh
new file mode 100644
index 000000000..9510b7167
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh
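Review bot: This `main.tf` is the same blob (index `7c0b098fd`) added for client-access-multiple-resource-server, so the single-resource-server sample also registers `resource-server-2` with two scopes and a service principal, grants resource-server-1 delegated access to `resource-server-2.scope-1`, and exports `RESOURCE_SERVER_2_CLIENT_ID` — while this sample's `run_all.sh` starts only `client` and `resource-server` and exports only `RESOURCE_SERVER_1_CLIENT_ID`, so these objects appear to be unused. Trimming the file (and `set_identifier_uris.sh`, which updates both registrations) to client-1, resource-server-1 and the user keeps the app registrations and consent grants created in the tenant down to what the sample exercises, and leaves less for `terraform destroy` to clean up. The hard-coded user password and the `implicit_grant` setting raised on the earlier copy apply here unchanged.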
@@ -0,0 +1,11 @@
+RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+
+# set identifier_uris
+echo "----------update identifier-uris for RESOURCE_SERVER_1----------"
+az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID
+
+echo "----------update identifier-uris for RESOURCE_SERVER_2----------"
+az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID
+
+echo "----------update identifier-uris completed----------"
diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/setup_env.sh
new file mode 100644
index 000000000..926eb7c26
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/setup_env.sh
@@ -0,0 +1,19 @@
+export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
+
diff --git a/aad/spring-security/servlet/oauth2/login/README.md b/aad/spring-security/servlet/oauth2/login/README.md
new file mode 100644
index 000000000..4754631e9
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/login/README.md
@@ -0,0 +1,104 @@ +# Spring Boot application with Azure Active Directory + + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# Into the directory of client-access-multiple-resource-server +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `source run_all.sh`. + +```shell +source run_all.sh +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-security/servlet/oauth2/login/run_all.sh b/aad/spring-security/servlet/oauth2/login/run_all.sh new file mode 100644 index 000000000..0bd6a5174 --- /dev/null +++ b/aad/spring-security/servlet/oauth2/login/run_all.sh 
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+kill -9 $(lsof -t -i tcp:8080)
+
+mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl \
+com.azure.spring:servlet-oauth2-login
+
+export terraform_path="../../../terraform"
+
+export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET)
+
+export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD)
+
+echo "Running apps"
+mkdir -p .target
+echo "Running login---------"
+sleep 5
+nohup java -jar target/*.jar > target/login.log 2>&1 &
+
+
+echo "App login started, please check target folder for logs."
+echo "You can use the user info below to login."
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md
new file mode 100644
index 000000000..4754631e9
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md
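Review bot: `export terraform_path="../../../terraform"` points three directories up, whereas the README added alongside this script sources `./terraform/setup_env.sh` and the other two `run_all.sh` files in this patch were changed to `export terraform_path="./terraform"`; if the login sample's state lives in `./terraform` like the others, every `terraform output` call here fails and `TENANT_ID`, `CLIENT_1_CLIENT_ID`, `CLIENT_1_CLIENT_SECRET`, `USER_NAME` and `USER_PASSWORD` are exported empty, which only surfaces later as a confusing Spring startup failure. Change it to `export terraform_path="./terraform"`, or, if this sample intentionally shares a parent-level Terraform state, say so in a comment on that line. No `terraform/` files for login are visible in this part of the patch, so I cannot tell which is intended.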
@@ -0,0 +1,104 @@ +# Spring Boot application with Azure Active Directory + + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# Into the directory of client-access-multiple-resource-server +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `source run_all.sh`. + +```shell +source run_all.sh +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh index 78ba78505..ac7ff85fb 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh 
@@ -1,18 +1,31 @@ #!/usr/bin/env bash -export terraform_path="../../../terraform" +kill -9 $(lsof -t -i tcp:8080) +kill -9 $(lsof -t -i tcp:8081) + +mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl \ +com.azure.spring:servlet-oauth2-resource-server-check-permissions-by-claims-in-access-token-client-application,\ +com.azure.spring:servlet-oauth2-resource-server-check-permissions-by-claims-in-access-token-resource-server-application + +export terraform_path="./terraform" export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID) export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET) export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID) - echo "Running apps" -mkdir -p target +mkdir -p .target +echo "Running client-----------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & +echo "Running resource-server-----------" nohup java -jar resource-server/target/*.jar > target/resource-server-1.log 2>&1 & sleep 10 -echo "All apps started, please check target folder for logs." -tail -f target/client.log -f target/resource-server.log +echo "All apps started, please check target folder for logs." +echo "You can use the user info below to login." +echo "--------created user--------" +export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) +echo USER_NAME=$USER_NAME +echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf new file mode 100644 index 000000000..7c0b098fd --- /dev/null 
+++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf 
@@ -0,0 +1,249 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "2.19.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +resource "random_string" "random" { + length = 5 + min_lower = 5 + special = false +} + +resource "random_uuid" "resource-server-1-scope-1" { +} + +resource "random_uuid" "resource-server-1-scope-2" { +} + +resource "random_uuid" "resource-server-2-scope-1" { +} + +resource "random_uuid" "resource-server-2-scope-2" { +} + +resource "random_uuid" "resource-server-1-role-1" { +} + +resource "random_uuid" "resource-server-1-role-2" { +} + +data "azuread_client_config" "current" {} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure client-1 +resource "azuread_application" "client-1" { + display_name = "client-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-1", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-2"] + + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } +} + + +# Configure resource-server-2 +resource "azuread_application" "resource-server-2" { + display_name = "resource-server-2" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-1" + 
admin_consent_display_name = "resource-server-2.scope-1" + enabled = true + id = random_uuid.resource-server-2-scope-1.result + type = "User" + value = "resource-server-2.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-2" + admin_consent_display_name = "resource-server-2.scope-2" + enabled = true + id = random_uuid.resource-server-2-scope-2.result + type = "User" + value = "resource-server-2.scope-2" + } + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + + +# Configure resource-server-1 +resource "azuread_application" "resource-server-1" { + display_name = "resource-server-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-1" + admin_consent_display_name = "resource-server-1.scope-1" + enabled = true + id = random_uuid.resource-server-1-scope-1.result + type = "User" + value = "resource-server-1.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-2" + admin_consent_display_name = "resource-server-1.scope-2" + enabled = true + id = random_uuid.resource-server-1-scope-2.result + type = "User" + value = "resource-server-1.scope-2" + } + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-2" + display_name = "resource-server-1-role-2" + enabled = true + id = random_uuid.resource-server-1-role-2.result + value = "resource-server-1-role-2" + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-1" + display_name = "resource-server-1-role-1" + enabled = true + id = random_uuid.resource-server-1-role-1.result + value = 
"resource-server-1-role-1" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 + + # need grant + resource_access { + id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/"] + } +} + +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.resource-server-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id + claim_values = ["resource-server-2.scope-1"] +} + +resource "azuread_service_principal" "client-1" { + application_id = azuread_application.client-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-1" { + application_id = azuread_application.resource-server-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-2" { + application_id = azuread_application.resource-server-2.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + + +resource "azuread_application_password" "client-1" { + application_object_id = azuread_application.client-1.object_id +} + + +resource "azuread_application_password" "resource-server-1" { + application_object_id = azuread_application.resource-server-1.object_id +} + +# Retrieve domain information +data "azuread_domains" "example" { + only_initial = true +} + +# Create a user +resource 
"azuread_user" "user" { + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "security" + password = "Azure123456@" +} + +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.resource-server-1.application_id + } + + provisioner "local-exec" { + command = "/bin/bash set_identifier_uris.sh" + } +} diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf new file mode 100644 index 000000000..31573b191 --- /dev/null +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf @@ -0,0 +1,34 @@ +output "TENANT_ID" { + value = data.azuread_client_config.current.tenant_id +} + +output "CLIENT_1_CLIENT_ID" { + value = azuread_application.client-1.application_id +} + +output "RESOURCE_SERVER_1_CLIENT_ID" { + value = azuread_application.resource-server-1.application_id +} + +output "RESOURCE_SERVER_2_CLIENT_ID" { + value = azuread_application.resource-server-2.application_id +} + +output "CLIENT_1_CLIENT_SECRET" { + value = azuread_application_password.client-1.value + sensitive = true +} + +output "RESOURCE_SERVER_1_CLIENT_SECRET" { + value = azuread_application_password.resource-server-1.value + sensitive = true +} + +output "USER_NAME" { + value = azuread_user.user.user_principal_name +} + +output "USER_PASSWORD" { + value = azuread_user.user.password + sensitive = true +} diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh new file mode 100644 index 000000000..9510b7167 --- /dev/null 
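Review bot: The `azuread_user` resource at the end of main.tf sets `password = "Azure123456@"`, a fixed credential committed to the repository and shared by every tenant this sample is applied to; it also lands in Terraform state and in the `USER_PASSWORD` output, which outputs.tf marks sensitive for no gain when the value is readable in source. Generating it with the `random` provider the file already pins removes the static secret, as sketched below; the identical main.tf blob added under resource-server-support-on-behalf-of-flow needs the same change. Separately, `client-1` enables `implicit_grant` for both access and ID tokens although its redirect URIs are authorization-code endpoints (`/login/oauth2/code/...`); unless the sample actually uses the implicit flow, that block should be dropped so the app registration stays minimal.
```hcl
resource "random_password" "user" {
  length      = 16
  min_lower   = 1
  min_upper   = 1
  min_numeric = 1
  min_special = 1
}

# Create a user
resource "azuread_user" "user" {
  # … unchanged: user_principal_name, display_name …
  password = random_password.user.result
}
```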
+++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh
@@ -0,0 +1,11 @@
+RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+
+# set identifier_uris
+echo "----------update identifier-uris for RESOURCE_SERVER_1----------"
+az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID
+
+echo "----------update identifier-uris for RESOURCE_SERVER_2----------"
+az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID
+
+echo "----------update identifier-uris completed----------"
diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh
new file mode 100644
index 000000000..926eb7c26
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh
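Review bot: The script has no shebang and no `set -euo pipefail`, so when `terraform output` fails (it relies on the provisioner's working directory being the terraform directory, since no `-chdir` is given) both variables are empty and `az ad app update --id '' --identifier-uris api://` runs against an empty id; add `set -euo pipefail` as the first line and quote the expansions, e.g. `az ad app update --id "$RESOURCE_SERVER_1_CLIENT_ID" --identifier-uris "api://$RESOURCE_SERVER_1_CLIENT_ID"`. Because the identifier URIs are set outside Terraform, they are invisible to plan and may show up as drift, or be reverted, on a later apply of the `azuread_application` resources; a comment stating why this is done via the CLI, such as `# identifier_uris embed the app id, which is only known after create; set here, not managed in state`, would save the next maintainer a round trip. The same script is added verbatim under resource-server-support-on-behalf-of-flow.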
@@ -0,0 +1,19 @@
+export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
+
diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md
new file mode 100644
index 000000000..4754631e9
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md
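Review bot: `echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET`, `echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET` and `echo USER_PASSWORD=$USER_PASSWORD` print values that outputs.tf deliberately marks `sensitive = true`, so they end up in terminal scrollback and in any CI log that sources this file. The exports are all the application needs; the two client-secret echoes can be dropped outright, and the README only asks the reader to keep the created-user line, so a neutral `echo "CLIENT_1_CLIENT_SECRET=<exported>"` keeps the visual confirmation without the value. The same file is added verbatim under resource-server-support-on-behalf-of-flow.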
@@ -0,0 +1,104 @@ +# Spring Boot application with Azure Active Directory + + +## What You Need + +- [An Azure subscription](https://azure.microsoft.com/free/) +- [Terraform](https://www.terraform.io/) +- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) +- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later +- Maven +- You can also import the code straight into your IDE: + - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) + +## Provision Azure Resources Required to Run This Sample + +### Authenticate Using the Azure CLI +Terraform must authenticate to Azure to create infrastructure. + +In your terminal, use the Azure CLI tool to setup your account permissions locally. + +```shell +az login --tenant [your-tenant] --allow-no-subscriptions +``` + +Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. + +```shell +You have logged in. Now let us find all the subscriptions to which you have access... + +[ + { + "cloudName": "AzureCloud", + "homeTenantId": "home-Tenant-Id", + "id": "subscription-id", + "isDefault": true, + "managedByTenants": [], + "name": "Subscription-Name", + "state": "Enabled", + "tenantId": "0envbwi39-TenantId", + "user": { + "name": "your-username@domain.com", + "type": "user" + } + } +] +``` + +### Provision the Resources + +After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. + +#### Run with Bash + +```shell +# Into the directory of client-access-multiple-resource-server +# Initialize your Terraform configuration +terraform -chdir=./terraform init + +# Apply your Terraform Configuration +terraform -chdir=./terraform apply -auto-approve + +``` + +It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: + +```shell +... +Apply complete! Resources: * added, * changed, * destroyed. + +``` + +You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. + +### Export Output to Your Local Environment +Running the command below to export environment values: + +#### Run with Bash + +```shell +source ./terraform/setup_env.sh +``` + +## Run Locally + +In your current terminal, run `source run_all.sh`. + +```shell +source run_all.sh +``` + +## Verify This Sample + + +## Clean Up Resources +After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. + +The terraform destroy command terminates resources managed by your Terraform project. +To destroy the resources you created. + +#### Run with Bash + +```shell +terraform -chdir=./terraform destroy -auto-approve +``` diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh index a38e9ea4a..1dfd50028 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh 
@@ -1,6 +1,15 @@ #!/usr/bin/env bash -export terraform_path="../../../terraform" +kill -9 $(lsof -t -i tcp:8080) +kill -9 $(lsof -t -i tcp:8081) +kill -9 $(lsof -t -i tcp:8082) + +mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl \ +com.azure.spring:servlet-oauth2-resource-server-support-on-behalf-of-flow-client-application,\ +com.azure.spring:servlet-oauth2-resource-server-support-on-behalf-of-flow-resource-server-1-application,\ +com.azure.spring:servlet-oauth2-resource-server-support-on-behalf-of-flow-resource-server-2-application + +export terraform_path="./terraform" export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID) @@ -11,11 +20,19 @@ export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output echo "Running apps" -mkdir -p target +mkdir -p .target +echo "Running client-----------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & +echo "Running resource-server-1-----------" nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & +echo "Running resource-server-2-----------" nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & sleep 10 -echo "All apps started, please check target folder for logs." -tail -f target/client.log -f target/resource-server-1.log -f target/resource-server-2.log +echo "All apps started, please check target folder for logs." +echo "You can use the user info below to login." +echo "--------created user--------" +export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) +echo USER_NAME=$USER_NAME +echo USER_PASSWORD=$USER_PASSWORD 
diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf new file mode 100644 index 000000000..7c0b098fd --- /dev/null +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf 
@@ -0,0 +1,249 @@ +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "2.19.0" + } + random = { + source = "hashicorp/random" + version = "3.1.0" + } + null = { + source = "hashicorp/null" + version = "3.1.0" + } + } +} + +resource "random_string" "random" { + length = 5 + min_lower = 5 + special = false +} + +resource "random_uuid" "resource-server-1-scope-1" { +} + +resource "random_uuid" "resource-server-1-scope-2" { +} + +resource "random_uuid" "resource-server-2-scope-1" { +} + +resource "random_uuid" "resource-server-2-scope-2" { +} + +resource "random_uuid" "resource-server-1-role-1" { +} + +resource "random_uuid" "resource-server-1-role-2" { +} + +data "azuread_client_config" "current" {} + +# Configure the Azure Active Directory Provider +provider "azuread" { +} + +# Configure client-1 +resource "azuread_application" "client-1" { + display_name = "client-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-1", + "http://localhost:8080/login/oauth2/code/client-1-resource-server-2"] + + implicit_grant { + access_token_issuance_enabled = true + id_token_issuance_enabled = true + } + } +} + + +# Configure resource-server-2 +resource "azuread_application" "resource-server-2" { + display_name = "resource-server-2" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-1" + 
admin_consent_display_name = "resource-server-2.scope-1" + enabled = true + id = random_uuid.resource-server-2-scope-1.result + type = "User" + value = "resource-server-2.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-2.scope-2" + admin_consent_display_name = "resource-server-2.scope-2" + enabled = true + id = random_uuid.resource-server-2-scope-2.result + type = "User" + value = "resource-server-2.scope-2" + } + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + + +# Configure resource-server-1 +resource "azuread_application" "resource-server-1" { + display_name = "resource-server-1" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-1" + admin_consent_display_name = "resource-server-1.scope-1" + enabled = true + id = random_uuid.resource-server-1-scope-1.result + type = "User" + value = "resource-server-1.scope-1" + } + + oauth2_permission_scope { + admin_consent_description = "resource-server-1.scope-2" + admin_consent_display_name = "resource-server-1.scope-2" + enabled = true + id = random_uuid.resource-server-1-scope-2.result + type = "User" + value = "resource-server-1.scope-2" + } + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-2" + display_name = "resource-server-1-role-2" + enabled = true + id = random_uuid.resource-server-1-role-2.result + value = "resource-server-1-role-2" + } + + app_role { + allowed_member_types = ["User"] + description = "resource-server-1-role-1" + display_name = "resource-server-1-role-1" + enabled = true + id = random_uuid.resource-server-1-role-1.result + value = 
"resource-server-1-role-1" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } + + required_resource_access { + resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 + + # need grant + resource_access { + id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 + type = "Scope" + } + } + + web { + redirect_uris = ["http://localhost:8080/login/oauth2/code/"] + } +} + +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.resource-server-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id + claim_values = ["resource-server-2.scope-1"] +} + +resource "azuread_service_principal" "client-1" { + application_id = azuread_application.client-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-1" { + application_id = azuread_application.resource-server-1.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + +resource "azuread_service_principal" "resource-server-2" { + application_id = azuread_application.resource-server-2.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + + +resource "azuread_application_password" "client-1" { + application_object_id = azuread_application.client-1.object_id +} + + +resource "azuread_application_password" "resource-server-1" { + application_object_id = azuread_application.resource-server-1.object_id +} + +# Retrieve domain information +data "azuread_domains" "example" { + only_initial = true +} + +# Create a user +resource 
"azuread_user" "user" { + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "security" + password = "Azure123456@" +} + +resource "null_resource" "set_env" { + triggers = { + application_id = azuread_service_principal.resource-server-1.application_id + } + + provisioner "local-exec" { + command = "/bin/bash set_identifier_uris.sh" + } +} diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf new file mode 100644 index 000000000..31573b191 --- /dev/null +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf @@ -0,0 +1,34 @@ +output "TENANT_ID" { + value = data.azuread_client_config.current.tenant_id +} + +output "CLIENT_1_CLIENT_ID" { + value = azuread_application.client-1.application_id +} + +output "RESOURCE_SERVER_1_CLIENT_ID" { + value = azuread_application.resource-server-1.application_id +} + +output "RESOURCE_SERVER_2_CLIENT_ID" { + value = azuread_application.resource-server-2.application_id +} + +output "CLIENT_1_CLIENT_SECRET" { + value = azuread_application_password.client-1.value + sensitive = true +} + +output "RESOURCE_SERVER_1_CLIENT_SECRET" { + value = azuread_application_password.resource-server-1.value + sensitive = true +} + +output "USER_NAME" { + value = azuread_user.user.user_principal_name +} + +output "USER_PASSWORD" { + value = azuread_user.user.password + sensitive = true +} diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/set_identifier_uris.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/set_identifier_uris.sh new file mode 100644 index 000000000..9510b7167 --- /dev/null 
+++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/set_identifier_uris.sh
@@ -0,0 +1,11 @@
+RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+
+# set identifier_uris
+echo "----------update identifier-uris for RESOURCE_SERVER_1----------"
+az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID
+
+echo "----------update identifier-uris for RESOURCE_SERVER_2----------"
+az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID
+
+echo "----------update identifier-uris completed----------"
diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh
new file mode 100644
index 000000000..926eb7c26
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh
@@ -0,0 +1,19 @@
+export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID)
+export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_ID)
+export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET)
+export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID
+echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
+
From 545e93aaa49c6732aba66867bdf68347739652d3 Mon Sep 17 00:00:00 2001
From: zhihaoguo
Date: Thu, 17 Mar 2022 22:23:19 +0800
Subject: [PATCH 18/38] update for login
---
.../servlet/oauth2/login/README.md | 16 +++-
.../servlet/oauth2/login/run_all.sh | 28 -------
.../servlet/oauth2/login/terraform/main.tf | 76 +++++++++++++++++++
.../servlet/oauth2/login/terraform/outputs.tf | 23 ++++++
.../oauth2/login/terraform/setup_env.sh | 13 ++++
5 files changed, 125 insertions(+), 31 deletions(-)
delete mode 100644 aad/spring-security/servlet/oauth2/login/run_all.sh
create mode 100644 aad/spring-security/servlet/oauth2/login/terraform/main.tf
create mode 100644 aad/spring-security/servlet/oauth2/login/terraform/outputs.tf
create mode 100644 aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh
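Review bot: `echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET` and `echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET` print the application secrets that outputs.tf marks `sensitive = true`, leaving them in terminal scrollback and in any CI log of the run, and nothing in the flow needs a human to read them because the apps take them from the exported variables. Drop those two lines or print a placeholder, e.g. `echo CLIENT_1_CLIENT_SECRET=<exported>`; the `USER_PASSWORD` echo is what the sample READMEs in this series ask users to copy, so it can stay. Since the file is meant to be `source`d, do not add `set -e` here — it would alter the caller's shell. The login sample's setup_env.sh later in this series echoes its client secret the same way.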
diff --git a/aad/spring-security/servlet/oauth2/login/README.md b/aad/spring-security/servlet/oauth2/login/README.md index 4754631e9..1051444f6 100644 --- a/aad/spring-security/servlet/oauth2/login/README.md +++ b/aad/spring-security/servlet/oauth2/login/README.md @@ -80,14 +80,24 @@ Running the command below to export environment values: source ./terraform/setup_env.sh ``` +You will see output like below, save this output of `created user` to login. +```shell +TENANT_ID=... +CLIENT_1_CLIENT_ID=... +CLIENT_1_CLIENT_SECRET=... +--------created user-------- +USER_NAME=... +USER_PASSWORD=... + +``` + ## Run Locally -In your current terminal, run `source run_all.sh`. +In your current terminal, run `mvn clean spring-boot:run`. ```shell -source run_all.sh +mvn clean spring-boot:run ``` - ## Verify This Sample diff --git a/aad/spring-security/servlet/oauth2/login/run_all.sh b/aad/spring-security/servlet/oauth2/login/run_all.sh deleted file mode 100644 index 0bd6a5174..000000000 --- a/aad/spring-security/servlet/oauth2/login/run_all.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/usr/bin/env bash - -kill -9 $(lsof -t -i tcp:8080) - -mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl \ -com.azure.spring:servlet-oauth2-login - -export terraform_path="../../../terraform" - -export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) -export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID) -export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET) - -export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) -export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) - -echo "Running apps" -mkdir -p .target -echo "Running login---------" -sleep 5 -nohup java -jar target/*.jar > target/login.log 2>&1 & - - -echo "App login started, please check target folder for logs." -echo "You can use the user info below to login." -echo "--------created user--------" -echo USER_NAME=$USER_NAME -echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/servlet/oauth2/login/terraform/main.tf b/aad/spring-security/servlet/oauth2/login/terraform/main.tf new file mode 100644 index 000000000..92c6df525 --- /dev/null +++ b/aad/spring-security/servlet/oauth2/login/terraform/main.tf 
@@ -0,0 +1,76 @@
+terraform {
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "2.19.0"
+ }
+ }
+}
+
+resource "random_string" "random" {
+ length = 5
+ min_lower = 5
+ special = false
+}
+
+data "azuread_client_config" "current" {}
+
+# Configure the Azure Active Directory Provider
+provider "azuread" {
+}
+
+# Configure client-1
+resource "azuread_application" "client-1" {
+ display_name = "client-1"
+
+ owners = [data.azuread_client_config.current.object_id]
+ # single tenant
+ sign_in_audience = "AzureADMyOrg"
+
+ api {
+ requested_access_token_version = 2
+ }
+
+ required_resource_access {
+ resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
+
+ resource_access {
+ id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+ type = "Scope"
+ }
+ }
+
+ web {
+ redirect_uris = ["http://localhost:8080/login/oauth2/code/"]
+
+ implicit_grant {
+ access_token_issuance_enabled = true
+ id_token_issuance_enabled = true
+ }
+ }
+}
+
+
+resource "azuread_service_principal" "client-1" {
+ application_id = azuread_application.client-1.application_id
+ app_role_assignment_required = false
+ owners = [data.azuread_client_config.current.object_id]
+}
+
+
+resource "azuread_application_password" "client-1" {
+ application_object_id = azuread_application.client-1.object_id
+}
+
+
+# Retrieve domain information
+data "azuread_domains" "example" {
+ only_initial = true
+}
+
+# Create a user
+resource "azuread_user" "user" {
+ user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}"
+ display_name = "security"
+ password = "Azure123456@"
+}
diff --git a/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf
new file mode 100644
index 000000000..edbed2964
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf
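Review bot: `password = "Azure123456@"` on `azuread_user.user` is a fixed credential committed to the repository for a real directory account, and this series reuses the same literal in every sample (the aad-resource-server-by-filter-stateless, aad-resource-server-by-filter and aad-web-application-and-resource-server main.tf hunks later on), so the password of every user these scripts create is public. Generate it with a `random_password` resource instead — the hashicorp/random provider is already in use through `random_string` but is not declared in `required_providers`, so it should be added there and pinned like azuread; the `USER_PASSWORD` output keeps working unchanged. Separately, the `implicit_grant` block turns on access-token and ID-token issuance although the only redirect URI is Spring's authorization-code callback `/login/oauth2/code/`, so the implicit flow is never used here and the block should be dropped or both flags set to `false`.
```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.19.0"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

# Generated per apply; never commit a literal password for a directory account.
resource "random_password" "user" {
  length      = 16
  special     = true
  min_lower   = 1
  min_upper   = 1
  min_numeric = 1
  min_special = 1
}

# … unchanged: random_string, client config, provider, client-1 application / service principal / password, azuread_domains …

resource "azuread_user" "user" {
  user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}"
  display_name        = "security"
  password            = random_password.user.result
}
```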
@@ -0,0 +1,23 @@
+output "TENANT_ID" {
+ value = data.azuread_client_config.current.tenant_id
+}
+
+output "CLIENT_1_CLIENT_ID" {
+ value = azuread_application.client-1.application_id
+}
+
+
+output "CLIENT_1_CLIENT_SECRET" {
+ value = azuread_application_password.client-1.value
+ sensitive = true
+}
+
+
+output "USER_NAME" {
+ value = azuread_user.user.user_principal_name
+}
+
+output "USER_PASSWORD" {
+ value = azuread_user.user.password
+ sensitive = true
+}
diff --git a/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh
new file mode 100644
index 000000000..5f222962d
--- /dev/null
+++ b/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh
@@ -0,0 +1,13 @@
+export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID)
+export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID)
+export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
+echo TENANT_ID=$TENANT_ID
+echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID
+echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET
+echo "--------created user--------"
+echo USER_NAME=$USER_NAME
+echo USER_PASSWORD=$USER_PASSWORD
+
From 9e2022a3960d723f1e57d50c0019cf9055bbb1bb Mon Sep 17 00:00:00 2001
From: zhihaoguo Date: Thu, 17 Mar 2022 22:38:55 +0800 Subject: [PATCH 19/38] update scripts: add random string for aad --- .../oauth2/spring-cloud-gateway/run_all.sh | 2 +- .../run_all.sh | 2 +- .../terraform/main.tf | 6 +- .../client-access-resource-server/run_all.sh | 2 +- .../terraform/main.tf | 73 +------------------ .../terraform/outputs.tf | 4 - .../terraform/set_identifier_uris.sh | 4 - .../servlet/oauth2/login/terraform/main.tf | 2 +- .../run_all.sh | 2 +- .../terraform/main.tf | 73 +------------------ .../terraform/outputs.tf | 4 - .../terraform/set_identifier_uris.sh | 3 - .../run_all.sh | 2 +- .../terraform/main.tf | 6 +- 14 files changed, 16 insertions(+), 169 deletions(-) diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh index a8fb01d13..9acda0d8f 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh @@ -11,7 +11,7 @@ export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output echo "Running apps" -mkdir -p .target +mkdir -p target nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar gateway/target/*.jar > target/gateway.log 2>&1 & nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh index 096b9d23a..6f33266b8 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh 
@@ -21,7 +21,7 @@ export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWO echo "--------Running apps--------" -mkdir -p .target +mkdir -p target nohup java -jar client/target/*.jar > target/client.log 2>&1 & nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf index 7c0b098fd..64a3ec2d7 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf @@ -47,7 +47,7 @@ provider "azuread" { # Configure client-1 resource "azuread_application" "client-1" { - display_name = "client-1" + display_name = "client-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant @@ -81,7 +81,7 @@ resource "azuread_application" "client-1" { # Configure resource-server-2 resource "azuread_application" "resource-server-2" { - display_name = "resource-server-2" + display_name = "resource-server-2-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant @@ -122,7 +122,7 @@ resource "azuread_application" "resource-server-2" { # Configure resource-server-1 resource "azuread_application" "resource-server-1" { - display_name = "resource-server-1" + display_name = "resource-server-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh index bf3afcf4a..9f0a63855 100644 
--- a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh @@ -18,7 +18,7 @@ export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) echo "Running apps" -mkdir -p .target +mkdir -p target echo "Running app client---------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & echo "Running resource-server ---------" diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf index 7c0b098fd..aeec35560 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf @@ -27,12 +27,6 @@ resource "random_uuid" "resource-server-1-scope-1" { resource "random_uuid" "resource-server-1-scope-2" { } -resource "random_uuid" "resource-server-2-scope-1" { -} - -resource "random_uuid" "resource-server-2-scope-2" { -} - resource "random_uuid" "resource-server-1-role-1" { } @@ -47,7 +41,7 @@ provider "azuread" { # Configure client-1 resource "azuread_application" "client-1" { - display_name = "client-1" + display_name = "client-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
@@ -79,50 +73,10 @@ resource "azuread_application" "client-1" { } -# Configure resource-server-2 -resource "azuread_application" "resource-server-2" { - display_name = "resource-server-2" - - owners = [data.azuread_client_config.current.object_id] - # single tenant - sign_in_audience = "AzureADMyOrg" - - api { - requested_access_token_version = 2 - - oauth2_permission_scope { - admin_consent_description = "resource-server-2.scope-1" - admin_consent_display_name = "resource-server-2.scope-1" - enabled = true - id = random_uuid.resource-server-2-scope-1.result - type = "User" - value = "resource-server-2.scope-1" - } - - oauth2_permission_scope { - admin_consent_description = "resource-server-2.scope-2" - admin_consent_display_name = "resource-server-2.scope-2" - enabled = true - id = random_uuid.resource-server-2-scope-2.result - type = "User" - value = "resource-server-2.scope-2" - } - } - - required_resource_access { - resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph - - resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - type = "Scope" - } - } -} - # Configure resource-server-1 resource "azuread_application" "resource-server-1" { - display_name = "resource-server-1" + display_name = "resource-server-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
@@ -177,27 +131,11 @@ resource "azuread_application" "resource-server-1" { } } - required_resource_access { - resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 - - # need grant - resource_access { - id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 - type = "Scope" - } - } - web { redirect_uris = ["http://localhost:8080/login/oauth2/code/"] } } -resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { - service_principal_object_id = azuread_service_principal.resource-server-1.object_id - resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id - claim_values = ["resource-server-2.scope-1"] -} - resource "azuread_service_principal" "client-1" { application_id = azuread_application.client-1.application_id app_role_assignment_required = false @@ -210,13 +148,6 @@ resource "azuread_service_principal" "resource-server-1" { owners = [data.azuread_client_config.current.object_id] } -resource "azuread_service_principal" "resource-server-2" { - application_id = azuread_application.resource-server-2.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] -} - - resource "azuread_application_password" "client-1" { application_object_id = azuread_application.client-1.object_id } diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf index 31573b191..0b39fc700 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf 
@@ -10,10 +10,6 @@ output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id } -output "RESOURCE_SERVER_2_CLIENT_ID" { - value = azuread_application.resource-server-2.application_id -} - output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh index 9510b7167..b316f5d50 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/set_identifier_uris.sh @@ -1,11 +1,7 @@ RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) # set identifier_uris echo "----------update identifier-uris for RESOURCE_SERVER_1----------" az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID -echo "----------update identifier-uris for RESOURCE_SERVER_2----------" -az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID - echo "----------update identifier-uris completed----------" diff --git a/aad/spring-security/servlet/oauth2/login/terraform/main.tf b/aad/spring-security/servlet/oauth2/login/terraform/main.tf index 92c6df525..1523fc071 100644 --- a/aad/spring-security/servlet/oauth2/login/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/login/terraform/main.tf @@ -21,7 +21,7 @@ provider "azuread" { # Configure client-1 resource "azuread_application" "client-1" { - display_name = "client-1" + display_name = "client-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh index ac7ff85fb..8800315d6 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh @@ -15,7 +15,7 @@ export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLI export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_ID) echo "Running apps" -mkdir -p .target +mkdir -p target echo "Running client-----------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & echo "Running resource-server-----------" diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf index 7c0b098fd..241bde605 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf @@ -27,12 +27,6 @@ resource "random_uuid" "resource-server-1-scope-1" { resource "random_uuid" "resource-server-1-scope-2" { } -resource "random_uuid" "resource-server-2-scope-1" { -} - -resource "random_uuid" "resource-server-2-scope-2" { -} - resource "random_uuid" "resource-server-1-role-1" { } @@ -47,7 +41,7 @@ provider "azuread" { # Configure client-1 resource "azuread_application" "client-1" { - display_name = "client-1" + display_name = "client-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
@@ -79,50 +73,9 @@ resource "azuread_application" "client-1" { } -# Configure resource-server-2 -resource "azuread_application" "resource-server-2" { - display_name = "resource-server-2" - - owners = [data.azuread_client_config.current.object_id] - # single tenant - sign_in_audience = "AzureADMyOrg" - - api { - requested_access_token_version = 2 - - oauth2_permission_scope { - admin_consent_description = "resource-server-2.scope-1" - admin_consent_display_name = "resource-server-2.scope-1" - enabled = true - id = random_uuid.resource-server-2-scope-1.result - type = "User" - value = "resource-server-2.scope-1" - } - - oauth2_permission_scope { - admin_consent_description = "resource-server-2.scope-2" - admin_consent_display_name = "resource-server-2.scope-2" - enabled = true - id = random_uuid.resource-server-2-scope-2.result - type = "User" - value = "resource-server-2.scope-2" - } - } - - required_resource_access { - resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph - - resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - type = "Scope" - } - } -} - - # Configure resource-server-1 resource "azuread_application" "resource-server-1" { - display_name = "resource-server-1" + display_name = "resource-server-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
@@ -177,27 +130,11 @@ resource "azuread_application" "resource-server-1" { } } - required_resource_access { - resource_app_id = azuread_application.resource-server-2.application_id # Resource server 2 - - # need grant - resource_access { - id = random_uuid.resource-server-2-scope-1.result # resource-server-2.scope-1 - type = "Scope" - } - } - web { redirect_uris = ["http://localhost:8080/login/oauth2/code/"] } } -resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { - service_principal_object_id = azuread_service_principal.resource-server-1.object_id - resource_service_principal_object_id = azuread_service_principal.resource-server-2.object_id - claim_values = ["resource-server-2.scope-1"] -} - resource "azuread_service_principal" "client-1" { application_id = azuread_application.client-1.application_id app_role_assignment_required = false @@ -210,12 +147,6 @@ resource "azuread_service_principal" "resource-server-1" { owners = [data.azuread_client_config.current.object_id] } -resource "azuread_service_principal" "resource-server-2" { - application_id = azuread_application.resource-server-2.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] -} - resource "azuread_application_password" "client-1" { application_object_id = azuread_application.client-1.object_id diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf index 31573b191..0b39fc700 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf 
@@ -10,10 +10,6 @@ output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id } -output "RESOURCE_SERVER_2_CLIENT_ID" { - value = azuread_application.resource-server-2.application_id -} - output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh index 9510b7167..c066af972 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/set_identifier_uris.sh @@ -1,11 +1,8 @@ RESOURCE_SERVER_1_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -RESOURCE_SERVER_2_CLIENT_ID=$(terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) # set identifier_uris echo "----------update identifier-uris for RESOURCE_SERVER_1----------" az ad app update --id $RESOURCE_SERVER_1_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_1_CLIENT_ID -echo "----------update identifier-uris for RESOURCE_SERVER_2----------" -az ad app update --id $RESOURCE_SERVER_2_CLIENT_ID --identifier-uris api://$RESOURCE_SERVER_2_CLIENT_ID echo "----------update identifier-uris completed----------" diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh index 1dfd50028..5d3685978 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh 
@@ -20,7 +20,7 @@ export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output echo "Running apps" -mkdir -p .target +mkdir -p target echo "Running client-----------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & echo "Running resource-server-1-----------" diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf index 7c0b098fd..64a3ec2d7 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf @@ -47,7 +47,7 @@ provider "azuread" { # Configure client-1 resource "azuread_application" "client-1" { - display_name = "client-1" + display_name = "client-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant @@ -81,7 +81,7 @@ resource "azuread_application" "client-1" { # Configure resource-server-2 resource "azuread_application" "resource-server-2" { - display_name = "resource-server-2" + display_name = "resource-server-2-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant @@ -122,7 +122,7 @@ resource "azuread_application" "resource-server-2" { # Configure resource-server-1 resource "azuread_application" "resource-server-1" { - display_name = "resource-server-1" + display_name = "resource-server-1-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant From d45e12eaa73a6b7d301c7113d087807802cd9788 Mon Sep 17 00:00:00 2001 
From: zhihaoguo Date: Thu, 17 Mar 2022 22:41:46 +0800 Subject: [PATCH 20/38] update scripts: add random string for azuread_application --- .../aad-resource-server-by-filter-stateless/terraform/main.tf | 2 +- .../aad-resource-server-by-filter/terraform/main.tf | 2 +- .../aad-web-application-and-resource-server/terraform/main.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 55ac04afe..e82b81e90 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -35,7 +35,7 @@ provider "azuread" { # Configure an app resource "azuread_application" "aadresourceserverbyfilterstateless" { - display_name = "aad-resource-server-by-filter-stateless" + display_name = "aad-resource-server-by-filter-stateless-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] sign_in_audience = "AzureADMultipleOrgs" diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index e63448ee6..33c043d72 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf 
@@ -25,7 +25,7 @@ provider "azuread" { # Configure an app resource "azuread_application" "aadresourceserverbyfilter" { - display_name = "aad-resource-server-by-filter" + display_name = "aad-resource-server-by-filter-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] sign_in_audience = "AzureADMultipleOrgs" diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf index 18dd293e9..056087abe 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf @@ -25,7 +25,7 @@ provider "azuread" { # Configure webapp_resourceserver resource "azuread_application" "webapp_resourceserver" { - display_name = "webapp_resourceserver" + display_name = "webapp_resourceserver-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant From 24899401c9caddd369b8545aab64230482564746 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 22:56:21 +0800 Subject: [PATCH 21/38] unify the username prefix --- .../aad-resource-server-by-filter-stateless/terraform/main.tf | 4 ++-- .../aad-resource-server-by-filter/terraform/main.tf | 4 ++-- .../aad-web-application-and-resource-server/terraform/main.tf | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index e82b81e90..2aafbf01f 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf 
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -102,8 +102,8 @@ data "azuread_domains" "current" { # Create a user resource "azuread_user" "user" { - user_principal_name = "aadresourcestateless-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}" - display_name = "aadresourcestateless-${random_string.random.result}" + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}" + display_name = "security-${random_string.random.result}" password = "Azure123456@" } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index 33c043d72..2d524a179 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf @@ -87,8 +87,8 @@ data "azuread_domains" "current" { # Create a user resource "azuread_user" "user" { - user_principal_name = "aadresourceserverbyfilter-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}" - display_name = "aadresourceserverbyfilter-${random_string.random.result}" + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.current.domains.0.domain_name}" + display_name = "security-${random_string.random.result}" password = "Azure123456@" } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf index 056087abe..a9ffb9e86 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf 
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf @@ -110,7 +110,7 @@ data "azuread_domains" "example" { # Create a user resource "azuread_user" "user" { - user_principal_name = "webapp_resourceserver-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "webapp_resourceserver-${random_string.random.result}" + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "security-${random_string.random.result}" password = "Azure123456@" } From e0bb59fd653c26f4b5d0da969fb968e8149591cd Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 23:12:23 +0800 Subject: [PATCH 22/38] format scripts --- .../terraform/README.md | 8 ++++++++ .../terraform/main.tf | 16 ++++++++-------- .../terraform/outputs.tf | 2 +- .../terraform/set_identifier_uris.sh | 5 ++--- .../terraform/setup_env.sh | 3 ++- .../terraform/README.md | 9 +++++++++ .../terraform/setup_env.sh | 3 ++- .../terraform/README.md | 9 +++++++++ .../terraform/setup_env.sh | 2 +- .../terraform/README.md | 9 +++++++++ .../terraform/setup_env.sh | 2 +- .../spring-cloud-gateway/terraform/setup_env.sh | 1 + .../terraform/setup_env.sh | 1 + .../servlet/oauth2/login/terraform/setup_env.sh | 1 + .../terraform/setup_env.sh | 1 + .../terraform/setup_env.sh | 1 + 16 files changed, 57 insertions(+), 16 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md index 652635460..6c1675672 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md 
@@ -77,6 +77,14 @@ Running the command below to export environment values: ```shell source ./terraform/setup_env.sh +``` +You will see output like below, save this output of `created user` to login. +```shell +... +--------created user-------- +USER_NAME=... +USER_PASSWORD=... + ``` ## Run Locally diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 2aafbf01f..7d563aca9 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -34,7 +34,7 @@ provider "azuread" { } # Configure an app -resource "azuread_application" "aadresourceserverbyfilterstateless" { +resource "azuread_application" "resourceserver" { display_name = "aad-resource-server-by-filter-stateless-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] @@ -75,10 +75,10 @@ resource "azuread_application" "aadresourceserverbyfilterstateless" { app_role { allowed_member_types = ["User"] description = "Normal user access" - display_name = "User" + display_name = "Normal user access" enabled = true id = random_uuid.role-User.result - value = "User" + value = "NormalUserAccess" } web { @@ -89,8 +89,8 @@ resource "azuread_application" "aadresourceserverbyfilterstateless" { } } -resource "azuread_service_principal" "aadresourceserverbyfilterstateless" { - application_id = azuread_application.aadresourceserverbyfilterstateless.application_id +resource "azuread_service_principal" "resourceserver" { + application_id = azuread_application.resourceserver.application_id app_role_assignment_required = false owners = [data.azuread_client_config.current.object_id] } 
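Review bot: In the `@@ -75,10 +75,10 @@` hunk of `azuread_application.resourceserver`, the `app_role` `value` changes from `User` to `NormalUserAccess`; `value` is what is emitted in the token's `roles` claim, so any authorization rule in the sample that matches on the old value would silently stop matching while `azuread_app_role_assignment.user` keeps granting the role. I cannot see the Java side from this diff, so please confirm the role check and README are updated in the same change, or keep `value = "User"` and change only `display_name`. Minor style point: `display_name = "Normal user access"` now duplicates `description` verbatim, whereas the Admin role above (outside the hunk) presumably keeps a short name; a one-word `display_name` such as `NormalUser` reads better in the portal.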
@@ -110,18 +110,18 @@ resource "azuread_user" "user" { resource "azuread_app_role_assignment" "admin" { app_role_id = random_uuid.role-Admin.result principal_object_id = azuread_user.user.object_id - resource_object_id = azuread_service_principal.aadresourceserverbyfilterstateless.object_id + resource_object_id = azuread_service_principal.resourceserver.object_id } resource "azuread_app_role_assignment" "user" { app_role_id = random_uuid.role-User.result principal_object_id = azuread_user.user.object_id - resource_object_id = azuread_service_principal.aadresourceserverbyfilterstateless.object_id + resource_object_id = azuread_service_principal.resourceserver.object_id } resource "null_resource" "set_env" { triggers = { - application_id = azuread_service_principal.aadresourceserverbyfilterstateless.application_id + application_id = azuread_service_principal.resourceserver.application_id } provisioner "local-exec" { diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf index 55b992d57..7b4841b73 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf @@ -4,7 +4,7 @@ output "AZURE_TENANT_ID" { } output "AZURE_CLIENT_ID" { - value = azuread_application.aadresourceserverbyfilterstateless.application_id + value = azuread_application.resourceserver.application_id description = "The application id." } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh index 390f8d5b6..3759b610e 100644 
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/set_identifier_uris.sh @@ -1,7 +1,6 @@ AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID) # set identifier_uris +echo "----------update identifier-uris start----------" az ad app update --id $AZURE_CLIENT_ID --identifier-uris api://$AZURE_CLIENT_ID - - - +echo "----------update identifier-uris completed----------" diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh index 34a42416b..331daba8d 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/setup_env.sh @@ -5,6 +5,7 @@ export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) echo AZURE_CLIENT_ID=${AZURE_CLIENT_ID} echo AZURE_TENANT_ID=${AZURE_TENANT_ID} -echo "------------Created new user------------" + +echo "--------created user--------" echo USER_NAME=${USER_NAME} echo USER_PASSWORD=${USER_PASSWORD} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md index 32f40e06c..f69ae7329 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md 
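Review bot: In `set_identifier_uris.sh` the new banner lines wrap `AZURE_CLIENT_ID=$(terraform output -raw AZURE_CLIENT_ID)` without any failure check, and the hunk starts at line 1 so there is no shebang or `set -e` either; if `terraform output` fails (for example because it is run from the sample root, where the sibling `setup_env.sh` needs `-chdir=./terraform` but this script does not) the script prints "start", runs `az ad app update --id  --identifier-uris api://` with an empty id, and then prints "completed". Add `set -euo pipefail` as the first line after a `#!/usr/bin/env bash` shebang, and quote the expansions: `az ad app update --id "$AZURE_CLIENT_ID" --identifier-uris "api://$AZURE_CLIENT_ID"`. It would also be worth a comment explaining why the identifier URI is set with the CLI rather than via `identifier_uris` in `main.tf`, since the reader otherwise has to guess at the provider limitation being worked around.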
@@ -81,6 +81,15 @@ Running the command below to export environment values: source ./terraform/setup_env.sh ``` +You will see output like below, save this output of `created user` to login. +```shell +... +--------created user-------- +USER_NAME=... +USER_PASSWORD=... + +``` + ## Run Locally In your current terminal, run `mvn clean spring-boot:run`. diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh index beceaae8f..5585b4410 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/setup_env.sh @@ -7,6 +7,7 @@ export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) echo AZURE_CLIENT_ID=${AZURE_CLIENT_ID} echo AZURE_TENANT_ID=${AZURE_TENANT_ID} echo AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} -echo "------------Created new user------------" + +echo "--------created user--------" echo USER_NAME=${USER_NAME} echo USER_PASSWORD=${USER_PASSWORD} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md index 88a451ce4..4b3be6ed6 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md 
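Review bot: Under the new `--------created user--------` banner in `setup_env.sh`, the script still writes `echo USER_PASSWORD=${USER_PASSWORD}` and, a few lines above, `echo AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}` to stdout, which undoes the `sensitive = true` that `outputs.tf` puts on both values: they land in the terminal scrollback and in any CI log or session transcript, and the README text added in this same commit tells the user to save the printed password. Consider printing only the variable names, e.g. `echo "USER_PASSWORD=(exported to environment)"`, and gating the plaintext behind an explicit opt-in such as `[ "${SHOW_SECRETS:-0}" = 1 ] && echo USER_PASSWORD=${USER_PASSWORD}`. A one-line comment at the top of the script noting that it must be sourced from the sample root (because of `-chdir=./terraform`) would also save users the confusing empty-output failure mode.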
@@ -81,6 +81,15 @@ Running the command below to export environment values: source ./terraform/setup_env.sh ``` +You will see output like below, save this output of `created user` to login. +```shell +... +--------created user-------- +USER_NAME=... +USER_PASSWORD=... + +``` + ## Run Locally In your current terminal, run `mvn clean spring-boot:run`. diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh index f13b9f9c4..d1a25e8a9 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh @@ -9,7 +9,7 @@ echo AZURE_TENANT_ID=$AZURE_TENANT_ID echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID echo AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET echo WEB_API_C_APP_ID_URL=$WEB_API_C_APP_ID_URL -echo "--------created user--------" +echo "--------created user--------" echo USER_PRINCIPAL_NAME=$USER_PRINCIPAL_NAME echo USER_PASSWORD=$USER_PASSWORD \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md index f22077ff4..84373916a 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md 
@@ -81,6 +81,15 @@ Running the command below to export environment values: source ./terraform/setup_env.sh ``` +You will see output like below, save this output of `created user` to login. +```shell +... +--------created user-------- +USER_NAME=... +USER_PASSWORD=... + +``` + ## Run Locally In your current terminal, run `mvn clean spring-boot:run`. diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh index b8af182a1..0ce3e1349 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh @@ -48,6 +48,6 @@ echo WEB_API_C_APP_ID_URL=$WEB_API_C_APP_ID_URL # user echo "====================================" -echo "================User================" +echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/setup_env.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/setup_env.sh index 926eb7c26..c91569d95 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/setup_env.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/setup_env.sh @@ -13,6 +13,7 @@ echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET + echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD 
diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh index 926eb7c26..c91569d95 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/setup_env.sh @@ -13,6 +13,7 @@ echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET + echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh index 5f222962d..4b930b047 100644 --- a/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh +++ b/aad/spring-security/servlet/oauth2/login/terraform/setup_env.sh @@ -7,6 +7,7 @@ export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) echo TENANT_ID=$TENANT_ID echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET + echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh index 926eb7c26..c91569d95 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh 
@@ -13,6 +13,7 @@ echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET + echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh index 926eb7c26..c91569d95 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/setup_env.sh @@ -13,6 +13,7 @@ echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET + echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD From 7fe3684a4a52a46af927928d5c81be67bcdad333 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 23:15:14 +0800 Subject: [PATCH 23/38] format markdown --- .../aad-resource-server-by-filter/terraform/README.md | 2 -- .../aad-web-application-and-resource-server/terraform/README.md | 2 -- .../web-client-access-resource-server/terraform/README.md | 2 -- .../reactive/webflux/oauth2/spring-cloud-gateway/README.md | 1 - .../oauth2/client-access-multiple-resource-server/README.md | 1 - .../servlet/oauth2/client-access-resource-server/README.md | 1 - aad/spring-security/servlet/oauth2/login/README.md | 1 - .../README.md | 1 - .../oauth2/resource-server-support-on-behalf-of-flow/README.md | 1 - 9 files changed, 12 deletions(-) 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md index f69ae7329..a912d7139 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md @@ -1,7 +1,5 @@ # Spring Boot application with Azure Active Directory -This guide demonstrates how to provision Azure Resources with terraform. - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md index 4b3be6ed6..8efa6d621 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md @@ -1,7 +1,5 @@ # Spring Boot application with Azure Active Directory -This guide demonstrates how to provision Azure Resources with terraform. - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md index 84373916a..23b2a6705 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md 
@@ -1,7 +1,5 @@ # Spring Boot application with Azure Active Directory -This guide demonstrates how to provision Azure Resources with terraform. - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md index 4754631e9..15a77124a 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md index 4754631e9..15a77124a 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md b/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md index 4754631e9..15a77124a 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-security/servlet/oauth2/login/README.md b/aad/spring-security/servlet/oauth2/login/README.md index 1051444f6..604d24ce3 100644 
--- a/aad/spring-security/servlet/oauth2/login/README.md +++ b/aad/spring-security/servlet/oauth2/login/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md index 4754631e9..15a77124a 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md index 4754631e9..15a77124a 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md @@ -1,6 +1,5 @@ # Spring Boot application with Azure Active Directory - ## What You Need - [An Azure subscription](https://azure.microsoft.com/free/) From a94d755393bf61cd64fec60678f0c985382bb478 Mon Sep 17 00:00:00 2001 
From: zhihaoguo Date: Thu, 17 Mar 2022 23:16:55 +0800 Subject: [PATCH 24/38] format terraform --- .../terraform/main.tf | 6 +++--- .../terraform/outputs.tf | 10 +++++----- .../terraform/main.tf | 8 ++++---- .../terraform/outputs.tf | 14 +++++++------- .../terraform/main.tf | 8 ++++---- .../terraform/outputs.tf | 12 ++++++------ .../oauth2/spring-cloud-gateway/terraform/main.tf | 6 +++--- .../terraform/main.tf | 6 +++--- .../terraform/main.tf | 6 +++--- .../servlet/oauth2/login/terraform/main.tf | 6 +++--- .../terraform/main.tf | 6 +++--- .../terraform/main.tf | 6 +++--- 12 files changed, 47 insertions(+), 47 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 7d563aca9..51e88efe5 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -16,9 +16,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } data "azuread_client_config" "current" {} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf index 7b4841b73..e6a97ea29 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/outputs.tf 
@@ -1,20 +1,20 @@ output "AZURE_TENANT_ID" { - value = data.azuread_client_config.current.tenant_id + value = data.azuread_client_config.current.tenant_id description = "The Azure tenant id." } output "AZURE_CLIENT_ID" { - value = azuread_application.resourceserver.application_id + value = azuread_application.resourceserver.application_id description = "The application id." } output "USER_NAME" { - value = azuread_user.user.user_principal_name + value = azuread_user.user.user_principal_name description = "The user name of the user created by terraform." } output "USER_PASSWORD" { - value = azuread_user.user.password - sensitive = true + value = azuread_user.user.password + sensitive = true description = "The password of the user created by terraform." } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index 2d524a179..c9806f665 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf @@ -12,9 +12,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } data "azuread_client_config" "current" {} @@ -77,7 +77,7 @@ resource "azuread_service_principal" "msgraph" { resource "azuread_service_principal_delegated_permission_grant" "graph" { service_principal_object_id = azuread_service_principal.aadresourceserverbyfilter.object_id resource_service_principal_object_id = azuread_service_principal.msgraph.object_id - claim_values = ["Directory.Read.All","User.Read.All"] + claim_values = ["Directory.Read.All", "User.Read.All"] } # Retrieve domain information 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf index a2abe29fc..4ad7c47c5 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/outputs.tf @@ -1,26 +1,26 @@ output "AZURE_TENANT_ID" { - value = data.azuread_client_config.current.tenant_id + value = data.azuread_client_config.current.tenant_id description = "The Azure tenant id." } output "AZURE_CLIENT_ID" { - value = azuread_application.aadresourceserverbyfilter.application_id + value = azuread_application.aadresourceserverbyfilter.application_id description = "The application id." } output "AZURE_CLIENT_SECRET" { - value = azuread_application_password.aadresourceserverbyfilter.value - sensitive = true + value = azuread_application_password.aadresourceserverbyfilter.value + sensitive = true description = "A secret string the application uses to prove its identity." } output "USER_NAME" { - value = azuread_user.user.user_principal_name + value = azuread_user.user.user_principal_name description = "The user name of the user created by terraform." } output "USER_PASSWORD" { - value = azuread_user.user.password - sensitive = true + value = azuread_user.user.password + sensitive = true description = "The password of the user created by terraform." } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf index a9ffb9e86..07e66bbb9 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf 
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf @@ -12,9 +12,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } data "azuread_client_config" "current" {} @@ -94,7 +94,7 @@ resource "azuread_service_principal" "management" { resource "azuread_service_principal_delegated_permission_grant" "graph" { service_principal_object_id = azuread_service_principal.webapp_resourceserver.object_id resource_service_principal_object_id = azuread_service_principal.msgraph.object_id - claim_values = ["Directory.Read.All","User.Read"] + claim_values = ["Directory.Read.All", "User.Read"] } resource "azuread_service_principal_delegated_permission_grant" "management" { diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf index 925977ece..a8c882aa0 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf 
@@ -1,25 +1,25 @@ output "AZURE_TENANT_ID" { - value = data.azuread_client_config.current.tenant_id + value = data.azuread_client_config.current.tenant_id description = "The Azure tenant id." } output "AZURE_CLIENT_ID" { - value = azuread_application.webapp_resourceserver.application_id + value = azuread_application.webapp_resourceserver.application_id description = "The application id." } output "AZURE_CLIENT_SECRET" { - value = azuread_application_password.webapp_resourceserver.value + value = azuread_application_password.webapp_resourceserver.value sensitive = true } output "USER_PASSWORD" { - value = azuread_user.user.password - sensitive = true + value = azuread_user.user.password + sensitive = true description = "The password of the user created by terraform." } output "USER_PRINCIPAL_NAME" { - value = azuread_user.user.user_principal_name + value = azuread_user.user.user_principal_name description = "The user name of the user created by terraform." } diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf index 7c0b098fd..ef1444f83 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf @@ -16,9 +16,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } resource "random_uuid" "resource-server-1-scope-1" { diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf index 64a3ec2d7..303051316 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf 
+++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf @@ -16,9 +16,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } resource "random_uuid" "resource-server-1-scope-1" { diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf index aeec35560..9a9267328 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf @@ -16,9 +16,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } resource "random_uuid" "resource-server-1-scope-1" { diff --git a/aad/spring-security/servlet/oauth2/login/terraform/main.tf b/aad/spring-security/servlet/oauth2/login/terraform/main.tf index 1523fc071..accb58345 100644 --- a/aad/spring-security/servlet/oauth2/login/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/login/terraform/main.tf @@ -8,9 +8,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } data "azuread_client_config" "current" {} diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf index 241bde605..3b1e7b66b 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf 
@@ -16,9 +16,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } resource "random_uuid" "resource-server-1-scope-1" { diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf index 64a3ec2d7..303051316 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf @@ -16,9 +16,9 @@ terraform { } resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false + length = 5 + min_lower = 5 + special = false } resource "random_uuid" "resource-server-1-scope-1" { From ba8f3dd2151f856601a8cdf81a856ef1a045da36 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 23:18:17 +0800 Subject: [PATCH 25/38] unify user_principal_name --- .../web-client-access-resource-server/terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf index abcb6a800..f8b4304d9 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf 
@@ -307,8 +307,8 @@ data "azuread_domains" "example" { # Create a user resource "azuread_user" "user" { - user_principal_name = "webapp-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "webapp-${random_string.random.result}" + user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" + display_name = "security-${random_string.random.result}" password = "Azure123456@" } From aa9c347bd57250be2e2522adb8055f4e738a6d29 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 23:24:51 +0800 Subject: [PATCH 26/38] add description for terraform --- .../terraform/outputs.tf | 1 + .../terraform/outputs.tf | 18 +++++++++++------- .../spring-cloud-gateway/terraform/outputs.tf | 8 ++++++++ .../terraform/outputs.tf | 8 ++++++++ .../terraform/outputs.tf | 7 +++++++ .../servlet/oauth2/login/terraform/outputs.tf | 7 +++++-- .../terraform/outputs.tf | 7 +++++++ .../terraform/outputs.tf | 8 ++++++++ 8 files changed, 55 insertions(+), 9 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf index a8c882aa0..c2db4eacb 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf @@ -11,6 +11,7 @@ output "AZURE_CLIENT_ID" { output "AZURE_CLIENT_SECRET" { value = azuread_application_password.webapp_resourceserver.value sensitive = true + description = "A secret string the application uses to prove its identity." } output "USER_PASSWORD" { 
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf index 57f2b0f22..2149e144a 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/outputs.tf @@ -1,12 +1,12 @@ output "AZURE_TENANT_ID" { value = data.azuread_client_config.current.tenant_id - description = "The application id." + description = "The tenant id." } # ------WEB_APP------ output "AZURE_CLIENT_ID" { value = azuread_application.webapp.application_id - description = "The application id." + description = "The application id of web app." } output "AZURE_CLIENT_SECRET" { 
@@ -18,31 +18,35 @@ output "AZURE_CLIENT_SECRET" { # ------WebApiA------ output "WEB_API_A_CLIENT_ID" { value = azuread_application.webApiA.application_id + description = "The application id of WebApiA." } output "WEB_API_A_CLIENT_SECRET" { value = azuread_application_password.webApiA.value sensitive = true + description = "The client secret of WebApiA." } # ------WebApiB------ output "WEB_API_B_CLIENT_ID" { value = azuread_application.webApiB.application_id + description = "The application id of WebApiB." } # ------WebApiC------ output "WEB_API_C_CLIENT_ID" { value = azuread_application.webApiC.application_id + description = "The application id of WebApiC." } # ------User------ +output "USER_NAME" { + value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." +} + output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true description = "The password of the user created by terraform." } - -output "USER_NAME" { - value = azuread_user.user.user_principal_name - description = "The user name of the user created by terraform." -} \ No newline at end of file diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/outputs.tf b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/outputs.tf index 31573b191..b985e3d70 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/outputs.tf +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/outputs.tf 
@@ -1,34 +1,42 @@ output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id + description = "The tenant id." } output "CLIENT_1_CLIENT_ID" { value = azuread_application.client-1.application_id + description = "The application id of web app." } output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id + description = "The application id of resource server 1." } output "RESOURCE_SERVER_2_CLIENT_ID" { value = azuread_application.resource-server-2.application_id + description = "The application id of resource server 2." } output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true + description = "The client secret of web app." } output "RESOURCE_SERVER_1_CLIENT_SECRET" { value = azuread_application_password.resource-server-1.value sensitive = true + description = "The client secret of resource server 1." } output "USER_NAME" { value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." } output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true + description = "The password of the user created by terraform." } diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf index 31573b191..b985e3d70 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/outputs.tf 
@@ -1,34 +1,42 @@ output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id + description = "The tenant id." } output "CLIENT_1_CLIENT_ID" { value = azuread_application.client-1.application_id + description = "The application id of web app." } output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id + description = "The application id of resource server 1." } output "RESOURCE_SERVER_2_CLIENT_ID" { value = azuread_application.resource-server-2.application_id + description = "The application id of resource server 2." } output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true + description = "The client secret of web app." } output "RESOURCE_SERVER_1_CLIENT_SECRET" { value = azuread_application_password.resource-server-1.value sensitive = true + description = "The client secret of resource server 1." } output "USER_NAME" { value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." } output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true + description = "The password of the user created by terraform." } diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf index 0b39fc700..64a2a45b7 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/outputs.tf 
@@ -1,30 +1,37 @@ output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id + description = "The tenant id." } output "CLIENT_1_CLIENT_ID" { value = azuread_application.client-1.application_id + description = "The application id of web app." } output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id + description = "The application id of resource server 1." } output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true + description = "The client secret of web app." } output "RESOURCE_SERVER_1_CLIENT_SECRET" { value = azuread_application_password.resource-server-1.value sensitive = true + description = "The client secret of resource server 1." } output "USER_NAME" { value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." } output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true + description = "The password of the user created by terraform." } diff --git a/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf index edbed2964..85ae482fc 100644 --- a/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/login/terraform/outputs.tf 
@@ -1,23 +1,26 @@ output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id + description = "The tenant id." } output "CLIENT_1_CLIENT_ID" { value = azuread_application.client-1.application_id + description = "The application id of web app." } - output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true + description = "The client secret of web app." } - output "USER_NAME" { value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." } output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true + description = "The password of the user created by terraform." } diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf index 0b39fc700..64a2a45b7 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/outputs.tf 
@@ -1,30 +1,37 @@ output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id + description = "The tenant id." } output "CLIENT_1_CLIENT_ID" { value = azuread_application.client-1.application_id + description = "The application id of web app." } output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id + description = "The application id of resource server 1." } output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true + description = "The client secret of web app." } output "RESOURCE_SERVER_1_CLIENT_SECRET" { value = azuread_application_password.resource-server-1.value sensitive = true + description = "The client secret of resource server 1." } output "USER_NAME" { value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." } output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true + description = "The password of the user created by terraform." } diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf index 31573b191..b985e3d70 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/outputs.tf 
@@ -1,34 +1,42 @@ output "TENANT_ID" { value = data.azuread_client_config.current.tenant_id + description = "The tenant id." } output "CLIENT_1_CLIENT_ID" { value = azuread_application.client-1.application_id + description = "The application id of web app." } output "RESOURCE_SERVER_1_CLIENT_ID" { value = azuread_application.resource-server-1.application_id + description = "The application id of resource server 1." } output "RESOURCE_SERVER_2_CLIENT_ID" { value = azuread_application.resource-server-2.application_id + description = "The application id of resource server 2." } output "CLIENT_1_CLIENT_SECRET" { value = azuread_application_password.client-1.value sensitive = true + description = "The client secret of web app." } output "RESOURCE_SERVER_1_CLIENT_SECRET" { value = azuread_application_password.resource-server-1.value sensitive = true + description = "The client secret of resource server 1." } output "USER_NAME" { value = azuread_user.user.user_principal_name + description = "The user name of the user created by terraform." } output "USER_PASSWORD" { value = azuread_user.user.password sensitive = true + description = "The password of the user created by terraform." } From 551f40aabeec7f16d261eae3aa84e36e893b3673 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 23:28:01 +0800 Subject: [PATCH 27/38] update readme.md --- .../terraform/README.md | 2 +- .../terraform/README.md | 2 +- .../terraform/README.md | 2 +- .../README.md | 4 +- .../terraform/README.md | 112 ------------------ 5 files changed, 4 insertions(+), 118 deletions(-) delete mode 100644 aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md index 6c1675672..5142c6288 100644 
--- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# In the specific sample's directory, where contains pom.xml. +# In the root directory of aad-resource-server-by-filter-stateless # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md index a912d7139..67fc89344 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# In the specific sample's directory, where contains pom.xml. +# In the root directory of aad-resource-server-by-filter # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md index 8efa6d621..fc70d8166 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md 
@@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# In the root directory of the sample +# In the root directory of aad-web-application-and-resource-server # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md index 15a77124a..6a558bf20 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# Into the directory of client-access-multiple-resource-server +# Into the directory of web-client-access-resource-server # Initialize your Terraform configuration terraform -chdir=./terraform init @@ -87,8 +87,6 @@ In your current terminal, run `source run_all.sh`. source run_all.sh ``` -## Verify This Sample - ## Clean Up Resources After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md deleted file mode 100644 index 23b2a6705..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/README.md +++ /dev/null 
@@ -1,112 +0,0 @@ -# Spring Boot application with Azure Active Directory - -## What You Need - -- [An Azure subscription](https://azure.microsoft.com/free/) -- [Terraform](https://www.terraform.io/) -- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) -- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later -- Maven -- You can also import the code straight into your IDE: - - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) - -## Provision Azure Resources Required to Run This Sample - -### Authenticate Using the Azure CLI -Terraform must authenticate to Azure to create infrastructure. - -In your terminal, use the Azure CLI tool to setup your account permissions locally. - -```shell -az login --tenant [your-tenant] --allow-no-subscriptions -``` - -Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. - -```shell -You have logged in. Now let us find all the subscriptions to which you have access... - -[ - { - "cloudName": "AzureCloud", - "homeTenantId": "home-Tenant-Id", - "id": "subscription-id", - "isDefault": true, - "managedByTenants": [], - "name": "Subscription-Name", - "state": "Enabled", - "tenantId": "0envbwi39-TenantId", - "user": { - "name": "your-username@domain.com", - "type": "user" - } - } -] -``` - -### Provision the Resources - -After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. - -#### Run with Bash - -```shell -# In the specific sample's directory, where contains pom.xml. -# Initialize your Terraform configuration -terraform -chdir=./terraform init - -# Apply your Terraform Configuration -terraform -chdir=./terraform apply -auto-approve - -``` - -It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: - -```shell -... -Apply complete! Resources: * added, * changed, * destroyed. - -``` - -You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. - -### Export Output to Your Local Environment -Running the command below to export environment values: - -#### Run with Bash - -```shell -source ./terraform/setup_env.sh -``` - -You will see output like below, save this output of `created user` to login. -```shell -... ---------created user-------- -USER_NAME=... -USER_PASSWORD=... - -``` - -## Run Locally - -In your current terminal, run `mvn clean spring-boot:run`. - -```shell -mvn clean spring-boot:run -``` - -## Verify This Sample - - -## Clean Up Resources -After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. - -The terraform destroy command terminates resources managed by your Terraform project. -To destroy the resources you created. - -#### Run with Bash - -```shell -terraform -chdir=./terraform destroy -auto-approve -``` From 3bd0d95f50aa5e703041387b62e58fcad425ee69 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Thu, 17 Mar 2022 23:59:09 +0800 Subject: [PATCH 28/38] update run_all.sh and README.md --- .../run_all.sh | 44 ++++++++++++++++--- .../terraform/setup_env.sh | 2 +- .../oauth2/spring-cloud-gateway/README.md | 2 +- .../oauth2/spring-cloud-gateway/run_all.sh | 34 ++++++++++++-- .../run_all.sh | 2 + .../client-access-resource-server/run_all.sh | 2 + .../run_all.sh | 2 + .../run_all.sh | 1 + 8 files changed, 78 insertions(+), 11 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh index d59b3cfa7..adfd9a3e5 100644 
--- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh 
@@ -1,11 +1,45 @@ #!/usr/bin/env bash -mvn clean package spring-boot:repackage -DskipTests - -# aad-resource-server 8082 -# aad-resource-server 8081 -# aad-web-application 8080 kill -9 $(lsof -t -i tcp:8080) kill -9 $(lsof -t -i tcp:8081) kill -9 $(lsof -t -i tcp:8082) +mvn clean package spring-boot:repackage -DskipTests -f ../../../pom.xml -pl \ +com.azure.spring:spring-cloud-azure-starter-active-directory-resource-server,\ +com.azure.spring:spring-cloud-azure-starter-active-directory-resource-server-obo,\ +com.azure.spring:spring-cloud-azure-starter-active-directory-webapp + +export terraform_path="./terraform" +export AZURE_TENANT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_TENANT_ID) +export AZURE_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_CLIENT_ID) +export AZURE_CLIENT_SECRET=$(terraform -chdir=$terraformpath output -raw AZURE_CLIENT_SECRET) +export WEB_API_A_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_A_CLIENT_ID) +export WEB_API_A_CLIENT_SECRET=$(terraform -chdir=$terraformpath output -raw WEB_API_A_CLIENT_SECRET) +export WEB_API_A_APP_ID_URL=api://$WEB_API_A_CLIENT_ID +export WEB_API_B_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_B_CLIENT_ID) +export WEB_API_B_APP_ID_URL=api://$WEB_API_B_CLIENT_ID +export WEB_API_C_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_C_CLIENT_ID) +export WEB_API_C_APP_ID_URL=api://$WEB_API_C_CLIENT_ID + + +echo "Running apps" +mkdir -p target +echo "Running aad-resource-server-----------" +nohup java -jar aad-resource-server/target/*.jar > target/aad-resource-server.log 2>&1 & +sleep 3 +echo "Running aad-resource-server-obo-----------" +nohup java -jar aad-resource-server-obo/target/*.jar > target/aad-resource-server-obo.log 2>&1 & +sleep 3 +echo "Running aad-web-application-----------" +nohup java -jar aad-web-application/target/*.jar > target/aad-web-application.log 2>&1 & +sleep 3 +echo "All apps started, please check target folder for 
logs." +echo "You can use the user info below to login." +echo "--------created user--------" +# user +export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) +echo USER_NAME=$USER_NAME +echo USER_PASSWORD=$USER_PASSWORD +echo "Now you should be able to open browser to access http://localhost:8080 with user above." +echo "If you encounter some errors, please refer to target folder for app logs ." diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh index 0ce3e1349..b1043dda0 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/setup_env.sh @@ -1,4 +1,4 @@ -terraformpath=`pwd` +terraformpath=./terraform export AZURE_TENANT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_TENANT_ID) # WEB_APP diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md index 15a77124a..15d498031 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# Into the directory of client-access-multiple-resource-server +# Into the directory of spring-cloud-gateway # Initialize your Terraform configuration terraform -chdir=./terraform init 
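Review bot: The new block assigns `terraform_path` but the first nine `terraform -chdir=$terraformpath output -raw …` lines read the undefined `terraformpath`, so `-chdir=` is empty and AZURE_TENANT_ID, AZURE_CLIENT_SECRET, WEB_API_A_CLIENT_SECRET and the app-id URLs will be empty (or the command will fail) while the USER_NAME/USER_PASSWORD lines further down, which use `$terraform_path`, will work; either rename the variable consistently (`export terraform_path="./terraform"` plus `-chdir=$terraform_path` on every line, as setup_env.sh does with `terraformpath=./terraform`) or guard the script with `set -u` so the typo fails loudly instead of starting the apps with blank credentials. Separately, `echo USER_PASSWORD=$USER_PASSWORD` writes the test user's password to stdout, where it persists in terminal scrollback and in any log that captures the script's output; since the value is already exported, printing only the name and pointing at `terraform output -raw USER_PASSWORD` would avoid that, and the same applies to the exported client secrets if this script is ever run with `set -x`. The `kill -9 $(lsof -t -i tcp:808x)` lines also kill whatever process owns those ports, not just a previous run of these samples, which is worth a comment for anyone running this on a shared machine.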
diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh index 9acda0d8f..e5e9f483b 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh +++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/run_all.sh @@ -1,6 +1,17 @@ #!/usr/bin/env bash -export terraform_path="../../../../terraform" +kill -9 $(lsof -t -i tcp:8080) +kill -9 $(lsof -t -i tcp:8081) +kill -9 $(lsof -t -i tcp:8082) +kill -9 $(lsof -t -i tcp:8083) + +mvn clean package spring-boot:repackage -DskipTests -f ../../../../pom.xml -pl \ +com.azure.spring:spring-security-sample-reactive-webflux-oauth2-spring-cloud-gateway-client-application,\ +com.azure.spring:spring-security-sample-reactive-webflux-oauth2-spring-cloud-gateway-gateway-application,\ +com.azure.spring:spring-security-sample-reactive-webflux-oauth2-spring-cloud-gateway-resource-server-1-application,\ +com.azure.spring:spring-security-sample-reactive-webflux-oauth2-spring-cloud-gateway-resource-server-2-application + +export terraform_path="./terraform" export TENANT_ID=$(terraform -chdir=$terraform_path output -raw TENANT_ID) export CLIENT_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_ID) 
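Review bot: Nothing stops the script after the new `mvn clean package … -pl …` invocation fails, because there is no `set -e` and the exit status is not checked, so a failed build falls through to the `java -jar …/target/*.jar` lines below and silently launches whatever stale jars are left from an earlier run; add `|| { echo "build failed"; exit 1; }` after the mvn command (with `set -e` alone the preceding `kill -9 $(lsof …)` lines would abort the script whenever a port is free, since `kill -9` with no PID returns non-zero). The four `kill -9 $(lsof -t -i tcp:808x)` lines also terminate any process listening on those ports, not only a previous sample run, so a one-line comment stating that assumption would help someone running this on a shared host.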
@@ -8,14 +19,29 @@ export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=$terraform_path output -ra export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_2_CLIENT_ID) export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw CLIENT_1_CLIENT_SECRET) export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=$terraform_path output -raw RESOURCE_SERVER_1_CLIENT_SECRET) +export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) +export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) -echo "Running apps" +echo "--------Running apps--------" mkdir -p target +sleep 3 +echo "--------Running client--------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & +sleep 3 +echo "--------Running gateway--------" nohup java -jar gateway/target/*.jar > target/gateway.log 2>&1 & +sleep 3 +echo "--------Running resource-server-1--------" nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & +sleep 3 +echo "--------Running resource-server-2--------" nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & -echo "All apps started, please check target folder for logs." -tail -f target/client.log -f target/gateway.log -f target/resource-server-1.log -f target/resource-server-2.log +echo "All apps started, please check target folder for logs." +echo "You can use the user info below to login." +echo "--------created user--------" +echo USER_NAME=$USER_NAME +echo USER_PASSWORD=$USER_PASSWORD +echo "Now you should be able to open browser to access http://localhost:8080 with user above." +echo "If you encounter some errors, please refer to target folder for app logs ." \ No newline at end of file diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh index 6f33266b8..bc27ec9de 100644 
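Review bot: `echo USER_PASSWORD=$USER_PASSWORD` prints the provisioned Azure AD user's password in clear text, which then sits in terminal history and in any CI or screen-recording log that captures stdout, even though Terraform marks that output `sensitive = true`. The variable is already exported for the apps, so the line can be replaced with `echo "USER_PASSWORD is exported; run 'terraform -chdir=$terraform_path output -raw USER_PASSWORD' to view it"` and still be usable for the manual login the following echo describes. The removed `tail -f` was the only thing keeping the script attached to the four `nohup java` processes; a comment noting that the apps keep running after the script returns and must be stopped via the port-kill lines at the top would avoid surprising users.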
--- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh @@ -31,3 +31,5 @@ echo "You can use the user info below to login." echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD +echo "Now you should be able to open browser to access http://localhost:8080 with user above." +echo "If you encounter some errors, please refer to target folder for app logs ." \ No newline at end of file diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh index 9f0a63855..0bb71fa61 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh @@ -30,3 +30,5 @@ echo "You can use the user info below to login." echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD +echo "Now you should be able to open browser to access http://localhost:8080 with user above." +echo "If you encounter some errors, please refer to target folder for app logs ." \ No newline at end of file diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh index 8800315d6..5c2c7965f 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/run_all.sh 
@@ -29,3 +29,5 @@ export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD +echo "Now you should be able to open browser to access http://localhost:8080 with user above." +echo "If you encounter some errors, please refer to target folder for app logs ." \ No newline at end of file diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh index 5d3685978..0c38220d7 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/run_all.sh @@ -36,3 +36,4 @@ export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME) export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD) echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD +echo "Now you should be able to open browser to access http://localhost:8080 with user above." From 6c742a52c3a996b246beea1343b826925f89554d Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 18 Mar 2022 00:01:28 +0800 Subject: [PATCH 29/38] update README.md --- .../aad-resource-server-by-filter/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/README.md index bd715a230..40f31e599 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/README.md 
@@ -26,7 +26,10 @@ To run this sample, you'll need: #### Note - If you are not the admin, you need consent from your admin for the the `Directory.Read.All` permission. For details see [Directory Permissions](https://docs.microsoft.com/graph/permissions-reference#directory-permissions) -## Examples +## Running Sample With Terraform +Please refer to [README.md](terraform/README.md) if you want to start the sample with Terraform in just a few steps. + +## Running Sample Step by Step ### Step 1: Clone or download this repository From d26cc4169d47cf26c3f20438c345ea0a1ee6a52d Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 18 Mar 2022 01:09:47 +0800 Subject: [PATCH 30/38] scripts update --- .../terraform/README.md | 6 +++-- .../terraform/main.tf | 23 ++++--------------- .../terraform/README.md | 2 +- .../run_all.sh | 15 ++++++------ .../run_all.sh | 8 ++++++- .../client-access-resource-server/README.md | 2 +- .../servlet/oauth2/login/README.md | 2 +- .../README.md | 2 +- .../terraform/main.tf | 6 +++++ .../README.md | 2 +- .../terraform/main.tf | 3 ++- 11 files changed, 35 insertions(+), 36 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md index 5142c6288..628dd4780 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/README.md @@ -78,9 +78,11 @@ Running the command below to export environment values: ```shell source ./terraform/setup_env.sh ``` -You will see output like below, save this output of `created user` to login. +You will see output like below, save this output to use later. ```shell -... + +AZURE_CLIENT_ID=... +AZURE_TENANT_ID=... --------created user-------- USER_NAME=... USER_PASSWORD=... 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 51e88efe5..5d332225b 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -23,10 +23,10 @@ resource "random_string" "random" { data "azuread_client_config" "current" {} -resource "random_uuid" "role-Admin" { +resource "random_uuid" "role-admin" { } -resource "random_uuid" "role-User" { +resource "random_uuid" "role-user" { } # Configure the Azure Active Directory Provider @@ -68,19 +68,10 @@ resource "azuread_application" "resourceserver" { description = "Full admin access" display_name = "Admin" enabled = true - id = random_uuid.role-Admin.result + id = random_uuid.role-admin.result value = "Admin" } - app_role { - allowed_member_types = ["User"] - description = "Normal user access" - display_name = "Normal user access" - enabled = true - id = random_uuid.role-User.result - value = "NormalUserAccess" - } - web { implicit_grant { access_token_issuance_enabled = true @@ -108,13 +99,7 @@ resource "azuread_user" "user" { } resource "azuread_app_role_assignment" "admin" { - app_role_id = random_uuid.role-Admin.result - principal_object_id = azuread_user.user.object_id - resource_object_id = azuread_service_principal.resourceserver.object_id -} - -resource "azuread_app_role_assignment" "user" { - app_role_id = random_uuid.role-User.result + app_role_id = random_uuid.role-admin.result principal_object_id = azuread_user.user.object_id resource_object_id = azuread_service_principal.resourceserver.object_id } 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md index fc70d8166..d2ea25b9a 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md @@ -97,7 +97,7 @@ mvn clean spring-boot:run ``` ## Verify This Sample - +Now you should be able to open browser to access http://localhost:8080 with the saved user information. ## Clean Up Resources After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh index adfd9a3e5..6d5db486e 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh 
@@ -9,16 +9,15 @@ com.azure.spring:spring-cloud-azure-starter-active-directory-resource-server,\ com.azure.spring:spring-cloud-azure-starter-active-directory-resource-server-obo,\ com.azure.spring:spring-cloud-azure-starter-active-directory-webapp -export terraform_path="./terraform" -export AZURE_TENANT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_TENANT_ID) -export AZURE_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw AZURE_CLIENT_ID) -export AZURE_CLIENT_SECRET=$(terraform -chdir=$terraformpath output -raw AZURE_CLIENT_SECRET) -export WEB_API_A_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_A_CLIENT_ID) -export WEB_API_A_CLIENT_SECRET=$(terraform -chdir=$terraformpath output -raw WEB_API_A_CLIENT_SECRET) +export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) +export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) +export AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) +export WEB_API_A_CLIENT_ID=$(terraform -chdir=./terraform output -raw WEB_API_A_CLIENT_ID) +export WEB_API_A_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw WEB_API_A_CLIENT_SECRET) export WEB_API_A_APP_ID_URL=api://$WEB_API_A_CLIENT_ID -export WEB_API_B_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_B_CLIENT_ID) +export WEB_API_B_CLIENT_ID=$(terraform -chdir=./terraform output -raw WEB_API_B_CLIENT_ID) export WEB_API_B_APP_ID_URL=api://$WEB_API_B_CLIENT_ID -export WEB_API_C_CLIENT_ID=$(terraform -chdir=$terraformpath output -raw WEB_API_C_CLIENT_ID) +export WEB_API_C_CLIENT_ID=$(terraform -chdir=./terraform output -raw WEB_API_C_CLIENT_ID) export WEB_API_C_APP_ID_URL=api://$WEB_API_C_CLIENT_ID diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh index bc27ec9de..1a6086382 100644 
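Review bot: Every `export VAR=$(terraform -chdir=./terraform output -raw …)` line in this hunk still exits 0 when `terraform output` fails, because `export` masks the exit status of the command substitution, so an un-applied or missing state silently exports empty `AZURE_CLIENT_SECRET` and `WEB_API_A_CLIENT_SECRET` values and the apps are started with blank credentials. Assign first and export afterwards, e.g. `AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) || exit 1` followed by `export AZURE_CLIENT_SECRET`, or at least check `[ -n "$AZURE_CLIENT_SECRET" ]` before continuing. Inlining `./terraform` seven times also discards the single definition the removed `terraform_path` variable was meant to provide; the original defect appears to have been the misspelt `$terraformpath` reference, so a quoted `terraform_path="./terraform"` used as `-chdir="$terraform_path"` would fix it without the repetition. The script header, including any `set -e` options, is outside the hunk.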
--- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh @@ -22,10 +22,16 @@ export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWO echo "--------Running apps--------" mkdir -p target +sleep 3 +echo "--------Running client--------" nohup java -jar client/target/*.jar > target/client.log 2>&1 & +sleep 3 +echo "--------resource-server-1--------" nohup java -jar resource-server-1/target/*.jar > target/resource-server-1.log 2>&1 & +sleep 3 +echo "--------resource-server-2--------" nohup java -jar resource-server-2/target/*.jar > target/resource-server-2.log 2>&1 & -sleep 10 +sleep 3 echo "All apps started, please check target folder for logs." echo "You can use the user info below to login." echo "--------created user--------" diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md b/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md index 15a77124a..d5d5b2ede 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# Into the directory of client-access-multiple-resource-server +# Into the directory of client-access-resource-server # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-security/servlet/oauth2/login/README.md b/aad/spring-security/servlet/oauth2/login/README.md index 604d24ce3..dccdee41b 100644 --- a/aad/spring-security/servlet/oauth2/login/README.md +++ b/aad/spring-security/servlet/oauth2/login/README.md 
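Review bot: The `sleep 3` pauses inserted before each `nohup java -jar` line and the shortened trailing `sleep 3` do not establish that any app is actually listening, so `echo "All apps started, please check target folder for logs."` and the login instructions can be printed while the Spring Boot processes are still booting or have already exited, while the fixed delays add nine seconds on machines that need none. Polling readiness is more reliable, e.g. replacing the final `sleep 3` with `until curl -sf http://localhost:8080 >/dev/null; do sleep 1; done` (port taken from the sample's configuration), or at minimum checking `jobs -p` for processes that have already died before printing the success message. The new labels are also inconsistent (`--------Running client--------` versus `--------resource-server-1--------`); `--------Running resource-server-1--------` would match. The `USER_PASSWORD` export at the top of the hunk belongs to a run of lines that starts outside it.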
@@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# Into the directory of client-access-multiple-resource-server +# Into the directory of login # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md index 15a77124a..b4796a3b5 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# Into the directory of client-access-multiple-resource-server +# Into the directory of resource-server-check-permissions-by-claims-in-access-token # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf index 3b1e7b66b..cf369f13d 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf 
@@ -169,6 +169,12 @@ resource "azuread_user" "user" { password = "Azure123456@" } +resource "azuread_service_principal_delegated_permission_grant" "resource-server-1" { + service_principal_object_id = azuread_service_principal.client-1.object_id + resource_service_principal_object_id = azuread_service_principal.resource-server-1.object_id + claim_values = ["resource-server-1.scope-1"] +} + resource "null_resource" "set_env" { triggers = { application_id = azuread_service_principal.resource-server-1.application_id diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md index 15a77124a..3a4c28593 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/README.md @@ -51,7 +51,7 @@ After login Azure CLI with your account, now you can use the terraform script to #### Run with Bash ```shell -# Into the directory of client-access-multiple-resource-server +# Into the directory of resource-server-support-on-behalf-of-flow # Initialize your Terraform configuration terraform -chdir=./terraform init diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf index 303051316..6938a858e 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf 
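Review bot: The new `azuread_service_principal_delegated_permission_grant` omits `user_object_id`, which makes it a tenant-wide (all-principals) admin consent for `resource-server-1.scope-1` rather than consent scoped to the test user created directly above it, so applying it requires a tenant administrator and grants every user in the tenant that scope through `client-1`. Since the module creates its own `azuread_user.user`, adding `user_object_id = azuread_user.user.object_id` confines the grant to that account; if tenant-wide consent is intended, say so with a comment such as `# Tenant-wide admin consent: every user may delegate scope-1 to client-1; needs a privileged admin to apply`. The context line `password = "Azure123456@"` shows the test user's password fixed in the module; it is unchanged by this commit, but a `random_password` resource (if the module already uses the `random` provider, as sibling samples do) would avoid the same well-known credential being created in every deployment of the sample.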
@@ -240,7 +240,8 @@ resource "azuread_user" "user" { resource "null_resource" "set_env" { triggers = { - application_id = azuread_service_principal.resource-server-1.application_id + application_id_1 = azuread_service_principal.resource-server-1.application_id + application_id_2 = azuread_service_principal.resource-server-2.application_id } provisioner "local-exec" { From 43d80eb2781d9a9fef9ddde9c72b2035cb774423 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 18 Mar 2022 01:29:22 +0800 Subject: [PATCH 31/38] scripts update, small fix --- .../terraform/main.tf | 4 +--- .../aad-resource-server-by-filter/terraform/main.tf | 2 +- .../web-client-access-resource-server/terraform/main.tf | 4 +--- .../webflux/oauth2/spring-cloud-gateway/terraform/main.tf | 4 +--- .../client-access-multiple-resource-server/terraform/main.tf | 4 +--- .../oauth2/client-access-resource-server/terraform/main.tf | 4 +--- .../terraform/main.tf | 4 +--- .../terraform/setup_env.sh | 2 -- .../terraform/main.tf | 5 +---- 9 files changed, 8 insertions(+), 25 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index 5d332225b..e47fbfdc9 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -105,9 +105,7 @@ resource "azuread_app_role_assignment" "admin" { } resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.resourceserver.application_id - } + depends_on = [azuread_service_principal.resourceserver] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" 
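Review bot: Replacing `triggers` with `depends_on` changes when `set_env`'s `local-exec` runs: a `null_resource` is only re-created when its `triggers` change, so with `depends_on` alone the `set_identifier_uris.sh` provisioner runs once at the first apply and will not run again if the service principal is replaced and receives a new `application_id`, leaving stale identifier URIs with no plan diff to reveal it. Keeping the trigger preserves both the ordering and the re-run: `triggers = { application_id = azuread_service_principal.resourceserver.application_id }` (the attribute reference already implies the dependency). The same replacement appears in this commit's hunks for web-client-access-resource-server, spring-cloud-gateway, client-access-multiple-resource-server, client-access-resource-server, resource-server-check-permissions-by-claims-in-access-token and resource-server-support-on-behalf-of-flow; in the last of these the removed triggers referenced both resource-server-1 and resource-server-2 while the new `depends_on` lists only resource-server-2, so if `set_identifier_uris.sh` also updates resource-server-1 that ordering guarantee is lost. The `null_resource` block continues past the hunk.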
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index c9806f665..e2d89119f 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf @@ -73,8 +73,8 @@ resource "azuread_service_principal" "msgraph" { use_existing = true } - resource "azuread_service_principal_delegated_permission_grant" "graph" { + service_principal_object_id = azuread_service_principal.aadresourceserverbyfilter.object_id resource_service_principal_object_id = azuread_service_principal.msgraph.object_id claim_values = ["Directory.Read.All", "User.Read.All"] diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf index f8b4304d9..bbf38dd2b 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf @@ -320,9 +320,7 @@ resource "azuread_app_role_assignment" "webApiB_User" { } resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.webApiC.application_id - } + depends_on = [azuread_service_principal.webApiC] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" diff --git a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf index ef1444f83..9a8727317 100644 --- a/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf 
+++ b/aad/spring-security/reactive/webflux/oauth2/spring-cloud-gateway/terraform/main.tf @@ -239,9 +239,7 @@ resource "azuread_user" "user" { } resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.resource-server-1.application_id - } + depends_on = [azuread_service_principal.resource-server-1] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf index 303051316..d7b683eef 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/terraform/main.tf @@ -239,9 +239,7 @@ resource "azuread_user" "user" { } resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.resource-server-1.application_id - } + depends_on = [azuread_service_principal.resource-server-1] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf index 9a9267328..1b49147a4 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/terraform/main.tf @@ -170,9 +170,7 @@ resource "azuread_user" "user" { } resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.resource-server-1.application_id - } + depends_on = [azuread_service_principal.resource-server-1] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" 
diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf index cf369f13d..42bdec289 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/main.tf @@ -176,9 +176,7 @@ resource "azuread_service_principal_delegated_permission_grant" "resource-server } resource "null_resource" "set_env" { - triggers = { - application_id = azuread_service_principal.resource-server-1.application_id - } + depends_on = [azuread_service_principal.resource-server-1] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" diff --git a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh index c91569d95..40f0e64da 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh +++ b/aad/spring-security/servlet/oauth2/resource-server-check-permissions-by-claims-in-access-token/terraform/setup_env.sh 
@@ -1,7 +1,6 @@ export TENANT_ID=$(terraform -chdir=./terraform output -raw TENANT_ID) export CLIENT_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_ID) export RESOURCE_SERVER_1_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_ID) -export RESOURCE_SERVER_2_CLIENT_ID=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_2_CLIENT_ID) export CLIENT_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw CLIENT_1_CLIENT_SECRET) export RESOURCE_SERVER_1_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw RESOURCE_SERVER_1_CLIENT_SECRET) export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME) @@ -10,7 +9,6 @@ export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) echo TENANT_ID=$TENANT_ID echo CLIENT_1_CLIENT_ID=$CLIENT_1_CLIENT_ID echo RESOURCE_SERVER_1_CLIENT_ID=$RESOURCE_SERVER_1_CLIENT_ID -echo RESOURCE_SERVER_2_CLIENT_ID=$RESOURCE_SERVER_2_CLIENT_ID echo CLIENT_1_CLIENT_SECRET=$CLIENT_1_CLIENT_SECRET echo RESOURCE_SERVER_1_CLIENT_SECRET=$RESOURCE_SERVER_1_CLIENT_SECRET diff --git a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf index 6938a858e..6844631fc 100644 --- a/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf +++ b/aad/spring-security/servlet/oauth2/resource-server-support-on-behalf-of-flow/terraform/main.tf @@ -239,10 +239,7 @@ resource "azuread_user" "user" { } resource "null_resource" "set_env" { - triggers = { - application_id_1 = azuread_service_principal.resource-server-1.application_id - application_id_2 = azuread_service_principal.resource-server-2.application_id - } + depends_on = [azuread_service_principal.resource-server-2] provisioner "local-exec" { command = "/bin/bash set_identifier_uris.sh" 
From 29ba16243b6d83f5cbbba843939b02cabe67374e Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 18 Mar 2022 14:40:21 +0800 Subject: [PATCH 32/38] - update terraform scripts - update yaml --- .../src/main/resources/application.yml | 2 +- .../aad-resource-server-by-filter/terraform/main.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml index 2c1857ccd..da83e894c 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml @@ -20,4 +20,4 @@ spring: user-group: allowed-group-names: group1,group2 redirect-uri-template: http://localhost:8080/ - + jwt-connect-timeout: 5000 \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf index e2d89119f..5c0a300a9 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/terraform/main.tf @@ -34,8 +34,8 @@ resource "azuread_application" "aadresourceserverbyfilter" { resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph resource_access { - id = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All - type = "Role" + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" } resource_access { 
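Review bot: The new `id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read` keeps the Graph permission as a hard-coded GUID whose meaning exists only in a trailing comment, and it has to stay consistent with the `claim_values = ["Directory.Read.All", "User.Read"]` list in the delegated-grant hunk below; a mismatch between the two applies cleanly and only surfaces when tokens are requested. Since this module already declares `azuread_service_principal.msgraph`, the id can be derived and self-documents: `id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]`. Moving from the `User.Read.All` application permission (`type = "Role"`) to the delegated `User.Read` scope is a least-privilege improvement that deserves a comment so it is not reverted, e.g. `# Delegated (Scope) rather than application (Role) permission: the app reads only the signed-in user`. The second `resource_access` block opened at the end of the hunk continues outside it.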
@@ -77,7 +77,7 @@ resource "azuread_service_principal_delegated_permission_grant" "graph" { service_principal_object_id = azuread_service_principal.aadresourceserverbyfilter.object_id resource_service_principal_object_id = azuread_service_principal.msgraph.object_id - claim_values = ["Directory.Read.All", "User.Read.All"] + claim_values = ["Directory.Read.All", "User.Read"] } # Retrieve domain information From b7bc32628d3fee9d7f8a4cf931f2f69601ad3c56 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 18 Mar 2022 15:07:04 +0800 Subject: [PATCH 33/38] - update aad-resource-server-by-filter-stateless --- .../README.md | 6 +++--- .../sample/aad/controller/MainController.java | 2 +- .../terraform/main.tf | 15 +++++++++++++++ 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md index ac0e3de3d..6b3beef44 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/README.md @@ -5,7 +5,7 @@ This demo project explains the usage of the stateless authentication filter `AadAppRoleStatelessAuthenticationFilter`. This project is composed of a vue.js frontend and a simple backend with three endpoints * `/public` (accessible by anyone) -* `/authorized` (role "user" required) +* `/authorized` (role "UserRule" required) * `/admin/demo` (role "admin" required). ## Getting started @@ -42,11 +42,11 @@ For the test SPA provided with this example you should create the following role "allowedMemberTypes": [ "User" ], - "displayName": "User", + "displayName": "UserRule", "id": "f8ed78b5-fabc-488e-968b-baa48a570001", "isEnabled": true, "description": "Normal user access", - "value": "User" + "value": "UserRule" } ], ``` 
diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/src/main/java/com/azure/spring/sample/aad/controller/MainController.java b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/src/main/java/com/azure/spring/sample/aad/controller/MainController.java index 0d9361ec2..c047c236d 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/src/main/java/com/azure/spring/sample/aad/controller/MainController.java +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/src/main/java/com/azure/spring/sample/aad/controller/MainController.java @@ -19,7 +19,7 @@ public String publicMethod() { @GetMapping("/authorized") @ResponseBody - @PreAuthorize("hasRole('ROLE_User')") + @PreAuthorize("hasRole('ROLE_UserRule')") public String onlyAuthorizedUsers() { return "authorized endpoint response"; } diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf index e47fbfdc9..3abe16310 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless/terraform/main.tf @@ -72,6 +72,15 @@ resource "azuread_application" "resourceserver" { value = "Admin" } + app_role { + allowed_member_types = ["User"] + description = "User rule" + display_name = "UserRule" + enabled = true + id = random_uuid.role-user.result + value = "UserRule" + } + web { implicit_grant { access_token_issuance_enabled = true 
@@ -104,6 +113,12 @@ resource "azuread_app_role_assignment" "admin" { resource_object_id = azuread_service_principal.resourceserver.object_id } +resource "azuread_app_role_assignment" "user_role" { + app_role_id = random_uuid.role-user.result + principal_object_id = azuread_user.user.object_id + resource_object_id = azuread_service_principal.resourceserver.object_id +} + resource "null_resource" "set_env" { depends_on = [azuread_service_principal.resourceserver] From c5e1632c81fb11c521babcd8f9eed8917c64c418 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Fri, 18 Mar 2022 16:16:42 +0800 Subject: [PATCH 34/38] - fix bugs - delete terraform in aad-web-application-and-resource-server --- .../README.md | 5 +- .../terraform/README.md | 112 ----------------- .../terraform/main.tf | 116 ------------------ .../terraform/outputs.tf | 26 ---- .../terraform/setup_env.sh | 15 --- .../src/main/resources/application.yml | 14 +-- .../run_all.sh | 5 +- .../terraform/main.tf | 115 +++++++++-------- 8 files changed, 73 insertions(+), 335 deletions(-) delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf delete mode 100644 aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md index 5fb58c578..f1e16039d 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md 
+++ b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/README.md @@ -4,10 +4,7 @@ This scenario supports `Web application` and `Resource server` in one application. -## Running Sample With Terraform -Please refer to [README.md](terraform/README.md) if you want to start the sample with Terraform in just a few steps. - -## Running Sample Step by Step +## Getting started We assume that when used as a Resource server, it is called `WebApiC`; when used as a Web application, it is called `WebApp2`. diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md deleted file mode 100644 index d2ea25b9a..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/README.md +++ /dev/null 
@@ -1,112 +0,0 @@ -# Spring Boot application with Azure Active Directory - -## What You Need - -- [An Azure subscription](https://azure.microsoft.com/free/) -- [Terraform](https://www.terraform.io/) -- [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli) -- [JDK8](https://www.oracle.com/java/technologies/downloads/) or later -- Maven -- You can also import the code straight into your IDE: - - [IntelliJ IDEA](https://www.jetbrains.com/idea/download) - -## Provision Azure Resources Required to Run This Sample - -### Authenticate Using the Azure CLI -Terraform must authenticate to Azure to create infrastructure. - -In your terminal, use the Azure CLI tool to setup your account permissions locally. - -```shell -az login --tenant [your-tenant] --allow-no-subscriptions -``` - -Your browser window will open and you will be prompted to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information. You do not need to save this output as it is saved in your system for Terraform to use. - -```shell -You have logged in. Now let us find all the subscriptions to which you have access... - -[ - { - "cloudName": "AzureCloud", - "homeTenantId": "home-Tenant-Id", - "id": "subscription-id", - "isDefault": true, - "managedByTenants": [], - "name": "Subscription-Name", - "state": "Enabled", - "tenantId": "0envbwi39-TenantId", - "user": { - "name": "your-username@domain.com", - "type": "user" - } - } -] -``` - -### Provision the Resources - -After login Azure CLI with your account, now you can use the terraform script to create Azure Resources. - -#### Run with Bash - -```shell -# In the root directory of aad-web-application-and-resource-server -# Initialize your Terraform configuration -terraform -chdir=./terraform init - -# Apply your Terraform Configuration -terraform -chdir=./terraform apply -auto-approve - -``` - -It may take a few minutes to run the script. 
After successful running, you will see prompt information like below: - -```shell -... -Apply complete! Resources: * added, * changed, * destroyed. - -``` - -You can go to [Azure portal](https://ms.portal.azure.com/) in your web browser to check the resources you created. - -### Export Output to Your Local Environment -Running the command below to export environment values: - -#### Run with Bash - -```shell -source ./terraform/setup_env.sh -``` - -You will see output like below, save this output of `created user` to login. -```shell -... ---------created user-------- -USER_NAME=... -USER_PASSWORD=... - -``` - -## Run Locally - -In your current terminal, run `mvn clean spring-boot:run`. - -```shell -mvn clean spring-boot:run -``` - -## Verify This Sample -Now you should be able to open browser to access http://localhost:8080 with the saved user information. - -## Clean Up Resources -After running the sample, if you don't want to run the sample, remember to destroy the Azure resources you created to avoid unnecessary billing. - -The terraform destroy command terminates resources managed by your Terraform project. -To destroy the resources you created. - -#### Run with Bash - -```shell -terraform -chdir=./terraform destroy -auto-approve -``` diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf deleted file mode 100644 index 07e66bbb9..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/main.tf +++ /dev/null 
@@ -1,116 +0,0 @@ -terraform { - required_providers { - azuread = { - source = "hashicorp/azuread" - version = "2.19.0" - } - random = { - source = "hashicorp/random" - version = "3.1.0" - } - } -} - -resource "random_string" "random" { - length = 5 - min_lower = 5 - special = false -} - -data "azuread_client_config" "current" {} - -# Configure the Azure Active Directory Provider -provider "azuread" { -} - -# Configure webapp_resourceserver -resource "azuread_application" "webapp_resourceserver" { - display_name = "webapp_resourceserver-${random_string.random.result}" - - owners = [data.azuread_client_config.current.object_id] - # single tenant - sign_in_audience = "AzureADMyOrg" - - api { - requested_access_token_version = 2 - } - - required_resource_access { - resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph - - resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - type = "Scope" - } - - resource_access { - id = "06da0dbc-49e2-44d2-8312-53f166ab848a" # Directory.Read.All - type = "Scope" - } - } - - required_resource_access { - resource_app_id = "797f4846-ba00-4fd7-ba43-dac1f8f63013" # Azure Service Management - - resource_access { - id = "41094075-9dad-400e-a0bd-54e686782033" # user_impersonation - type = "Scope" - } - - } - - web { - redirect_uris = ["http://localhost:8080/login/oauth2/code/"] - - implicit_grant { - access_token_issuance_enabled = true - id_token_issuance_enabled = true - } - } -} - -resource "azuread_service_principal" "webapp_resourceserver" { - application_id = azuread_application.webapp_resourceserver.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] -} - -resource "azuread_application_password" "webapp_resourceserver" { - application_object_id = azuread_application.webapp_resourceserver.object_id -} - -data "azuread_application_published_app_ids" "well_known" {} - -resource "azuread_service_principal" "msgraph" { - application_id 
= data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph - use_existing = true -} - -resource "azuread_service_principal" "management" { - application_id = data.azuread_application_published_app_ids.well_known.result.AzureServiceManagement - use_existing = true -} - -resource "azuread_service_principal_delegated_permission_grant" "graph" { - service_principal_object_id = azuread_service_principal.webapp_resourceserver.object_id - resource_service_principal_object_id = azuread_service_principal.msgraph.object_id - claim_values = ["Directory.Read.All", "User.Read"] -} - -resource "azuread_service_principal_delegated_permission_grant" "management" { - service_principal_object_id = azuread_service_principal.webapp_resourceserver.object_id - resource_service_principal_object_id = azuread_service_principal.management.object_id - claim_values = ["user_impersonation"] -} - -# Retrieve domain information -data "azuread_domains" "example" { - only_initial = true -} - -# Create a user -resource "azuread_user" "user" { - user_principal_name = "security-${random_string.random.result}@${data.azuread_domains.example.domains.0.domain_name}" - display_name = "security-${random_string.random.result}" - password = "Azure123456@" -} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf deleted file mode 100644 index c2db4eacb..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/outputs.tf +++ /dev/null 
@@ -1,26 +0,0 @@ -output "AZURE_TENANT_ID" { - value = data.azuread_client_config.current.tenant_id - description = "The Azure tenant id." -} - -output "AZURE_CLIENT_ID" { - value = azuread_application.webapp_resourceserver.application_id - description = "The application id." -} - -output "AZURE_CLIENT_SECRET" { - value = azuread_application_password.webapp_resourceserver.value - sensitive = true - description = "A secret string the application uses to prove its identity." -} - -output "USER_PASSWORD" { - value = azuread_user.user.password - sensitive = true - description = "The password of the user created by terraform." -} - -output "USER_PRINCIPAL_NAME" { - value = azuread_user.user.user_principal_name - description = "The user name of the user created by terraform." -} diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh b/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh deleted file mode 100644 index d1a25e8a9..000000000 --- a/aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server/terraform/setup_env.sh +++ /dev/null 
@@ -1,15 +0,0 @@ -export AZURE_TENANT_ID=$(terraform -chdir=./terraform output -raw AZURE_TENANT_ID) -export AZURE_CLIENT_ID=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) -export AZURE_CLIENT_SECRET=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_SECRET) -export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD) -export USER_PRINCIPAL_NAME=$(terraform -chdir=./terraform output -raw USER_PRINCIPAL_NAME) -export WEB_API_C_APP_ID_URL=$(terraform -chdir=./terraform output -raw AZURE_CLIENT_ID) - -echo AZURE_TENANT_ID=$AZURE_TENANT_ID -echo AZURE_CLIENT_ID=$AZURE_CLIENT_ID -echo AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET -echo WEB_API_C_APP_ID_URL=$WEB_API_C_APP_ID_URL - -echo "--------created user--------" -echo USER_PRINCIPAL_NAME=$USER_PRINCIPAL_NAME -echo USER_PASSWORD=$USER_PASSWORD \ No newline at end of file diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/application.yml index f2c5f7e6b..523b83bba 100644 --- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/application.yml +++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/aad-web-application/src/main/resources/application.yml 
@@ -31,10 +31,10 @@ spring:
 scopes:
 - https://graph.microsoft.com/User.Read
 - https://graph.microsoft.com/Directory.Read.All
- # webapiA: # This is used to demonstrate on-behalf-of function. Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
- # scopes:
- # - ${WEB_API_A_APP_ID_URL}/Obo.WebApiA.ExampleScope
- # webapiB: # This is used to demonstrate client_credentials type. Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
- # scopes:
- # - api://${WEB_API_B_APP_ID_URL}/.default
- # authorization-grant-type: client_credentials
\ No newline at end of file
+ webapiA: # This is used to demonstrate on-behalf-of function. Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
+ scopes:
+ - ${WEB_API_A_APP_ID_URL}/Obo.WebApiA.ExampleScope
+ webapiB: # This is used to demonstrate client_credentials type. Refs: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
+ scopes:
+ - ${WEB_API_B_APP_ID_URL}/.default
+ authorization-grant-type: client_credentials
\ No newline at end of file
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh
index 6d5db486e..d0d3829e5 100644
--- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/run_all.sh
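Review bot: The re-enabled `webapiB` scope drops the `api://` prefix, going from `api://${WEB_API_B_APP_ID_URL}/.default` to `${WEB_API_B_APP_ID_URL}/.default`, so the value is only correct if the environment variable already holds a complete resource identifier (a full application ID URI or a bare client id), and nothing in this file states which form the Terraform output provides. Pin the contract next to the scope, e.g. `# WEB_API_B_APP_ID_URL must already be a complete resource identifier; the api:// prefix is no longer added here`, and the same for `WEB_API_A_APP_ID_URL` on the on-behalf-of scope. Since `webapiB` uses `authorization-grant-type: client_credentials`, this registration presumably relies on the web app's client secret configured elsewhere in the file; a short comment saying so would help readers see that the app now acts as a confidential client against webApiB without any user context.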
@@ -36,8 +36,9 @@ echo "All apps started, please check target folder for logs."
 echo "You can use the user info below to login."
 echo "--------created user--------"
 # user
-export USER_NAME=$(terraform -chdir=$terraform_path output -raw USER_NAME)
-export USER_PASSWORD=$(terraform -chdir=$terraform_path output -raw USER_PASSWORD)
+export USER_NAME=$(terraform -chdir=./terraform output -raw USER_NAME)
+export USER_PASSWORD=$(terraform -chdir=./terraform output -raw USER_PASSWORD)
+
 echo USER_NAME=$USER_NAME
 echo USER_PASSWORD=$USER_PASSWORD
 echo "Now you should be able to open browser to access http://localhost:8080 with user above."
diff --git a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
index bbf38dd2b..adefc09a4 100644
--- a/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
+++ b/aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server/terraform/main.tf
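Review bot: Replacing `$terraform_path` with the literal `./terraform` in the two `terraform output` calls makes them depend on the caller's current directory rather than on the script's location; if `terraform_path` is still defined and used by the earlier part of run_all.sh (outside this hunk), the script now mixes the two conventions and the outputs will silently resolve against a different state directory when invoked from elsewhere. Either keep the variable or derive it once from the script itself, e.g. `terraform_path="$(dirname "$0")/terraform"` and `export USER_NAME=$(terraform -chdir="$terraform_path" output -raw USER_NAME)`. The values being exported are the credentials of the Terraform-created user and the unchanged `echo USER_PASSWORD=$USER_PASSWORD` line below writes that password to stdout, which the "check target folder for logs" workflow presumably captures; a comment noting that the created account is for local testing only, or echoing the password only when a flag is set, would make that trade-off explicit.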
@@ -43,9 +43,56 @@ data "azuread_client_config" "current" {} provider "azuread" { } + +# ====================Configure webApiB==================== +resource "azuread_application" "webApiB" { + display_name = "webApiB-${random_string.random.result}" + + owners = [data.azuread_client_config.current.object_id] + # single tenant + sign_in_audience = "AzureADMyOrg" + + api { + requested_access_token_version = 2 + + oauth2_permission_scope { + admin_consent_description = "WebApiB.ExampleScope" + admin_consent_display_name = "WebApiB.ExampleScope" + enabled = true + id = random_uuid.webApiB.result + type = "User" + value = "WebApiB.ExampleScope" + } + } + + app_role { + allowed_member_types = ["User"] + description = "WebApiB.ClientCredential.ExampleScope" + display_name = "WebApiB.ClientCredential.ExampleScope" + enabled = true + id = random_uuid.WebApiB_ClientCredential_ExampleScope.result + value = "WebApiB.ClientCredential.ExampleScope" + } + + required_resource_access { + resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph + + resource_access { + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read + type = "Scope" + } + } +} + +resource "azuread_service_principal" "webApiB" { + application_id = azuread_application.webApiB.application_id + app_role_assignment_required = false + owners = [data.azuread_client_config.current.object_id] +} + # ====================Configure webapp==================== resource "azuread_application" "webapp" { - display_name = "webapp" + display_name = "webapp-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
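Review bot: The `app_role` named `WebApiB.ClientCredential.ExampleScope` in the moved `azuread_application.webApiB` block declares `allowed_member_types = ["User"]`, yet the companion application.yml change in this commit calls webApiB with `authorization-grant-type: client_credentials`, and an app role can only be assigned to the web app's service principal when it allows the `Application` member type — with `["User"]` alone, a client-credentials token for webApiB will carry no `roles` claim. Change it to `allowed_member_types = ["Application"]` (or `["User", "Application"]` if user assignment is still wanted); note that the only user-side consumer, `azuread_app_role_assignment.webApiB_User`, is deleted later in this same commit, so `User` no longer has a purpose here. The block is relocated rather than new, but the relocation is the right moment to fix the type since the rest of the commit builds on it.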
@@ -76,7 +123,15 @@ resource "azuread_application" "webapp" { id = "41094075-9dad-400e-a0bd-54e686782033" # user_impersonation type = "Scope" } + } + + required_resource_access { + resource_app_id = azuread_application.webApiB.application_id + resource_access { + id = random_uuid.WebApiB_ClientCredential_ExampleScope.result # WebApiB_ClientCredential_ExampleScope + type = "Scope" + } } web { 
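Review bot: The added `required_resource_access` for webApiB requests the app role id `random_uuid.WebApiB_ClientCredential_ExampleScope.result` with `type = "Scope"`; app roles are application permissions and must be requested with `type = "Role"`, while `"Scope"` is reserved for `oauth2_permission_scope` entries such as webApiB's `WebApiB.ExampleScope`. As written the manifest entry matches no delegated scope on webApiB, so admin consent has nothing to grant and the client-credentials call will fail authorization. The trailing comment `# WebApiB_ClientCredential_ExampleScope` also uses underscores where the role's `value` uses dots (`WebApiB.ClientCredential.ExampleScope`); keep them identical to avoid confusing later maintainers. The enclosing `resource "azuread_application" "webapp"` block starts and ends outside this hunk.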
@@ -123,55 +178,15 @@ resource "azuread_service_principal_delegated_permission_grant" "management" { claim_values = ["user_impersonation"] } -# ====================Configure webApiB==================== -resource "azuread_application" "webApiB" { - display_name = "webApiB" - - owners = [data.azuread_client_config.current.object_id] - # single tenant - sign_in_audience = "AzureADMyOrg" - - api { - requested_access_token_version = 2 - - oauth2_permission_scope { - admin_consent_description = "WebApiB.ExampleScope" - admin_consent_display_name = "WebApiB.ExampleScope" - enabled = true - id = random_uuid.webApiB.result - type = "User" - value = "WebApiB.ExampleScope" - } - } - - app_role { - allowed_member_types = ["User"] - description = "WebApiB.ClientCredential.ExampleScope" - display_name = "WebApiB.ClientCredential.ExampleScope" - enabled = true - id = random_uuid.WebApiB_ClientCredential_ExampleScope.result - value = "WebApiB.ClientCredential.ExampleScope" - } - - required_resource_access { - resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph - - resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read - type = "Scope" - } - } -} - -resource "azuread_service_principal" "webApiB" { - application_id = azuread_application.webApiB.application_id - app_role_assignment_required = false - owners = [data.azuread_client_config.current.object_id] +resource "azuread_service_principal_delegated_permission_grant" "webapp" { + service_principal_object_id = azuread_service_principal.webapp.object_id + resource_service_principal_object_id = azuread_service_principal.webApiB.object_id + claim_values = ["WebApiB_ClientCredential_ExampleScope"] } # ====================Configure webApiC==================== resource "azuread_application" "webApiC" { - display_name = "webApiC" + display_name = "webApiC-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant 
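Review bot: The new `azuread_service_principal_delegated_permission_grant "webapp"` sets `claim_values = ["WebApiB_ClientCredential_ExampleScope"]`, which matches neither the delegated scope value `WebApiB.ExampleScope` nor the app-role value `WebApiB.ClientCredential.ExampleScope` defined on webApiB (underscores versus dots), so the apply will either fail or consent to nothing. Beyond the typo, a delegated permission grant consents to OAuth2 scopes on behalf of users and cannot grant an app role; for the client-credentials path the role has to be assigned to the web app's service principal with `azuread_app_role_assignment`, using `app_role_id = random_uuid.WebApiB_ClientCredential_ExampleScope.result`, `principal_object_id = azuread_service_principal.webapp.object_id` and `resource_object_id = azuread_service_principal.webApiB.object_id` — the same shape as the user assignment this commit deletes, assuming `azuread_service_principal.webapp` is declared outside the hunk as the new grant already presumes. If the intent was instead delegated access to webApiB's scope, `claim_values = ["WebApiB.ExampleScope"]` is the value that exists.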
@@ -208,7 +223,7 @@ resource "azuread_service_principal" "webApiC" { # ====================Configure webApiA==================== resource "azuread_application" "webApiA" { - display_name = "webApiA" + display_name = "webApiA-${random_string.random.result}" owners = [data.azuread_client_config.current.object_id] # single tenant @@ -312,12 +327,6 @@ resource "azuread_user" "user" { password = "Azure123456@" } -# assign role to user -resource "azuread_app_role_assignment" "webApiB_User" { - app_role_id = random_uuid.WebApiB_ClientCredential_ExampleScope.result - principal_object_id = azuread_user.user.object_id - resource_object_id = azuread_service_principal.webApiB.object_id -} resource "null_resource" "set_env" { depends_on = [azuread_service_principal.webApiC] From c724d3c4b5e58ca52e713dd82610a029c79a6b2b Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Mon, 21 Mar 2022 10:50:07 +0800 Subject: [PATCH 35/38] format markdown --- README.md | 71 +++++++++++++++++++++++++++---------------------------- 1 file changed, 35 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index 2fe7e5f72..c1d7b889d 100644 --- a/README.md +++ b/README.md 
@@ -27,49 +27,48 @@ ## All samples in this repo -| Azure Service | Spring Cloud Azure Starter Dependency | Sample Project | -|------------------|---------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------| +| Azure Service | Spring Cloud Azure Starter Dependency | Sample Project | +|------------------|---------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------| | AAD | [spring-cloud-azure-starter-active-directory-b2c:4.0.0-beta.4] | [aad-b2c-resource-server](aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-resource-server) | | AAD | [spring-cloud-azure-starter-active-directory-b2c:4.0.0-beta.4] | [aad-b2c-web-application](aad/spring-cloud-azure-starter-active-directory-b2c/aad-b2c-web-application) | | AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-by-filter-stateless](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter-stateless) | | AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-by-filter](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server-obo](aad/spring-cloud-azure-starter-active-directory/aad-resource-server-obo) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-resource-server](aad/spring-cloud-azure-starter-active-directory/aad-resource-server) | -| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-web-application](aad/spring-cloud-azure-starter-active-directory/aad-web-application) | +| AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | 
[web-client-access-resource-server](aad/spring-cloud-azure-starter-active-directory/web-client-access-resource-server) | | AAD | [spring-cloud-azure-starter-active-directory:4.0.0-beta.4] | [aad-webapp-resource-server](aad/spring-cloud-azure-starter-active-directory/aad-web-application-and-resource-server) | -| App Configuration| [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [azure-appconfiguration-conversion-sample-initial](appconfiguration/azure-appconfiguration-conversion-sample-initial) | -| App Configuration| [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-sample](appconfiguration/azure-appconfiguration-sample) | -| App Configuration| [azure-spring-cloud-feature-management:2.2.0] | [feature-management-sample](appconfiguration/feature-management-sample) | -| App Configuration| [azure-spring-cloud-feature-management:2.2.0] | [feature-management-web-sample](appconfiguration/feature-management-web-sample) | -| App Configuration| [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-conversion-sample-complete](appconfiguration/azure-appconfiguration-conversion-sample-complete) | -| Cache | N/A | [azure-spring-cloud-sample-cache](cache/spring-cloud-azure-starter/spring-cloud-azure-sample-cache) | -| Cloud Foundry | N/A | [azure-cloud-foundry-service-sample](cloudfoundry/azure-cloud-foundry-service-sample) | -| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-multi-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-multi-account) | -| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-single-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-single-account) | -| Cosmos DB | [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [spring-cloud-azure-data-cosmos-sample](cosmos/spring-cloud-azure-starter-data-cosmos/spring-cloud-azure-data-cosmos-sample) | -| Cosmos DB | [spring-cloud-azure-starter-cosmos:4.0.0-beta.4] | 
[spring-cloud-azure-cosmos-sample](cosmos/spring-cloud-azure-starter-cosmos/spring-cloud-azure-cosmos-sample) | -| Event Hubs | N/A | [spring-cloud-azure-sample-eventhubs-kafka](eventhubs/spring-cloud-azure-starter/spring-cloud-azure-sample-eventhubs-kafka) | -| Event Hubs | [spring-cloud-azure-starter-integration-eventhubs:4.0.0-beta.4] | [eventhubs-integration](eventhubs/spring-cloud-azure-starter-integration-eventhubs/eventhubs-integration) | -| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-binder](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-binder) | -| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-multibinders](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-multibinders) | -| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-client-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-client-side) | -| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-server-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-server-side) | -| Key Vault | | [run-with-command-line-server-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-server-side) | -| Key Vault | | [run-with-command-line-client-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-client-side) | -| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [property-source](keyvault/spring-cloud-azure-starter-keyvault-secrets/property-source) | -| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [secret-client](keyvault/spring-cloud-azure-starter-keyvault-secrets/secret-client) | +| App Configuration| [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [azure-appconfiguration-conversion-sample-initial](appconfiguration/azure-appconfiguration-conversion-sample-initial) | +| App 
Configuration| [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [azure-appconfiguration-conversion-sample-initial](appconfiguration/azure-appconfiguration-conversion-sample-initial) | +| App Configuration| [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-sample](appconfiguration/azure-appconfiguration-sample) | +| App Configuration| [azure-spring-cloud-feature-management:2.2.0] | [feature-management-sample](appconfiguration/feature-management-sample) | +| App Configuration| [azure-spring-cloud-feature-management:2.2.0] | [feature-management-web-sample](appconfiguration/feature-management-web-sample) | +| App Configuration| [azure-spring-cloud-appconfiguration-config:2.3.0] | [azure-appconfiguration-conversion-sample-complete](appconfiguration/azure-appconfiguration-conversion-sample-complete) | +| Cache | N/A | [azure-spring-cloud-sample-cache](cache/spring-cloud-azure-starter/spring-cloud-azure-sample-cache) | +| Cloud Foundry | N/A | [azure-cloud-foundry-service-sample](cloudfoundry/azure-cloud-foundry-service-sample) | +| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-multi-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-multi-account) | +| Cosmos DB | [azure-spring-data-cosmos:3.17.0] | [cosmos-multi-database-single-account](cosmos/azure-spring-data-cosmos/cosmos-multi-database-single-account) | +| Cosmos DB | [spring-cloud-azure-starter-data-cosmos:4.0.0-beta.4] | [spring-cloud-azure-data-cosmos-sample](cosmos/spring-cloud-azure-starter-data-cosmos/spring-cloud-azure-data-cosmos-sample) | +| Cosmos DB | [spring-cloud-azure-starter-cosmos:4.0.0-beta.4] | [spring-cloud-azure-cosmos-sample](cosmos/spring-cloud-azure-starter-cosmos/spring-cloud-azure-cosmos-sample) | +| Event Hubs | N/A | [spring-cloud-azure-sample-eventhubs-kafka](eventhubs/spring-cloud-azure-starter/spring-cloud-azure-sample-eventhubs-kafka) | +| Event Hubs | [spring-cloud-azure-starter-integration-eventhubs:4.0.0-beta.4] 
| [eventhubs-integration](eventhubs/spring-cloud-azure-starter-integration-eventhubs/eventhubs-integration) | +| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-binder](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-binder) | +| Event Hubs | [spring-cloud-azure-stream-binder-eventhubs:4.0.0-beta.4] | [eventhubs-multibinders](eventhubs/spring-cloud-azure-stream-binder-eventhubs/eventhubs-multibinders) | +| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-client-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-client-side) | +| Key Vault | [azure-spring-boot-starter-keyvault-certificates:3.13.0] | [keyvault-certificates-server-side](keyvault/azure-spring-boot-starter-keyvault-certificates/keyvault-certificates-server-side) | +| Key Vault | | [run-with-command-line-server-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-server-side) | +| Key Vault | | [run-with-command-line-client-side](keyvault/azure-securtiy-keyvault-jca/run-with-command-line-client-side) | +| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [property-source](keyvault/spring-cloud-azure-starter-keyvault-secrets/property-source) | +| Key Vault | [spring-cloud-azure-starter-keyvault-secrets:4.0.0-beta.4] | [secret-client](keyvault/spring-cloud-azure-starter-keyvault-secrets/secret-client) | | Service Bus | [spring-cloud-azure-starter-servicebus-jms:4.0.0-beta.4] | [servicebus-jms-queue](servicebus/spring-cloud-azure-starter-servicebus-jms/servicebus-jms-queue) | | Service Bus | [spring-cloud-azure-starter-servicebus-jms:4.0.0-beta.4] | [servicebus-jms-topic](servicebus/spring-cloud-azure-starter-servicebus-jms/servicebus-jms-topic) | -| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [single-namespace](servicebus/spring-cloud-azure-starter-integration-servicebus/single-namespace) | -| Service Bus | 
[spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [multiple-namespaces](servicebus/spring-cloud-azure-starter-integration-servicebus/multiple-namespaces) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-queue-binder) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-multibinders](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-multibinders) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-topic-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-topic-binder) | -| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-binder-arm](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-queue-binder-arm) | -| Storage | [spring-cloud-azure-starter-storage-blob:4.0.0-beta.4] | [storage-blob-sample](storage/spring-cloud-azure-starter-storage-blob/storage-blob-sample) -| Storage | [spring-cloud-azure-starter-storage-file-share:4.0.0-beta.4] | [storage-file-sample](storage/spring-cloud-azure-starter-storage-file-share/storage-file-sample) | -| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-integration](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-integration) | -| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-operation](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-operation) | +| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | [single-namespace](servicebus/spring-cloud-azure-starter-integration-servicebus/single-namespace) | +| Service Bus | [spring-cloud-azure-starter-integration-servicebus:4.0.0-beta.4] | 
[multiple-namespaces](servicebus/spring-cloud-azure-starter-integration-servicebus/multiple-namespaces) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-queue-binder) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-multibinders](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-multibinders) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-topic-binder](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-topic-binder) | +| Service Bus | [spring-cloud-azure-stream-binder-servicebus:4.0.0-beta.4] | [servicebus-queue-binder-arm](servicebus/spring-cloud-azure-stream-binder-servicebus/servicebus-queue-binder-arm) | +| Storage | [spring-cloud-azure-starter-storage-blob:4.0.0-beta.4] | [storage-blob-sample](storage/spring-cloud-azure-starter-storage-blob/storage-blob-sample) +| Storage | [spring-cloud-azure-starter-storage-file-share:4.0.0-beta.4] | [storage-file-sample](storage/spring-cloud-azure-starter-storage-file-share/storage-file-sample) | +| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-integration](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-integration) | +| Storage | [spring-cloud-azure-starter-integration-storage-queue:4.0.0-beta.4] | [storage-queue-operation](storage/spring-cloud-azure-starter-integration-storage-queue/storage-queue-operation) | ## Running Samples With Terraform With [terraform](https://www.terraform.io/) scripts and [DefaultAzureCredential](https://microsoft.github.io/spring-cloud-azure/current/reference/html/index.html#defaultazurecredential), most samples in the project can be run with the same 4 steps below: From b76da6dcb646956d7452079a854dd1019c9705ae Mon Sep 17 00:00:00 2001 
From: zhihaoguo Date: Mon, 21 Mar 2022 10:51:12 +0800 Subject: [PATCH 36/38] add an empty line --- .../src/main/resources/application.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml index da83e894c..6be328116 100644 --- a/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml +++ b/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/resources/application.yml @@ -20,4 +20,4 @@ spring: user-group: allowed-group-names: group1,group2 redirect-uri-template: http://localhost:8080/ - jwt-connect-timeout: 5000 \ No newline at end of file + jwt-connect-timeout: 5000 From b6d729814ffd4bf34d63705ba7cce5d5628a57a7 Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Mon, 21 Mar 2022 10:53:59 +0800 Subject: [PATCH 37/38] add an empty line --- .../oauth2/client-access-multiple-resource-server/run_all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh index 1a6086382..0519acf63 100644 --- a/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-multiple-resource-server/run_all.sh @@ -38,4 +38,4 @@ echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD echo "Now you should be able to open browser to access http://localhost:8080 with user above." -echo "If you encounter some errors, please refer to target folder for app logs ." \ No newline at end of file +echo "If you encounter some errors, please refer to target folder for app logs ." 
From 0e43776ceb1adf40503080090f30d0fadc92703a Mon Sep 17 00:00:00 2001 From: zhihaoguo Date: Mon, 21 Mar 2022 11:03:42 +0800 Subject: [PATCH 38/38] add an empty line --- .../servlet/oauth2/client-access-resource-server/run_all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh index 0bb71fa61..7883e264a 100644 --- a/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh +++ b/aad/spring-security/servlet/oauth2/client-access-resource-server/run_all.sh @@ -31,4 +31,4 @@ echo "--------created user--------" echo USER_NAME=$USER_NAME echo USER_PASSWORD=$USER_PASSWORD echo "Now you should be able to open browser to access http://localhost:8080 with user above." -echo "If you encounter some errors, please refer to target folder for app logs ." \ No newline at end of file +echo "If you encounter some errors, please refer to target folder for app logs ."