Deprecate AADB2CJwtBearerTokenAuthenticationConverter, use AADJwtBear…

…erTokenAuthenticationConverter instead. (#23444)
Azure · Aug 10, 2021 · b233ef7 · b233ef7
1 parent a804ef1
commit b233ef7
Show file tree

Hide file tree

Showing 10 changed files with 72 additions and 148 deletions.
diff --git a/sdk/spring/azure-spring-boot-starter-active-directory-b2c/CHANGELOG.md b/sdk/spring/azure-spring-boot-starter-active-directory-b2c/CHANGELOG.md
@@ -4,6 +4,8 @@
 This release is compatible with Spring Boot 2.5.0 - 2.5.3.
 ### Dependency Upgrades
 - Upgrade to [spring-boot-dependencies:2.5.3](https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.5.3/spring-boot-dependencies-2.5.3.pom).
+### Deprecations
+- Deprecate `AADB2CJwtBearerTokenAuthenticationConverter`, use `AADJwtBearerTokenAuthenticationConverter` instead.
 
 
 ## 3.7.0 (2021-07-20)

diff --git a/sdk/spring/azure-spring-boot-starter-active-directory-b2c/README.md b/sdk/spring/azure-spring-boot-starter-active-directory-b2c/README.md
@@ -356,7 +356,7 @@ This scenario not support login. Just protect the server by validating the acces
             http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
                 .oauth2ResourceServer()
                 .jwt()
-                .jwtAuthenticationConverter(new AADB2CJwtBearerTokenAuthenticationConverter());
+                .jwtAuthenticationConverter(new AADJwtBearerTokenAuthenticationConverter());
         }
     }
     ```

diff --git a/sdk/spring/azure-spring-boot-starter/CHANGELOG.md b/sdk/spring/azure-spring-boot-starter/CHANGELOG.md
@@ -7,6 +7,8 @@ This release is compatible with Spring Boot 2.5.0 - 2.5.3.
 ### New Features
 - Add property `azure.activedirectory.resource-server.principal-claim-name` to configure principal claim name.
 - Add property `azure.activedirectory.resource-server.claim-to-authority-prefix-map` to configure claim to authority prefix map.
+### Deprecations
+- Deprecate `AADB2CJwtBearerTokenAuthenticationConverter`, use `AADJwtBearerTokenAuthenticationConverter` instead.
 
 
 ## 3.7.0 (2021-07-20)

diff --git a/...ource-server/src/test/java/com/azure/test/aad/resource/server/AADWeiResourceServerIT.java b/...ource-server/src/test/java/com/azure/test/aad/resource/server/AADWeiResourceServerIT.java
@@ -75,8 +75,7 @@ public static class DumbApp extends AADResourceServerWebSecurityConfigurerAdapte
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             super.configure(http);
-            AADJwtBearerTokenAuthenticationConverter converter = new AADJwtBearerTokenAuthenticationConverter();
-            converter.setPrincipalClaimName("upn");
+            AADJwtBearerTokenAuthenticationConverter converter = new AADJwtBearerTokenAuthenticationConverter("upn");
             http.oauth2ResourceServer()
                 .jwt()
                 .jwtAuthenticationConverter(converter);

diff --git a/sdk/spring/azure-spring-boot/CHANGELOG.md b/sdk/spring/azure-spring-boot/CHANGELOG.md
@@ -7,6 +7,9 @@ This release is compatible with Spring Boot 2.5.0 - 2.5.3.
 ### New Features
 - Add property `azure.activedirectory.resource-server.principal-claim-name` to configure principal claim name.
 - Add property `azure.activedirectory.resource-server.claim-to-authority-prefix-map` to configure claim to authority prefix map.
+### Deprecations
+ - Deprecate `AADB2CJwtBearerTokenAuthenticationConverter`, use `AADJwtBearerTokenAuthenticationConverter` instead.
+
 
 ## 3.7.0 (2021-07-20)
 ### New Features

diff --git a/...oot/src/main/java/com/azure/spring/aad/AbstractJwtBearerTokenAuthenticationConverter.java b/...oot/src/main/java/com/azure/spring/aad/AbstractJwtBearerTokenAuthenticationConverter.java
diff --git a/...t/src/main/java/com/azure/spring/aad/webapi/AADJwtBearerTokenAuthenticationConverter.java b/...t/src/main/java/com/azure/spring/aad/webapi/AADJwtBearerTokenAuthenticationConverter.java
@@ -2,35 +2,43 @@
 // Licensed under the MIT License.
 package com.azure.spring.aad.webapi;
 
+import com.azure.spring.aad.AADJwtGrantedAuthoritiesConverter;
 import com.azure.spring.aad.AADOAuth2AuthenticatedPrincipal;
-import com.azure.spring.aad.AbstractJwtBearerTokenAuthenticationConverter;
 import com.azure.spring.aad.implementation.constants.AADTokenClaim;
 import com.azure.spring.aad.implementation.constants.AuthorityPrefix;
 import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
+import org.springframework.util.Assert;
 
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Map;
-import java.util.Optional;
 
 
 /**
  * A {@link Converter} that takes a {@link Jwt} and converts it into a {@link BearerTokenAuthentication}.
  */
-public class AADJwtBearerTokenAuthenticationConverter extends AbstractJwtBearerTokenAuthenticationConverter {
+public class AADJwtBearerTokenAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
+
+    private final Converter<Jwt, Collection<GrantedAuthority>> converter;
+    private final String principalClaimName;
 
     /**
-     * Construct AADJwtBearerTokenAuthenticationConverter by AADTokenClaim.SUB and DEFAULT_CLAIM_TO_AUTHORITY_PREFIX_MAP.
+     * Construct AADJwtBearerTokenAuthenticationConverter by AADTokenClaim.SUB and
+     * DEFAULT_CLAIM_TO_AUTHORITY_PREFIX_MAP.
      */
     public AADJwtBearerTokenAuthenticationConverter() {
         this(AADTokenClaim.SUB, AADResourceServerProperties.DEFAULT_CLAIM_TO_AUTHORITY_PREFIX_MAP);
     }
 
     /**
      * Construct AADJwtBearerTokenAuthenticationConverter with the authority claim.
+     *
      * @param authoritiesClaimName authority claim name
      */
     public AADJwtBearerTokenAuthenticationConverter(String authoritiesClaimName) {
@@ -39,6 +47,7 @@ public AADJwtBearerTokenAuthenticationConverter(String authoritiesClaimName) {
 
     /**
      * Construct AADJwtBearerTokenAuthenticationConverter with the authority claim name and prefix.
+     *
      * @param authoritiesClaimName authority claim name
      * @param authorityPrefix the prefix name of the authority
      */
@@ -55,17 +64,28 @@ public AADJwtBearerTokenAuthenticationConverter(String authoritiesClaimName,
      */
     public AADJwtBearerTokenAuthenticationConverter(String principalClaimName,
                                                     Map<String, String> claimToAuthorityPrefixMap) {
-        super(principalClaimName, claimToAuthorityPrefixMap);
+        Assert.notNull(claimToAuthorityPrefixMap, "claimToAuthorityPrefixMap cannot be null");
+        this.principalClaimName = principalClaimName;
+        this.converter = new AADJwtGrantedAuthoritiesConverter(claimToAuthorityPrefixMap);
     }
 
     @Override
-    protected OAuth2AuthenticatedPrincipal getAuthenticatedPrincipal(Map<String, Object> headers,
-                                                                     Map<String, Object> claims,
-                                                                     Collection<GrantedAuthority> authorities,
-                                                                     String tokenValue) {
-        String name = Optional.ofNullable(principalClaimName)
-                              .map(n -> (String) claims.get(n))
-                              .orElseGet(() -> (String) claims.get("sub"));
-        return new AADOAuth2AuthenticatedPrincipal(headers, claims, authorities, tokenValue, name);
+    public AbstractAuthenticationToken convert(Jwt jwt) {
+        OAuth2AccessToken accessToken = new OAuth2AccessToken(
+            OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
+        Map<String, Object> claims = jwt.getClaims();
+        Collection<GrantedAuthority> authorities = converter.convert(jwt);
+        OAuth2AuthenticatedPrincipal principal = new AADOAuth2AuthenticatedPrincipal(
+            jwt.getHeaders(), claims, authorities, jwt.getTokenValue(), (String) claims.get(principalClaimName));
+        return new BearerTokenAuthentication(principal, accessToken, authorities);
+    }
+
+    private static Map<String, String> buildClaimToAuthorityPrefixMap(String authoritiesClaimName,
+                                                               String authorityPrefix) {
+        Assert.notNull(authoritiesClaimName, "authoritiesClaimName cannot be null");
+        Assert.notNull(authorityPrefix, "authorityPrefix cannot be null");
+        Map<String, String> claimToAuthorityPrefixMap = new HashMap<>();
+        claimToAuthorityPrefixMap.put(authoritiesClaimName, authorityPrefix);
+        return claimToAuthorityPrefixMap;
     }
 }
diff --git a/.../java/com/azure/spring/autoconfigure/b2c/AADB2CJwtBearerTokenAuthenticationConverter.java b/.../java/com/azure/spring/autoconfigure/b2c/AADB2CJwtBearerTokenAuthenticationConverter.java
@@ -2,64 +2,36 @@
 // Licensed under the MIT License.
 package com.azure.spring.autoconfigure.b2c;
 
-import com.azure.spring.aad.AADJwtGrantedAuthoritiesConverter;
-import com.azure.spring.aad.AADOAuth2AuthenticatedPrincipal;
-import com.azure.spring.aad.AbstractJwtBearerTokenAuthenticationConverter;
-import com.azure.spring.aad.implementation.constants.AuthorityPrefix;
+import com.azure.spring.aad.webapi.AADJwtBearerTokenAuthenticationConverter;
 import org.springframework.core.convert.converter.Converter;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 
-import java.util.Collection;
 import java.util.Map;
-import java.util.Optional;
-
-import static com.azure.spring.aad.webapi.AADResourceServerProperties.DEFAULT_CLAIM_TO_AUTHORITY_PREFIX_MAP;
 
 /**
  * A {@link Converter} that takes a {@link Jwt} and converts it into a {@link BearerTokenAuthentication}.
+ *
+ * @deprecated Use {@link AADJwtBearerTokenAuthenticationConverter} instead.
  */
-public class AADB2CJwtBearerTokenAuthenticationConverter extends AbstractJwtBearerTokenAuthenticationConverter {
+@Deprecated
+public class AADB2CJwtBearerTokenAuthenticationConverter extends AADJwtBearerTokenAuthenticationConverter {
 
-    /**
-     * Use {@link AADJwtGrantedAuthoritiesConverter}, it can resolve the access token of scp and roles.
-     */
     public AADB2CJwtBearerTokenAuthenticationConverter() {
-        this(null, DEFAULT_CLAIM_TO_AUTHORITY_PREFIX_MAP);
+        super();
     }
 
-    /**
-     * Construct AADB2CJwtBearerTokenAuthenticationConverter with the authority claim.
-     * @param authoritiesClaimName authority claim name
-     */
     public AADB2CJwtBearerTokenAuthenticationConverter(String authoritiesClaimName) {
-        this(authoritiesClaimName, AuthorityPrefix.SCOPE);
+        super(authoritiesClaimName);
     }
 
-    /**
-     * Construct AADB2CJwtBearerTokenAuthenticationConverter with the authority claim name and prefix.
-     * @param authoritiesClaimName authority claim name
-     * @param authorityPrefix the prefix name of the authority
-     */
-    public AADB2CJwtBearerTokenAuthenticationConverter(String authoritiesClaimName, String authorityPrefix) {
-        this(null, buildClaimToAuthorityPrefixMap(authoritiesClaimName, authorityPrefix));
+    public AADB2CJwtBearerTokenAuthenticationConverter(String authoritiesClaimName,
+                                                       String authorityPrefix) {
+        super(authoritiesClaimName, authorityPrefix);
     }
 
     public AADB2CJwtBearerTokenAuthenticationConverter(String principalClaimName,
                                                        Map<String, String> claimToAuthorityPrefixMap) {
         super(principalClaimName, claimToAuthorityPrefixMap);
     }
-
-    @Override
-    protected OAuth2AuthenticatedPrincipal getAuthenticatedPrincipal(Map<String, Object> headers,
-                                                                     Map<String, Object> claims,
-                                                                     Collection<GrantedAuthority> authorities,
-                                                                     String tokenValue) {
-        String name = Optional.ofNullable(principalClaimName)
-                              .map(n -> (String) claims.get(n))
-                              .orElseGet(() -> (String) claims.get("sub"));
-        return new AADOAuth2AuthenticatedPrincipal(headers, claims, authorities, tokenValue, name);
-    }
 }
diff --git a/...boot/src/samples/java/com/azure/spring/autoconfigure/b2c/ResourceServerConfiguration.java b/...boot/src/samples/java/com/azure/spring/autoconfigure/b2c/ResourceServerConfiguration.java
@@ -3,6 +3,7 @@
 
 package com.azure.spring.autoconfigure.b2c;
 
+import com.azure.spring.aad.webapi.AADJwtBearerTokenAuthenticationConverter;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -17,6 +18,6 @@ protected void configure(HttpSecurity http) throws Exception {
         http.authorizeRequests((requests) -> requests.anyRequest().authenticated())
             .oauth2ResourceServer()
             .jwt()
-            .jwtAuthenticationConverter(new AADB2CJwtBearerTokenAuthenticationConverter());
+            .jwtAuthenticationConverter(new AADJwtBearerTokenAuthenticationConverter());
     }
 }