
I am using the angular-oauth2-oidc library in Angular to login via the PKCE Authorization Flow and then passing the token to my back end to secure my custom API.

The Spring boot back end is acting as the oauth2 Resource Server and securing my custom API's using the token.

SecurityConfiguration.java

// CORS for the Angular client, then path rules, then JWT bearer validation
http.cors().and()
        .authorizeRequests()
            .antMatchers("/home").permitAll()
            .antMatchers("/actuator/health").permitAll()
            .antMatchers("/**").authenticated()
        .and()
        .oauth2ResourceServer().jwt();

By default, Azure AD returns a valid JWT token only for Graph APIs. If you want to use the Azure AD OIDC authentication for your own API, you are dealing with a non-compliant provider. Thus I created a custom scope in the App Registration → Expose an API page. Then I added this scope in the authorization request initiated by my Angular client along with the default openid scope.


Now that I have this token, which no longer contains the ‘nonce’ in its JWT header (which I needed in order to secure my custom API), how do I go about using this token to get a new token, and then follow the On-Behalf-Of flow to make my Graph API calls?

Is anyone able to guide me in the right direction on how to exactly get the 2nd access token?

nabeelh21
  • Did you see this [example](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#example)? `&assertion=eyJ0eXAiOiJKV*****` is the first token. You need to include it in the request to acquire the second access token. – Allen Wu Dec 21 '20 at 03:45
  • Sorry, I may be missing something. How exactly do I use that in Java? – nabeelh21 Dec 21 '20 at 04:33
  • See the sample code [here](https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-acquire-token?tabs=java): use `msalAuthHelper.getOboToken("https://graph.microsoft.com/.default")`. And I have provided you with a completed [Github sample](https://github.com/Azure-Samples/ms-identity-java-webapi) before. Is there any difficulty when you implement it? – Allen Wu Dec 21 '20 at 06:42

1 Answer


You would need to send 2 messages in your API:

  • Send your access token to the token endpoint, to get a graph access token
  • Send the graph access token to the user info endpoint

I only have a sample in NodeJS, though the messages are quite simple, involving requests with form url encoded data, and JSON responses. So you should be able to do this fairly easily with any Java HTTP Client:

Allen's samples should demonstrate how to incorporate this into Spring Security.

Gary Archer
  • Thanks, I was able to find a thread on how to create a POST request in Java, and got the response to come back correctly. https://stackoverflow.com/questions/1359689/how-to-send-http-request-in-java Parsing the JSON response to retrieve only the new access token was another issue, but I got it working finally. – nabeelh21 Dec 22 '20 at 00:31
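The two messages described in the answer, written out as an added Java example. This is not code from the original post, from angular-oauth2-oidc, or from the Azure samples linked in the comments. It assumes Java 11's java.net.http client and the Jackson ObjectMapper that Spring Boot already ships; the tenant id, client id and client secret are configuration placeholders, and the class and method names (GraphOnBehalfOfClient, acquireGraphToken, callGraphMe) are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/**
 * Hypothetical helper (not part of Spring, MSAL or the Azure samples): takes the
 * access token Spring Security already validated for the current request, exchanges
 * it for a Microsoft Graph token with the On-Behalf-Of grant, and calls Graph with it.
 */
public class GraphOnBehalfOfClient {

    private static final String GRANT_TYPE_JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static final String GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default";

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();
    private final String tokenEndpoint;   // https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    private final String clientId;        // app registration of THIS API (the one exposing the custom scope)
    private final String clientSecret;    // comes from configuration, never from source or the SPA

    public GraphOnBehalfOfClient(String tenantId, String clientId, String clientSecret) {
        this.tokenEndpoint = "https://login.microsoftonline.com/" + tenantId + "/oauth2/v2.0/token";
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Raw bearer token of the current request, as validated by oauth2ResourceServer().jwt(). */
    static String incomingTokenValue() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof JwtAuthenticationToken)) {
            throw new IllegalStateException("no validated JWT on this request");
        }
        return ((JwtAuthenticationToken) auth).getToken().getTokenValue();
    }

    /** Message 1: POST the incoming token as the assertion, get a Graph access token back. */
    public String acquireGraphToken(String incomingToken) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", GRANT_TYPE_JWT_BEARER);
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        form.put("assertion", incomingToken);
        form.put("scope", GRAPH_DEFAULT_SCOPE);
        form.put("requested_token_use", "on_behalf_of");

        HttpRequest request = HttpRequest.newBuilder(URI.create(tokenEndpoint))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formEncode(form)))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        JsonNode body = json.readTree(response.body());
        if (response.statusCode() != 200 || !body.hasNonNull("access_token")) {
            // Azure AD explains failures in "error"/"error_description"; those are safe to log,
            // the request body (client secret plus the user's token) is not.
            throw new IOException("OBO exchange failed: " + body.path("error").asText("unknown")
                    + " - " + body.path("error_description").asText(""));
        }
        return body.get("access_token").asText();   // the only field the caller needs
    }

    /** Message 2: call Graph as the signed-in user with the token from message 1. */
    public JsonNode callGraphMe(String graphToken) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://graph.microsoft.com/v1.0/me"))
                .header("Authorization", "Bearer " + graphToken)
                .GET()
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IOException("Graph call failed with HTTP " + response.statusCode());
        }
        return json.readTree(response.body());
    }

    /** Percent-encodes every pair so a token or secret containing '+', '/' or '=' survives the round trip. */
    static String formEncode(Map<String, String> form) {
        return form.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    // Usage from a controller method behind the authenticated() rule in SecurityConfiguration:
    //   GraphOnBehalfOfClient obo = new GraphOnBehalfOfClient(tenantId, clientId, clientSecret);
    //   JsonNode me = obo.callGraphMe(obo.acquireGraphToken(GraphOnBehalfOfClient.incomingTokenValue()));
}
```

The assertion is the incoming token exactly as the Angular client sent it, so this exchange only makes sense after oauth2ResourceServer().jwt() has verified its signature and expiry, and it carries the API's own client secret, which is why it has to run in the back end rather than in the SPA. One check worth adding on the Spring side: the default validators cover signature, expiry and issuer, so configure the JwtDecoder to also reject tokens whose aud is not your API's client id or App ID URI; otherwise a token issued to some other API in the same tenant would pass the authenticated() rule.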