- 1. About
- 2. Get sample applications
- 3. Create resources in Azure
- 3.1. Create a tenant
- 3.2. Add a new user
- 3.3. Register client-1
- 3.4. Add a client secret for client-1
- 3.5. Add a redirect URI for client-1
- 3.6. Register resource-server-1
- 3.7. Expose apis for resource-server-1
- 3.8. Set accessTokenAcceptedVersion to 2 for resource-server-1
- 3.9. Register resource-server-2
- 3.10. Expose apis for resource-server-2
- 3.11. Set accessTokenAcceptedVersion to 2 for resource-server-2
- 4. Run sample applications
- 5. Homework
This section demonstrates the following scenario:
- Client gets an access token from Microsoft Entra ID.
- Client uses the access token to access Gateway.
- Gateway validates the access token. If the token is valid, Gateway uses the same access token to call the ResourceServer. There are two ResourceServers; which one is called depends on the request URL, as configured in Gateway's application.yml. Gateway is implemented with spring-cloud-gateway.
- Gateway gets the response from the ResourceServer and returns it to Client.
Get the sample applications from GitHub: spring-cloud-gateway.
Read the document about creating a Microsoft Entra tenant and create a new tenant. Get the tenant ID: ${TENANT_ID}.
After creating the tenant, you can refer to README.md if you want to start the sample without following the step-by-step instructions.
Read the document about adding users and add a new user: user-1@${tenant-name}.com. Get the user's password.
Read the document about registering an application and register an application named client-1. Get the client ID: ${CLIENT_1_CLIENT_ID}.
Read the document about adding a client secret and add one. Get the client-secret value: ${CLIENT_1_CLIENT_SECRET}.
Read the document about adding a redirect URI and add two redirect URIs: http://localhost:8080/login/oauth2/code/client-1-resource-server-1 and http://localhost:8080/login/oauth2/code/client-1-resource-server-2.
Read the document about registering an application and register an application named resource-server-1. Get the client ID: ${RESOURCE_SERVER_1_CLIENT_ID}.
Read the document about exposing an API and expose two scopes for resource-server-1: resource-server-1.scope-1 and resource-server-1.scope-2. Choose "Admins and users" for the "Who can consent" option.
Read the document about the application manifest and set accessTokenAcceptedVersion to 2.
Read the document about registering an application and register an application named resource-server-2. Get the client ID: ${RESOURCE_SERVER_2_CLIENT_ID}.
Read the document about exposing an API and expose two scopes for resource-server-2: resource-server-2.scope-1 and resource-server-2.scope-2. Choose "Admins and users" for the "Who can consent" option.
Read the document about the application manifest and set accessTokenAcceptedVersion to 2.
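The four application.yml files that the run steps refer to are not reproduced on this page. The multi-document YAML below is an added illustration, not the sample's own configuration, of how the values collected above fit together with the scenario described at the start of this section: the two registration ids in the client produce exactly the redirect URIs registered for client-1, the scope values use the scope names exposed on resource-server-1 and resource-server-2, and the v2.0 issuer is what accessTokenAcceptedVersion = 2 makes the tenant put into the tokens. The ports 8081, 8082 and 8083 for gateway, resource-server-1 and resource-server-2, the default Application ID URI api://<client-id>, path-based routing, and the gateway passing the Authorization header through are assumptions.

```yaml
# Added illustration of the four application.yml files; not the sample's own config.
# ${...} placeholders are the values collected in the setup steps (set them as
# environment variables or replace them inline). Ports 8081/8082/8083 for
# gateway, resource-server-1 and resource-server-2 are assumed, as is the
# default Application ID URI api://<client-id> for the two resource servers.

# ---------- client (runs on http://localhost:8080) ----------
spring:
  security:
    oauth2:
      client:
        provider:
          entra:
            # v2.0 issuer: the APIs accept v2 tokens because
            # accessTokenAcceptedVersion was set to 2 on both of them
            issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0
        registration:
          # The registration id is the last path segment of the redirect URI,
          # so these two ids reproduce the URIs registered for client-1:
          # http://localhost:8080/login/oauth2/code/client-1-resource-server-1
          # http://localhost:8080/login/oauth2/code/client-1-resource-server-2
          client-1-resource-server-1:
            provider: entra
            client-id: ${CLIENT_1_CLIENT_ID}
            client-secret: ${CLIENT_1_CLIENT_SECRET}
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope:
              - api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-1
              - api://${RESOURCE_SERVER_1_CLIENT_ID}/resource-server-1.scope-2
          client-1-resource-server-2:
            provider: entra
            client-id: ${CLIENT_1_CLIENT_ID}
            client-secret: ${CLIENT_1_CLIENT_SECRET}
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope:
              - api://${RESOURCE_SERVER_2_CLIENT_ID}/resource-server-2.scope-1
              - api://${RESOURCE_SERVER_2_CLIENT_ID}/resource-server-2.scope-2
---
# ---------- gateway (assumed port 8081) ----------
server:
  port: 8081
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          # Gateway validates the incoming bearer token (signature via the
          # tenant's JWKS, issuer, expiry) before routing anything downstream.
          issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0
  cloud:
    gateway:
      routes:
        # Which ResourceServer is called depends only on the request path;
        # the validated Authorization header is passed through (assumed).
        - id: resource-server-1
          uri: http://localhost:8082
          predicates:
            - Path=/resource-server-1/**
        - id: resource-server-2
          uri: http://localhost:8083
          predicates:
            - Path=/resource-server-2/**
---
# ---------- resource-server-1 (assumed port 8082) ----------
server:
  port: 8082
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0
          # Reject tokens minted for any other API, including resource-server-2
          # (audiences is a Spring Boot 3.1+ property).
          audiences:
            - ${RESOURCE_SERVER_1_CLIENT_ID}
---
# ---------- resource-server-2 (assumed port 8083) ----------
server:
  port: 8083
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0
          audiences:
            - ${RESOURCE_SERVER_2_CLIENT_ID}
```

Gateway only checks that the bearer token is a valid token from this tenant; each resource server additionally checks that the token's aud claim is its own client ID, so a token obtained for resource-server-1 is rejected by resource-server-2 even though it passes the gateway. Spring maps the v2 token's scp claim to SCOPE_-prefixed authorities, which is where per-scope authorization for resource-server-1.scope-1 and the other exposed scopes is enforced.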
- Open the sample application client, fill in the placeholders in application.yml, then run the application.
- Open the sample application gateway, fill in the placeholders in application.yml, then run the application.
- Open the sample application resource-server-1, fill in the placeholders in application.yml, then run the application.
- Open the sample application resource-server-2, fill in the placeholders in application.yml, then run the application.
- Open a browser (for example Edge), close all InPrivate windows, and open a new InPrivate window.
- Access http://localhost:8080/; it returns "Hello, this is client-1.".
- Access http://localhost:8080/resource-server-1; it redirects to the Microsoft consent page.
- Enter the username and password (update the password if prompted); the permission request page is shown, asking the user to allow client-1 to access resource-server-1.
- Click Accept; it returns "Hello, resource-server-1.". This means Client can access ResourceServer1 through Gateway successfully.
- Access http://localhost:8080/resource-server-2 and consent as before; it returns "Hello, this is resource-server-2.".
- Read RFC 6749 (The OAuth 2.0 Authorization Framework).