- 1. About
- 2. Get sample applications
- 3. Create resources in Azure
- 3.1. Create a tenant
- 3.2. Add a new user
- 3.3. Register client-1
- 3.4. Add a client secret for client-1
- 3.5. Add a redirect URI for client-1
- 3.6. Register resource-server-1
- 3.7. Add a client secret for resource-server-1
- 3.8. Add a redirect URI for resource-server-1
- 3.9. Expose APIs for resource-server-1
- 3.10. Set accessTokenAcceptedVersion to 2 for resource-server-1
- 3.11. Register resource-server-2
- 3.12. Expose APIs for resource-server-2
- 3.13. Set accessTokenAcceptedVersion to 2 for resource-server-2
- 3.14. Authorize resource-server-1 to access resource-server-2
- 4. Run sample applications
- 5. Homework
This section shows this scenario:
- The user signs in to the client, and the client obtains an access token through the OAuth 2.0 authorization code flow.
- The client accesses resource-server-1 with that access token.
- resource-server-1 validates the access token by verifying its signature and checking the aud, nbf and exp claims.
- resource-server-1 uses the validated access token to obtain a new access token through the on-behalf-of flow.
- resource-server-1 uses the new access token to access resource-server-2.
- resource-server-2 validates that access token by verifying its signature and checking the aud, nbf and exp claims.
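The validation both resource servers perform, as an added example that is not part of the sample. To run offline it signs tokens with HMAC-SHA256 under a shared secret (an assumption: Entra ID signs access tokens with RS256, and a real resource server verifies the signature against the tenant's published JWKS keys), but the claim checks are the ones the scenario lists. With accessTokenAcceptedVersion set to 2, the aud claim carries the resource server's client ID, so that is the value to compare against. The constructed `mint_token` stands in for the issuer; `check` is a wrapper that returns the rejection reason.

```python
# Added example (not part of the sample): verify a JWT's signature and check the aud, nbf and exp
# claims, the validation resource-server-1 and resource-server-2 perform on inbound access tokens.
# Assumption: tokens here are signed with HMAC-SHA256 under a shared secret so the example runs
# offline. Entra ID signs access tokens with RS256; a real resource server verifies against the
# tenant's published JWKS keys instead, but the claim checks below are the same.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-demo-signing-key"   # assumption: stands in for the issuer's key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Constructed issuer: produce a compact JWS (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_token(token: str, expected_aud: str, key: bytes = SIGNING_KEY,
                   now: Optional[float] = None, leeway: int = 60) -> dict:
    """Return the claims if signature, aud, nbf and exp all pass; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the algorithm: the verifier decides, never the token's own header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Signature first: nothing in an unverified payload can be trusted.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # aud: the token must have been issued for this resource server (a string or a list).
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_values:
        raise ValueError("aud mismatch")

    # nbf / exp: the validity window, with a small leeway for clock skew.
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid")
    if "exp" not in claims or now - leeway >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check(token: str, expected_aud: str, now: float) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        validate_token(token, expected_aud, now=now)
        return "ok"
    except ValueError as err:
        return str(err)
```

A token minted for resource-server-1 passes `check(token, RESOURCE_SERVER_1_CLIENT_ID, now)` but is rejected with "aud mismatch" when presented to resource-server-2, which is why resource-server-1 cannot simply forward the client's token and has to run the on-behalf-of exchange instead.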
Get the sample applications from GitHub: resource-server-support-on-behalf-of-flow.
Read the documentation about creating a Microsoft Entra tenant, and create a new tenant. Get the tenant ID: ${TENANT_ID}.
After creating the tenant, you can refer to README.md if you want to start the sample without following the step-by-step instructions.
Read the documentation about adding users, and add a new user: user-1@${tenant-name}.com. Get the user's password.
Read the documentation about registering an application, and register an application named client-1. Get its client ID: ${CLIENT_1_CLIENT_ID}.
Read the documentation about adding a client secret, and add a client secret. Get the client secret value: ${CLIENT_1_CLIENT_SECRET}. The portal shows the value only right after creation, so copy it then and keep it out of source control.
Read the documentation about adding a redirect URI, and add the redirect URI: http://localhost:8080/login/oauth2/code/.
Read the documentation about registering an application, and register an application named resource-server-1. Get its client ID: ${RESOURCE_SERVER_1_CLIENT_ID}.
Read the documentation about adding a client secret, and add a client secret. Get the client secret value: ${RESOURCE_SERVER_1_CLIENT_SECRET}. resource-server-1 needs this secret to authenticate itself to the token endpoint during the on-behalf-of exchange.
Read the documentation about adding a redirect URI, and add the redirect URI: http://localhost:8080/login/oauth2/code/.
Read the documentation about exposing an API, and expose 2 scopes for resource-server-1: resource-server-1.scope-1 and resource-server-1.scope-2. Choose Admins and users for the Who can consent option.
Read the documentation about the application manifest, and set accessTokenAcceptedVersion to 2, so that resource-server-1 receives v2.0 access tokens whose aud claim is its client ID.
Read the documentation about registering an application, and register an application named resource-server-2. Get its client ID: ${RESOURCE_SERVER_2_CLIENT_ID}.
Read the documentation about exposing an API, and expose 2 scopes for resource-server-2: resource-server-2.scope-1 and resource-server-2.scope-2. Choose Admins and users for the Who can consent option.
Read the documentation about the application manifest, and set accessTokenAcceptedVersion to 2, so that resource-server-2 receives v2.0 access tokens whose aud claim is its client ID.
Read the documentation about exposing an API, and pre-authorize resource-server-1 to access resource-server-2. Without this pre-authorization the on-behalf-of exchange requires separate user consent for resource-server-1 and fails with a consent error.
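The on-behalf-of exchange that resource-server-1 performs once the registrations above are in place, as an added example. This is not the sample's code (the Spring sample drives the exchange through its client library); it shows the raw request to the Entra ID v2.0 token endpoint so the parameters are visible. Assumptions: the placeholder names stand in for the real tenant, client ID and secret values from the steps above, resource-server-2's scopes use the default api://<client-id> App ID URI, and the transport can be replaced by a constructed offline stub (`demo`) so the request can be inspected without a network.

```python
# Added example (not the sample's code; the Spring sample does this through its client library):
# the on-behalf-of exchange resource-server-1 performs against the Entra ID v2.0 token endpoint.
# Assumptions: placeholder values stand in for the real tenant and app IDs, resource-server-2's
# scopes use the default api://<client-id> App ID URI, and the transport can be swapped for an
# offline stub so the request can be inspected without a network.
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_obo_request(tenant_id: str, client_id: str, client_secret: str,
                      incoming_token: str, scopes: List[str]) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for the on-behalf-of grant."""
    form = {
        "grant_type": JWT_BEARER_GRANT,
        "client_id": client_id,              # resource-server-1's own app registration
        "client_secret": client_secret,      # its client secret; never log this
        "assertion": incoming_token,         # the client's access token, only after it passed validation
        "scope": " ".join(scopes),           # the scopes needed on resource-server-2
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def decode_form(body: bytes) -> Dict[str, str]:
    """Parse a form body back into a dict (one value per field); used for inspection and tests."""
    return {key: values[0] for key, values in urllib.parse.parse_qs(body.decode()).items()}


def exchange_token(tenant_id: str, client_id: str, client_secret: str, incoming_token: str,
                   scopes: List[str], opener: Callable = urllib.request.urlopen) -> str:
    """POST the exchange and return the new access token, or raise with the endpoint's error text."""
    url, body = build_obo_request(tenant_id, client_id, client_secret, incoming_token, scopes)
    request = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(request) as response:
        payload = json.load(response)
    if "access_token" not in payload:
        # Failures (for example missing consent) come back as error / error_description.
        raise RuntimeError(payload.get("error_description", payload.get("error", "exchange failed")))
    return payload["access_token"]


def demo() -> str:
    """Run the exchange against a constructed offline stub of the token endpoint."""
    import io

    def fake_endpoint(request: urllib.request.Request):
        sent = decode_form(request.data)
        assert sent["requested_token_use"] == "on_behalf_of"
        return io.BytesIO(json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                      "access_token": "constructed-token-for-" + sent["scope"]}).encode())

    return exchange_token("TENANT_ID", "RESOURCE_SERVER_1_CLIENT_ID", "RESOURCE_SERVER_1_CLIENT_SECRET",
                          "incoming.client.token",
                          ["api://RESOURCE_SERVER_2_CLIENT_ID/resource-server-2.scope-1"],
                          opener=fake_endpoint)
```

Two points worth keeping in mind when wiring this into a real resource server: only a token that has already passed signature, aud, nbf and exp validation should ever be placed in the assertion field, and the new token comes back with aud set to resource-server-2, so resource-server-1 must not reuse it for anything else.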
- Open the sample application client, fill in the placeholders in application.yml, then run the application.
- Open the sample application resource-server-1, fill in the placeholders in application.yml, then run the application.
- Open the sample application resource-server-2, fill in the placeholders in application.yml, then run the application.
- Open a browser (for example, Edge), close all InPrivate windows, and open a new InPrivate window so no existing session is reused.
- Access http://localhost:8080; it returns the login page.
- Enter the username and password (update the password if prompted); it returns Hello, this is client-1., which means the user signed in successfully.
- Access http://localhost:8080/resource-server-1; it returns Hello, this is resource-server-1., which means the client can access resource-server-1.
- Access http://localhost:8080/resource-server-1/resource-server-2; it returns Hello, this is resource-server-2., which means resource-server-1 can access resource-server-2 on behalf of the user.