Hi,
I am constructing an application that will use AAD for single sign on and authorisation. I have constructed a test bed web application that is able to successfully authenticate me using the @AzureAuthenticationDefinition annotation:
@AzureAuthenticationDefinition(
    providerURI = "https://login.microsoftonline.com/**REDACTED**/v2.0/",
    tenantId = "**REDACTED**",
    clientId = "**REDACTED**",
    clientSecret = "**REDACTED**",
    redirectURI = "${baseURL}/Callback"
)
public class SecurityConfig {
}
Now, I want to use a password alias to protect the clientSecret. I have saved the secret in the console under an alias called appsecret. I have tried changing the client secret thus:
clientSecret = "${ALIAS=appsecret}",
but I then get this in the server log:
Error occurred in validating Authorization Code : invalid_client caused by AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '**REDACTED**'.
and the secured page then refuses to load.
If I use @ConfigProperty on a bean:
import javax.inject.Inject;
import javax.inject.Named;
import org.eclipse.microprofile.config.inject.ConfigProperty;

@Named
public class ConfigBean {

    @Inject
    @ConfigProperty(name = "appsecret")
    private String secret;

    public String getSecret() {
        return secret;
    }

    public ConfigBean() {
    }
}
…then include the microprofile library, and use a bean expression:
clientSecret = "#{configBean.secret}",
This works, but it feels like I am increasing the attack surface of my application by having a bean that exposes the secret.
Can anyone help me here? Should ALIAS substitution work in this context? Do the dependencies / classpath have an impact on this? Currently I have:
javaee-api-8.0.jar
microprofile-config-api-2.0.jar
payara-api-5.2022.2.jar
activation-1.1.jar
javax.mail-1.6.0.jar
security-connectors-api-2.3.0.jar
Thanks
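As an added example (not the poster's code and not part of Payara or MicroProfile), here is a variant of the ConfigBean above that fails fast if the injected value still looks like an unresolved "${ALIAS=...}" or "#{...}" placeholder, which is the failure mode that ends with AADSTS7000215, and that logs only a short SHA-256 fingerprint rather than the secret itself so the substitution can be checked against the console value. The bean name configBean, the property name appsecret and the fingerprint length are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import org.eclipse.microprofile.config.inject.ConfigProperty;

@Named("configBean")          // assumed bean name, resolvable from "#{configBean.secret}"
@ApplicationScoped
public class ConfigBean {

    private static final Logger LOG = Logger.getLogger(ConfigBean.class.getName());

    @Inject
    @ConfigProperty(name = "appsecret")   // assumed property name, as in the post
    private String secret;

    @PostConstruct
    void verifyResolved() {
        // If substitution did not happen, the literal placeholder would be sent to
        // AAD and rejected; refuse to start instead of failing at the first login.
        if (looksUnresolved(secret)) {
            throw new IllegalStateException("appsecret did not resolve to a real value");
        }
        // Log a fingerprint only, never the secret, so the log stays safe to share.
        LOG.info(() -> "appsecret resolved, sha256 prefix " + fingerprint(secret));
    }

    static boolean looksUnresolved(String value) {
        return value == null || value.trim().isEmpty()
            || value.contains("${ALIAS=") || value.contains("#{");
    }

    // First 4 bytes (8 hex chars) of SHA-256: enough to compare with the console value.
    static String fingerprint(String value) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public String getSecret() { return secret; }
}
```

Computing the same SHA-256 prefix over the value stored in the console and comparing it with the logged prefix confirms that the alias (or the MicroProfile property) resolved to the intended secret.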