How to validate access_token(Azure AD OAuth 2.0) in web API?

I am using the Azure AD OAuth 2.0 authorization flow for my Spring Boot microservices + Angular2 application.
Flow of my application:

  1. (1st request to my Spring Boot application from the front-end) The Spring Boot application redirects it to the Azure login page.
  2. User enters his credentials.
  3. The authorization server sends a POST request to redirect_uri; this request has the authorization_code along with other user info (like first name, last name and user id).
  4. Then I get the bearer token and refresh_token using the authorization_code.

Now I want to send the bearer_token to another microservice, which will validate the bearer_token.

My question is: how can I validate the bearer_token and retrieve the owner of that token in the other microservices?

Bhushan asked Aug 09 '17 14:08



2 Answers

I assume that you use the default configuration for Azure AD OAuth 2.0, which returns JWT-encoded tokens. There are a few benefits to this type of token: you could extract information such as granted scopes from the token itself, and you could avoid sending a validation request to the Authorization server by checking the token signature.

Configuring JWT token validation

You would need to configure Resource server (your Web API) to use the JWT tokens:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(ResourceServerSecurityConfigurer config) {
        // Validate incoming bearer tokens locally with the JWT-aware token services below.
        config.tokenServices(tokenServices());
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore persists nothing; it decodes and verifies the token on every request.
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // A PEM-encoded RSA public key ("-----BEGIN PUBLIC KEY-----" ...) makes the
        // converter verify RSA signatures instead of treating the value as an HMAC secret.
        converter.setVerifierKey(obtainAzureADPublicKey());
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        return defaultTokenServices;
    }

    // Placeholder: implement as described in the next section (fetch the current signing
    // key from the jwks_uri advertised by the OpenID configuration document, PEM-encoded).
    private String obtainAzureADPublicKey() {
        throw new UnsupportedOperationException("fetch the Azure AD signing key from jwks_uri");
    }
}

This code (with small modification) was taken from the excellent blog post by Eugen Paraschiv (aka Baeldung).

Obtaining Azure signing key

You would need to get the asymmetric public encryption key that Azure AD uses to sign the issued tokens and return it from the obtainAzureADPublicKey method.

Based on the documentation you would have to first obtain the meta-info about the JWT signature key endpoint from https://login.microsoftonline.com/common/.well-known/openid-configuration (by retrieving the value of "jwks_uri" property from the result).

Then you would need to obtain the proper key from that URL.

Note that Azure AD changes this information from time to time so you cannot do it only once at the startup of your application. However, caching it for at least 24 hours would be a good idea.

oiavorskyi answered Nov 18 '22 17:11



Basically, the one who generated the access token should be responsible for validating it, which is usually the authorization server. I understand Azure is your authorization server, so that is where you should validate your token.

Amer Qarabsa answered Nov 18 '22 17:11
