Issue
I'm struggling with getting a vaadin spring boot application to play nicely with AAD
I'm on the latest version of all involved libraries/frameworks: spring-boot 2.7.2, vaadin 23.1.6, aad: 4.3.0.
I have the AAD authentication working (using its auto configuration and some properties in application.yaml), but when I try to integrate it with vaadin by using the VaadinWebSecurityConfigurerAdapter it will not take me to the login page.
My configuration is very plain, vaadin is configured using:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class VaadinSecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {
}
And AAD is configured through AadAuthenticationFilterAutoConfiguration with the following properties:
spring.cloud.azure.active-directory:
  credential:
    client-id: "xxx..."
    client-secret: "yyy..."
  profile:
    tenant-id: "zzz..."
If I access the application in a browser session where I'm already logged in, I can see in the log that it fetches my user details from AAD, but if I start in an incognito window I get a 401 response without being redirected to the AAD login page.
I suspect that the VaadinWebSecurityConfigurerAdapter overwrites some of the configuration that is needed for AAD/Oauth2.
Solution
So I turned trace logging on with the following configuration:
logging:
  level:
    org.springframework.security: trace
    com.azure.spring.cloud: trace
    com.vaadin.flow.spring.security: trace
    com.vaadin.flow.server.auth: trace
and compared log output from running with and without the VaadinWebSecurityConfigurerAdapter, and discovered that OAuth2AuthorizationRequestRedirectFilter was not in the filter chain, which led me to discover that OAuth2LoginConfigurer was not being executed. So I did a little googling and changed my config class to:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class VaadinSecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        super.configure(http);   // Vaadin's defaults (CSRF handling, static resources, etc.)
        http.oauth2Login();      // registers OAuth2LoginConfigurer so the AAD redirect filter is added
    }
}
and that seems to have solved my problem, at least for my "Hello world" test application. When I applied the change to my larger application it did not trigger the login flow, which I suspect is due to the security chain accepting the anonymous user as an authenticated one (I'm guessing here and I probably need to do some more testing and debugging to be sure), but after disabling anonymous by changing to:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class VaadinSecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.oauth2Login();
        http.anonymous().key("anyrandomkeywilldo").disable();  // no anonymous principal, so unauthenticated requests must log in
    }
}
It sends me to the login page (or fetches the already logged in user from aad) and everything seems to work correctly.
Answered By - Jens Møller
Answer Checked By - Mary Flores (JavaFixing Volunteer)
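The check the answer describes, comparing the Spring Security filter chain with and without the Vaadin adapter, can be automated over the TRACE logs. This is an added example, not code from the question or the answer; it assumes the "Invoking <Filter> (<n>/<total>)" lines that FilterChainProxy emits at TRACE level, and the log excerpts are constructed, not real captures.

```python
import re
from typing import List

# Per-filter TRACE line written by FilterChainProxy for every request it secures
# (assumed format, e.g. "Invoking OAuth2AuthorizationRequestRedirectFilter (3/6)").
INVOKE_RE = re.compile(r"Invoking (\w+) \((\d+)/(\d+)\)")


def filter_chain(log_text: str) -> List[str]:
    """Return the ordered filter names of the first complete request in the log."""
    chain: List[str] = []
    for line in log_text.splitlines():
        m = INVOKE_RE.search(line)
        if not m:
            continue
        name, pos, total = m.group(1), int(m.group(2)), int(m.group(3))
        if pos == 1:
            chain = []          # a new request's chain starts here
        chain.append(name)
        if pos == total:
            return chain        # the whole chain for this request has been seen
    return chain


def missing_filters(baseline_log: str, candidate_log: str) -> List[str]:
    """Filters in the baseline chain that are absent from the candidate chain."""
    candidate = set(filter_chain(candidate_log))
    return [f for f in filter_chain(baseline_log) if f not in candidate]


# Constructed excerpt: AAD auto-configuration alone (redirect to login works).
WITHOUT_VAADIN_LOG = """\
TRACE o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/6)
TRACE o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (2/6)
TRACE o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationRequestRedirectFilter (3/6)
TRACE o.s.security.web.FilterChainProxy : Invoking OAuth2LoginAuthenticationFilter (4/6)
TRACE o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (5/6)
TRACE o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (6/6)
"""
# Constructed excerpt: plain VaadinWebSecurityConfigurerAdapter (401, no redirect).
WITH_VAADIN_LOG = """\
TRACE o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/4)
TRACE o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (2/4)
TRACE o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (3/4)
TRACE o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (4/4)
"""

if __name__ == "__main__":
    print("missing with Vaadin adapter:", missing_filters(WITHOUT_VAADIN_LOG, WITH_VAADIN_LOG))
```

Feed it the two real captures taken with the logging levels shown in the answer; the OAuth2 login filters showing up in the result is the symptom that `http.oauth2Login()` fixes.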