Secure a Java web app using the Spring Boot Starter for Azure Active Directory JWT token algorithm problem

I’m created java web application using spring boot starter for azure active directory step by step like is described in:https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory

My application with my azure account work fine when i open localhost:8080 it redirects me to azure where I do the login and then I’m redirected back to my app.

Problem is when i try to configure this dummy app with azure AD account from my customer. Here also when i open my app host app redirects me to azure login and after login i got error like in screenshot

and here is my application.properties

azure.activedirectory.tenant-id=placeholder 

azure.activedirectory.client-id=placeholder 
azure.activedirectory.client-secret=placeholder 
azure.activedirectory.object-id=placeholder 


azure.activedirectory.user-group.allowed-groups=group1 
azure.activedirectory.session-stateless=true


security.oauth2.authorization.token-key-access=permitAll() 
spring.thymeleaf.prefix=classpath:/templates/
spring.thymeleaf.suffix=.html
application.baseurl.logout.redirect=https://mydomain:8081/

application.groups.for.displaying=
application.groups.for.filtering=
server.port=8081



server.ssl.enabled=true 
server.ssl.trust-store=/apps/tomcat/conf/trusted.jks 
server.ssl.trust-store-password=mykeys 


server.ssl.key-store=/apps/tomcat/conf/.keystore 
server.ssl.key-store-password=f213495a0be855c4ab190a1f84cc18cd 
server.ssl.key-store-type=JKS

server.ssl.key-alias=key-dev-ui 
server.ssl.key-password=f213495a0be855c4ab190a1f84cc18cd

my configuration:

 @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.cors().and().csrf().disable().authorizeRequests().anyRequest().authenticated().and().oauth2Login().and().csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and().oauth2Client();
    }

Answer

Please check below points:

1. The issue may arise when the issuer value obtained from token is from different endpoint (v2) than expected.Please make sure to use latest version of spring boot api and check the same to be in dependencies.
2. You need to set the redirect URL as http://localhost:8080/login/oauth2/code/azure or http://localhost:8080/login/oauth2/code/ in the portal.You can configure other value according to your app in place of localhost:8080 .This redirect uri must be configured in your application properties.
3. Make sure to expose api and make sure the permissions are also configured and granted admin consent.

. Give default scope (make sure to add the scope in code)or directly give the scopes present in the app (check in app code) such as User.read ,file.read or offline_access and provide delegated permsissions in portal like below(if those are present in code ).

(or)

and grand admin consent

Also see springboot starter dev guide | ms docs and please check references below.

You may provide other configuration details by editing the question if above are not the cases to investigate further.

References:

1. spring-rest-azure-ad-oauth
2. using-spring-security-with-azure-active-directory-mga