[FEATURE REQ] Sign-in for multi tenant and personal accounts and authorized-client to access resource server in my tenant

Query/Question Hello,

I have a single page frontend application and a backend serving it with an active directory configured using the azure starter. It is a multi-tenant application and users from my tenant, external tenants with admin consent and personal Microsoft accounts (live, outlook etc) can sign in.

The configuration looks like this (see tenant-id is set to common to be able to log in to personal Microsoft accounts, the same can be achieved by just omitting this profile.tenant-id property):

  cloud:
    azure:
      active-directory:
        enabled: true
        app-id-uri: api://{my-app-id}
        profile:
          tenant-id: common
        credential:
          client-id: {my-app-id}
          client-secret: {my-app-secret}

Everything work as planned, users from multiple tenants are logging in etc (personal accounts work too).

Now I have another resource server (located in my tenant) that I want to access with my app. Let’s call it API-B. I have got everything configured properly (access to API-B scope from my app registration). Configuration will now look like:

  cloud:
    azure:
      active-directory:
        enabled: true
        app-id-uri: api://{my-app-id}
        profile:
          tenant-id: common
        credential:
          client-id: {my-app-id}
          client-secret: {my-app-secret}
        authorization-clients:
          api-b-client:
            authorization-grant-type: client_credentials
            scopes: api://{api-b-app-id}/.default

But adding an authorization-clients with scope to this API-B will give me:

Specified tenant identifier ‘{api-b-app-id}’ is neither a valid DNS name nor a valid external domain.

When I set profile.tenant-id property with mine tenant value, authorized-client for API-B will start working (also authentication for mine tenant’s users and external tenants), but login for users with personal Microsoft accounts will start failing.

Debugging, I see that AadClientRegistrationRepository will wire up all the clients with https://login.microsoftonline.com/common/oauth2/v2.0/authorize in provider details. And this works fine with personal accounts.

But whenever I define my tenant in my profile, all clients will get https://login.microsoftonline.com/{my-tenant-id}/oauth2/v2.0/authorize value which breaks it for users with personal accounts (due to URI for the token is not correct) while authorized-client named api-b-client works as planned cause to it can find an API-B in the specified {my-tenant-id} tenant.

In a past (before a switch to spring-cloud-azure-starter-active-directory) while we were using raw Spring Security, setting jwk.key-set-uri property to https://login.microsoftonline.com/common/discovery/v2.0/keys was solving this issue for us. Example:

  oauth2:
    resource:
      jwk.key-set-uri: https://login.microsoftonline.com/common/discovery/v2.0/keys
      id: <my-app-reg-id>

Any suggestion on how to achieve it? I want to be able to sign in multi-tenant users and users with personal accounts, while also having authorized-client accessing resource server (another app registration) in my tenant.

Why is this not a Bug or a feature Request? Not sure if it is a bug, or not supported feature, or misconfiguration on my side.

Setup (please complete the following information if applicable):

• OS: Windows 10 x64
• IDE: IntelliJ
• Library/Libraries: [spring-cloud-azure-starter-active-directory:4.3.0

Information Checklist Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

• Query Added
• Setup information Added