
Integrate Hydra Lab test center with Microsoft AAD authentication service

Nathan Bu edited this page Feb 17, 2023 · 2 revisions

General guideline for Spring Boot app auth integration: Secure a Java web app using the Spring Boot Starter for Azure Active Directory.

Scenario: Login account in the browser

  1. Require Microsoft authentication before Hydra Lab pages can be accessed from the browser.
  2. After authentication, redirect the user back to the page originally requested before authentication.

Login Flow

[Figure: Login Flow diagram]

Develop Steps

Step1: Register and configure an application in Azure

  1. Register an application and enter a redirect URL of the form Web - http://localhost:9886/api/auth; this URL will be used later.
  2. Generate a client secret under Certificates & secrets; the secret will be used later.
  3. Configure permissions under API permissions; the permission Microsoft Graph - User.Read is needed.

Step2: Add interceptor in Hydra Lab

  1. Take com.microsoft.devices.network.center.interceptor.BaseInterceptor.java as a reference.
  2. Add the redirect URL from Step1 to the access whitelist.
  3. Verify the user info by checking the request session.
  4. If access is unauthorized, return a response that redirects directly to the Microsoft login page: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&redirect_uri={redirectUri}&response_mode=query&scope=https://graph.microsoft.com/User.Read&state={state}
    • tenant: get it from the application page in Azure: Application - Overview - Directory (tenant) ID
    • clientId: get it from the application page in Azure: Application - Overview - Application (client) ID
    • redirectUri: the redirect URL set in Step1
    • state: this value will be sent back to Hydra Lab later. It can carry the URL the user originally requested.

Step3: Login to Microsoft account in browser

  1. If login succeeds, the Microsoft OAuth platform sends a redirect response to the browser, which then requests the redirect URL from Step1.
  2. The request contains two parameters, code and state:
    • code: generated by the Microsoft OAuth platform. It becomes invalid after its first use.
    • state: the value set in Step2

Step4: Add Auth API in Hydra Lab

  1. Take com.microsoft.devices.network.center.controller.AuthController.java as a reference; the param code is required.
  2. Request an access token by invoking the API https://login.microsoftonline.com/common/oauth2/v2.0/token with the following parameters:
    • client_id: Application - Overview - Application (client) ID
    • code: the code received in Step3
    • redirect_uri: the redirect URL set in Step1
    • grant_type: authorization_code
    • client_secret: the secret generated in Step1
  3. Get the original URL from the request's state param (see Step3).
  4. Put the user info in the session.
  5. Return a response that redirects to the original URL.
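The Step2 to Step4 flow above, as an added example that is not Hydra Lab's own code: it builds the authorize URL, binds state to the session so the callback can be verified (and a replayed callback rejected), restricts the post-login destination carried in state to a same-origin path, and prepares the token request body. Tenant, client ID, secret and session values are constructed placeholders; the session is modelled as a plain dict and the token POST itself is left to the caller's HTTP client.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed placeholders; the real values come from the Azure app registration in Step1.
TENANT = "<tenant-id>"
CLIENT_ID = "<client-id>"
REDIRECT_URI = "http://localhost:9886/api/auth"
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

def safe_return_path(url: str) -> str:
    """Only a same-origin path may be the post-login destination; anything with a
    scheme, host, protocol-relative '//' or backslash falls back to '/'."""
    if not url.startswith("/") or url.startswith("//") or "\\" in url:
        return "/"
    parts = urlsplit(url)
    return "/" if parts.scheme or parts.netloc else url

def build_login_redirect(session: dict, original_url: str) -> str:
    """Step2.4: the authorize URL. state carries a nonce bound to the session plus the
    sanitised original path, so both can be checked when the code comes back."""
    nonce = secrets.token_urlsafe(16)
    session["oauth_state_nonce"] = nonce
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "https://graph.microsoft.com/User.Read",
        "state": f"{nonce}|{safe_return_path(original_url)}",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(session: dict, query: dict) -> tuple[str, str]:
    """Step3/Step4: verify state against the session (one-shot, so a replayed callback
    fails), then return (code, original_path)."""
    nonce, _, path = query.get("state", "").partition("|")
    expected = session.pop("oauth_state_nonce", None)
    if not expected or not hmac.compare_digest(nonce.encode(), expected.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    code = query.get("code", "")
    if not code:
        raise ValueError("authorization code missing from callback")
    return code, safe_return_path(path)

def token_request_body(code: str, client_secret: str) -> dict:
    """Form body POSTed to TOKEN_URL in Step4.2 to exchange the one-time code."""
    return {"client_id": CLIENT_ID, "code": code, "redirect_uri": REDIRECT_URI,
            "grant_type": "authorization_code", "client_secret": client_secret}
```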

Additional

1. How to get the user profile and photo?

  • This is why the permission was configured in Step1.
  • User info can be fetched via the Graph API.
  • Some API permissions need admin approval.
