
Security improvements in Spring Cloud Azure AAD#49033

Merged
rujche merged 31 commits into main from
rujche/main/fix-issue-in-AadJwtIssuerValidator.trustedIssuerRepoValidIssuer
May 7, 2026

Conversation

@rujche
Member

@rujche rujche commented May 4, 2026

This pull request introduces breaking changes to Azure Active Directory (AAD) resource server configuration in the Spring Cloud Azure autoconfigure module, primarily strengthening security by requiring explicit tenant configuration and enforcing audience validation by default. The changes also update related tests and documentation to reflect these new requirements.

Breaking changes to AAD resource server configuration:

  • The resource server now requires spring.cloud.azure.active-directory.profile.tenant-id to be set to a specific, non-reserved tenant ID. Using empty, common, organizations, or consumers values will cause application startup to fail with an IllegalArgumentException.
  • The AadAuthenticationFilter now enables explicit audience validation by default. JWT tokens must have an aud claim matching either the configured client ID or App ID URI; tokens for other audiences are rejected.

Security improvements:

Documentation and error messaging:

  • The changelog and exception messages are updated to clearly communicate the new requirements and error scenarios.

Test updates:

  • Unit tests and context runners are updated to require an explicit tenant ID in their property values, ensuring test coverage for the new validation logic.

These changes enforce best security practices for OAuth2/OIDC resource servers and prevent misconfiguration or cross-application token acceptance.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
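The three rules the description above spells out (fail fast on an empty or reserved tenant ID, exact-match issuer validation for a single tenant versus the legacy prefix match kept for common/organizations/consumers, and the default-on aud check against the client ID or App ID URI) modelled as one stand-alone Java class. This is an added example, not code from Spring Cloud Azure or from this pull request: the class name, the tid-claim comparison, the exact set of trusted issuer URLs (shaped after Microsoft Entra ID's documented v1 sts.windows.net and v2 login.microsoftonline.com/{tid}/v2.0 issuer formats, public cloud only) and all tenant, client and token values are assumptions, and the "token" is a constructed claim map rather than a decoded, signature-checked JWT.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example modelling the hardened defaults described in the PR; not Spring Cloud Azure code.
public final class AadTokenChecks {

    // Tenant aliases the PR rejects for a resource server.
    private static final Set<String> RESERVED_TENANTS = Set.of("common", "organizations", "consumers");

    // Authority prefixes for the legacy multi-tenant check (assumption: Azure public cloud only).
    private static final List<String> AUTHORITY_PREFIXES =
        List.of("https://login.microsoftonline.com/", "https://sts.windows.net/");

    // The normalization the PR adds: trim, then lower-case with Locale.ROOT.
    public static String normalizeTenantId(String raw) {
        return raw == null ? "" : raw.trim().toLowerCase(Locale.ROOT);
    }

    public static boolean isMultiTenantsApplication(String tenantId) {
        return RESERVED_TENANTS.contains(normalizeTenantId(tenantId));
    }

    // Startup check: a resource server must be pinned to one specific tenant.
    public static String requireSpecificTenant(String configured) {
        String tenantId = normalizeTenantId(configured);
        if (tenantId.isEmpty() || RESERVED_TENANTS.contains(tenantId)) {
            throw new IllegalArgumentException(
                "spring.cloud.azure.active-directory.profile.tenant-id must be a specific tenant ID; "
                + "empty, common, organizations and consumers are not accepted for a resource server");
        }
        return tenantId;
    }

    // Issuers trusted for one tenant. Assumed set; the URL shapes follow the Entra ID v1 and v2 issuer formats.
    public static Set<String> trustedIssuers(String tenantId) {
        String tid = requireSpecificTenant(tenantId);
        return Set.of("https://login.microsoftonline.com/" + tid + "/v2.0",
                      "https://login.microsoftonline.com/" + tid + "/",
                      "https://sts.windows.net/" + tid + "/");
    }

    // Single tenant: exact match against the trusted set, so another tenant's issuer can never pass.
    // The multi-tenant aliases keep the legacy prefix match the PR preserves for them.
    public static boolean issuerAccepted(String iss, String tenantId) {
        if (iss == null) return false;
        if (isMultiTenantsApplication(tenantId)) {
            return AUTHORITY_PREFIXES.stream().anyMatch(iss::startsWith);
        }
        return trustedIssuers(tenantId).contains(iss);
    }

    // Default-on audience check: aud (string or array) must name the client ID or the App ID URI.
    public static boolean audienceAccepted(Object aud, String clientId, String appIdUri) {
        List<String> audiences = new ArrayList<>();
        if (aud instanceof String) {
            audiences.add((String) aud);
        } else if (aud instanceof List) {
            for (Object o : (List<?>) aud) audiences.add(String.valueOf(o));
        }
        return audiences.contains(clientId) || (appIdUri != null && audiences.contains(appIdUri));
    }

    // Combined decision over an already-decoded claim set; signature and expiry checks are out of scope here.
    public static boolean accept(Map<String, Object> claims, String tenantId, String clientId, String appIdUri) {
        String tid = requireSpecificTenant(tenantId);
        boolean issuerOk = issuerAccepted((String) claims.get("iss"), tid);
        boolean tidOk = tid.equals(normalizeTenantId((String) claims.get("tid")));
        boolean audOk = audienceAccepted(claims.get("aud"), clientId, appIdUri);
        return issuerOk && tidOk && audOk;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tenants or applications. The configured tenant ID is
        // deliberately upper-case with stray whitespace to exercise the normalization path.
        String tenant = " 11111111-2222-3333-4444-5555AAAABBBB ";
        String tid = "11111111-2222-3333-4444-5555aaaabbbb";
        String clientId = "00000000-aaaa-bbbb-cccc-dddddddddddd";
        String appIdUri = "api://" + clientId;
        String iss = "https://login.microsoftonline.com/" + tid + "/v2.0";

        Map<String, Object> ownToken = Map.of("iss", iss, "tid", tid, "aud", clientId);
        Map<String, Object> otherTenant = Map.of("iss", iss.replace(tid, "99999999-2222-3333-4444-5555aaaabbbb"),
                                                 "tid", "99999999-2222-3333-4444-5555aaaabbbb", "aud", clientId);
        Map<String, Object> otherApp = Map.of("iss", iss, "tid", tid, "aud", List.of("another-client-id"));

        System.out.println("own tenant, own audience: " + accept(ownToken, tenant, clientId, appIdUri));
        System.out.println("other tenant:             " + accept(otherTenant, tenant, clientId, appIdUri));
        System.out.println("other application:        " + accept(otherApp, tenant, clientId, appIdUri));
        try {
            requireSpecificTenant("common");
        } catch (IllegalArgumentException e) {
            System.out.println("startup rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java AadTokenChecks.java` (Java 11 or later). The second and third tokens are rejected even though both come from a genuine Microsoft authority: the first carries another tenant's issuer and tid, the second is minted for a different application. Under a prefix-only issuer check and a disabled audience check both would have been accepted, which is exactly the cross-application token acceptance the PR description says the change prevents.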

Copilot AI review requested due to automatic review settings May 4, 2026 04:39
@rujche rujche requested review from a team, Netyyyy, moarychan and saragluna as code owners May 4, 2026 04:39
@rujche rujche self-assigned this May 4, 2026
@rujche rujche added the labels azure-spring (All azure-spring related issues) and azure-spring-aad (Spring active directory related issues) May 4, 2026
@rujche rujche moved this from Todo to In Progress in Spring Cloud Azure May 4, 2026
@rujche rujche added this to the 2026-06 milestone May 4, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR tightens default AAD JWT validation behavior in spring-cloud-azure-autoconfigure by enforcing tenant-aware issuer validation for single-tenant resource servers and enabling explicit audience validation by default in AadAuthenticationFilter.

Changes:

  • Wire AadResourceServerConfiguration issuer validation to use AadTrustedIssuerRepository for single-tenant tenant IDs while preserving legacy prefix-based issuer validation for common/organizations/consumers.
  • Change AadAuthenticationFilter default constructors to enable explicit audience checking by default.
  • Add/update tests covering the new default behaviors.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:

  • sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/filter/AadAuthenticationFilter.java: Switch constructor defaults to enable explicit audience validation.
  • sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/configuration/AadResourceServerConfiguration.java: Use trusted-issuer exact matching for single-tenant issuer validation; keep multi-tenant legacy behavior.
  • sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/filter/AadAuthenticationFilterTests.java: Add tests validating constructor defaults for explicit audience checking.
  • sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/configuration/AadResourceServerConfigurationTests.java: Add tests validating single-tenant vs multi-tenant issuer validator wiring.
  • sdk/spring/CHANGELOG.md: Document the hardened defaults in changelog.

Comment thread on sdk/spring/CHANGELOG.md (outdated)
@rujche
Member Author

rujche commented May 4, 2026

@copilot apply changes based on the comments in this thread

…pplication, fix changelog link

Agent-Logs-Url: https://github.com/Azure/azure-sdk-for-java/sessions/ac6fd8b6-366e-4630-bcaf-fee4ad6e62c3

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
Contributor

Copilot AI commented May 4, 2026

@copilot apply changes based on the comments in this thread

Applied all three changes from the review thread in commit 3d2b4b46:

  1. Import ordering (AadAuthenticationFilterTests.java): Moved ReflectionTestUtils import before the static imports block.
  2. Centralized isMultiTenantsApplication (AadAuthenticationProperties): Changed the method to public static so it can be shared, and updated AadResourceServerConfiguration to call AadAuthenticationProperties.isMultiTenantsApplication(tenantId) — removing the duplicate private method.
  3. CHANGELOG link (CHANGELOG.md): Fixed the label from [49032] to ([#49033](...)) to match the standard format.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

@rujche
Member Author

rujche commented May 6, 2026

Ignore the test failure about java - spring - ci (Build Test ubuntu2404_121_NotFromSource_TestsOnly), it's a known issue: #48622

Copilot finished work on behalf of rujche May 6, 2026 01:32
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

@rujche
Member Author

rujche commented May 7, 2026

@copilot apply changes based on the comments in this thread

@rujche
Member Author

rujche commented May 7, 2026

@copilot apply changes based on the comments in this thread

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

@rujche
Member Author

rujche commented May 7, 2026

@copilot apply changes based on the comments in this thread

@rujche
Member Author

rujche commented May 7, 2026

@copilot apply changes based on the comments in this thread

…ion; add uppercase GUID test

Agent-Logs-Url: https://github.com/Azure/azure-sdk-for-java/sessions/065745e5-0b86-4d87-a559-fae10571fc21

Co-authored-by: rujche <171773178+rujche@users.noreply.github.com>
Contributor

Copilot AI commented May 7, 2026

@copilot apply changes based on the comments in this thread

Fixed in commit 6822bf79. getTrimmedTenantId() now applies .toLowerCase(Locale.ROOT) after .trim(), so an uppercase GUID in configuration is normalized before being used in the tid claim validator and AadTrustedIssuerRepository. A new test testValidateTenantIdNormalizesUppercaseGuid covers the uppercase GUID path.

Contributor

Copilot AI commented May 7, 2026

@copilot apply changes based on the comments in this thread

Fixed in commit 6822bf79c. getTrimmedTenantId() now applies .toLowerCase(Locale.ROOT) after .trim(), normalizing the configured tenant ID before it is used in the tid claim validator and AadTrustedIssuerRepository. A new test testValidateTenantIdNormalizesUppercaseGuid verifies that an uppercase GUID in configuration is normalized and accepted.

@copilot apply changes based on the comments in this thread

Fixed in commit 6822bf79c. getTrimmedTenantId() now applies .toLowerCase(Locale.ROOT) after .trim(), normalizing the configured tenant ID before it is used in the tid claim validator and AadTrustedIssuerRepository. A new test testValidateTenantIdNormalizesUppercaseGuid verifies that an uppercase GUID in configuration is normalized and accepted.

@copilot apply changes based on the comments in this thread

These changes were already applied in commit 6822bf79. getTrimmedTenantId() now normalizes via trim().toLowerCase(Locale.ROOT), and testValidateTenantIdNormalizesUppercaseGuid covers the uppercase GUID path.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

@rujche rujche changed the title Security: Enforce tenant-aware issuer validation and enable audience check by default for AAD authentication Security improvements in Spring Cloud Azure AAD May 7, 2026

Labels: azure-spring (All azure-spring related issues), azure-spring-aad (Spring active directory related issues)

Project status: Done


4 participants