Security improvements in Spring Cloud Azure AAD

sdk/spring/CHANGELOG.md

@@ -8,6 +8,7 @@ This section includes changes in `spring-cloud-azure-autoconfigure` module.
 #### Bugs Fixed
 
 - Fixed JDBC/Azure Database and Redis passwordless connection scope defaulting using the wrong `azure.scopes` value for Azure China and Azure US Government when `spring.cloud.azure.profile.cloud-type` is set to `azure_china` or `azure_us_government`. The scopes are now correctly derived from the merged cloud type. ([#47096](https://github.com/Azure/azure-sdk-for-java/issues/47096))
+- Hardened AAD token validation defaults in `spring-cloud-azure-autoconfigure`: resource server issuer validation now enforces tenant-aware trusted issuers for single-tenant configurations, and `AadAuthenticationFilter` now enables explicit audience validation by default. [49032](https://github.com/Azure/azure-sdk-for-java/pull/49033)
 
 ### Spring Cloud Azure Stream Binder Service Bus
 This section includes changes in `spring-cloud-azure-stream-binder-servicebus` module.

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/configuration/AadResourceServerConfiguration.java

@@ -8,6 +8,7 @@
 import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadResourceServerProperties;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.AadJwtClaimNames;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadJwtIssuerValidator;
+import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadTrustedIssuerRepository;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.properties.AadAuthorizationServerEndpoints;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
@@ -64,6 +65,7 @@ JwtDecoder jwtDecoder(AadAuthenticationProperties aadAuthenticationProperties) {
     List<OAuth2TokenValidator<Jwt>> createDefaultValidator(AadAuthenticationProperties aadAuthenticationProperties) {
         List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
         List<String> validAudiences = new ArrayList<>();
+        String tenantId = aadAuthenticationProperties.getProfile().getTenantId();
         if (StringUtils.hasText(aadAuthenticationProperties.getAppIdUri())) {
             validAudiences.add(aadAuthenticationProperties.getAppIdUri());
         }
@@ -73,11 +75,21 @@ List<OAuth2TokenValidator<Jwt>> createDefaultValidator(AadAuthenticationProperti
         if (!validAudiences.isEmpty()) {
             validators.add(new JwtClaimValidator<List<String>>(AadJwtClaimNames.AUD, validAudiences::containsAll));
         }
-        validators.add(new AadJwtIssuerValidator());
+        if (isMultiTenantsApplication(tenantId)) {
+            validators.add(new AadJwtIssuerValidator());
+        } else {
+            validators.add(new AadJwtIssuerValidator(new AadTrustedIssuerRepository(tenantId)));
+        }
         validators.add(new JwtTimestampValidator());
         return validators;
     }
 
+    private boolean isMultiTenantsApplication(String tenantId) {
+        return "common".equalsIgnoreCase(tenantId)
+            || "organizations".equalsIgnoreCase(tenantId)
+            || "consumers".equalsIgnoreCase(tenantId);
+    }
+
     @EnableWebSecurity
     @EnableMethodSecurity
     @ConditionalOnDefaultWebSecurity

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/filter/AadAuthenticationFilter.java

@@ -69,7 +69,7 @@ public AadAuthenticationFilter(AadAuthenticationProperties aadAuthenticationProp
                 endpoints,
                 aadAuthenticationProperties,
                 resourceRetriever,
-                false
+                true
             ),
             restTemplateBuilder
         );
@@ -97,7 +97,7 @@ public AadAuthenticationFilter(AadAuthenticationProperties aadAuthenticationProp
                 endpoints,
                 aadAuthenticationProperties,
                 resourceRetriever,
-                false,
+                true,
                 jwkSetCache
             ),
             restTemplateBuilder

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/configuration/AadResourceServerConfigurationTests.java

@@ -4,6 +4,7 @@
 
 import com.azure.identity.extensions.implementation.template.AzureAuthenticationTemplate;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadAuthenticationProperties;
+import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadJwtIssuerValidator;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadResourceServerHttpSecurityConfigurer;
 import com.azure.spring.cloud.autoconfigure.implementation.context.AzureGlobalPropertiesAutoConfiguration;
 import com.nimbusds.jwt.proc.JWTClaimsSetAwareJWSKeySelector;
@@ -94,6 +95,44 @@ void testExistAudienceDefaultValidator() {
             });
     }
 
+    @Test
+    void testSingleTenantUsesTrustedIssuerRepository() {
+        resourceServerContextRunner()
+            .withPropertyValues("spring.cloud.azure.active-directory.enabled=true")
+            .run(context -> {
+                AadAuthenticationProperties properties = context.getBean(AadAuthenticationProperties.class);
+                AadResourceServerConfiguration bean = context.getBean(AadResourceServerConfiguration.class);
+                List<OAuth2TokenValidator<Jwt>> defaultValidator = bean.createDefaultValidator(properties);
+
+                AadJwtIssuerValidator issuerValidator = (AadJwtIssuerValidator) defaultValidator.stream()
+                    .filter(AadJwtIssuerValidator.class::isInstance)
+                    .findFirst()
+                    .orElseThrow(() -> new IllegalStateException("AadJwtIssuerValidator not found"));
+
+                assertThat(ReflectionTestUtils.getField(issuerValidator, "trustedIssuerRepo")).isNotNull();
+            });
+    }
+
+    @Test
+    void testMultiTenantUsesPrefixIssuerValidation() {
+        resourceServerRunner()
+            .withPropertyValues("spring.cloud.azure.active-directory.enabled=true",
+                "spring.cloud.azure.active-directory.profile.tenant-id=common",
+                "spring.cloud.azure.active-directory.app-id-uri=fake-app-id-uri")
+            .run(context -> {
+                AadAuthenticationProperties properties = context.getBean(AadAuthenticationProperties.class);
+                AadResourceServerConfiguration bean = context.getBean(AadResourceServerConfiguration.class);
+                List<OAuth2TokenValidator<Jwt>> defaultValidator = bean.createDefaultValidator(properties);
+
+                AadJwtIssuerValidator issuerValidator = (AadJwtIssuerValidator) defaultValidator.stream()
+                    .filter(AadJwtIssuerValidator.class::isInstance)
+                    .findFirst()
+                    .orElseThrow(() -> new IllegalStateException("AadJwtIssuerValidator not found"));
+
+                assertThat(ReflectionTestUtils.getField(issuerValidator, "trustedIssuerRepo")).isNull();
+            });
+    }
+
     @Test
     void testResourceServerHttpSecurityConfigured() {
         resourceServerContextRunner()

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/filter/AadAuthenticationFilterTests.java

@@ -10,7 +10,9 @@
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.properties.AadAuthorizationServerEndpoints;
 import com.azure.spring.cloud.autoconfigure.implementation.context.AzureGlobalPropertiesAutoConfiguration;
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.jwk.source.JWKSetCache;
 import com.nimbusds.jose.proc.BadJOSEException;
+import com.nimbusds.jose.util.ResourceRetriever;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -38,6 +40,7 @@
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import org.springframework.test.util.ReflectionTestUtils;
 
 class AadAuthenticationFilterTests {
     private static final String TOKEN = "dummy-token";
@@ -146,4 +149,63 @@ void testAlreadyAuthenticated() throws ServletException, IOException, ParseExcep
         verify(userPrincipalManager, times(0)).buildUserPrincipal(TOKEN);
     }
 
+    @Test
+    void testConstructorEnableExplicitAudienceCheck() {
+        AadAuthenticationProperties properties = mock(AadAuthenticationProperties.class);
+        AadCredentialProperties credentialProperties = new AadCredentialProperties();
+        credentialProperties.setClientId("fake-client-id");
+        credentialProperties.setClientSecret("fake-client-secret");
+        when(properties.getCredential()).thenReturn(credentialProperties);
+        AadProfileProperties profileProperties = new AadProfileProperties();
+        profileProperties.setTenantId("fake-tenant-id");
+        when(properties.getProfile()).thenReturn(profileProperties);
+
+        AadAuthorizationServerEndpoints endpoints = mock(AadAuthorizationServerEndpoints.class);
+        when(endpoints.getJwkSetEndpoint()).thenReturn("file://dummy");
+        ResourceRetriever resourceRetriever = url -> null;
+
+        AadAuthenticationFilter testFilter = new AadAuthenticationFilter(
+            properties,
+            endpoints,
+            resourceRetriever,
+            new RestTemplateBuilder()
+        );
+
+        UserPrincipalManager principalManager = (UserPrincipalManager) ReflectionTestUtils.getField(testFilter,
+            "userPrincipalManager");
+        assertThat(principalManager).isNotNull();
+        assertThat(ReflectionTestUtils.getField(principalManager, "explicitAudienceCheck")).isEqualTo(true);
+    }
+
+    @Test
+    @SuppressWarnings("deprecation")
+    void testConstructorWithJwkSetCacheEnableExplicitAudienceCheck() {
+        AadAuthenticationProperties properties = mock(AadAuthenticationProperties.class);
+        AadCredentialProperties credentialProperties = new AadCredentialProperties();
+        credentialProperties.setClientId("fake-client-id");
+        credentialProperties.setClientSecret("fake-client-secret");
+        when(properties.getCredential()).thenReturn(credentialProperties);
+        AadProfileProperties profileProperties = new AadProfileProperties();
+        profileProperties.setTenantId("fake-tenant-id");
+        when(properties.getProfile()).thenReturn(profileProperties);
+
+        AadAuthorizationServerEndpoints endpoints = mock(AadAuthorizationServerEndpoints.class);
+        when(endpoints.getJwkSetEndpoint()).thenReturn("file://dummy");
+        ResourceRetriever resourceRetriever = url -> null;
+        JWKSetCache jwkSetCache = mock(JWKSetCache.class);
+
+        AadAuthenticationFilter testFilter = new AadAuthenticationFilter(
+            properties,
+            endpoints,
+            resourceRetriever,
+            jwkSetCache,
+            new RestTemplateBuilder()
+        );
+
+        UserPrincipalManager principalManager = (UserPrincipalManager) ReflectionTestUtils.getField(testFilter,
+            "userPrincipalManager");
+        assertThat(principalManager).isNotNull();
+        assertThat(ReflectionTestUtils.getField(principalManager, "explicitAudienceCheck")).isEqualTo(true);
+    }
+
 }