
azure-samples / active-directory-java-webapp-openidconnect


A server app that uses Azure AD and the ADAL4J library for authenticating the user and calling a web API using OAuth 2.0 access tokens.

Java 84.05% PowerShell 15.95%

active-directory-java-webapp-openidconnect's Introduction

Integrating Azure AD into a Java web application

There's a newer version of this sample taking advantage of the Microsoft identity platform (formerly Azure AD v2.0)

Check it out: https://github.com/Azure-Samples/ms-identity-java-webapp

If you really need to access this Azure AD v1.0 sample, you can navigate to the master branch, but please know that it is no longer supported.

active-directory-java-webapp-openidconnect's People

Contributors: acomsmpbot, aprilspeight, brandwe, gsacavdm, jmprieur, navyasric, pataltimore, sangonzal, somkape, supernova-eng

active-directory-java-webapp-openidconnect's Issues

Basic Filter Error in Java 1.8.0_91

Compilation error on lines 125 and 126 of BasicFilter.java, without making any changes to the rest of the code:

Line 125 for (String key : httpRequest.getParameterMap().keySet()) {
Error Type mismatch: cannot convert from element type Object to String

Line 126 params.put(key, httpRequest.getParameterMap().get(key)[0]);
Error The type of the expression must be an array type but it resolved to Object
}

Can you please look into the above?

AADSTS50011: The reply address does not match the reply addresses configured for the application

Hi,

I followed all the steps. When I click "Show users in the tenant", I log in with the correct username/password, but get the following error:

AADSTS50011: The reply address 'http://40.125.214.109:8080/adal4jsample/secure/aad' does not match the reply addresses configured for the application: 'e7600f19-2ec1-43c3-ad45-18bce3371553'. More details: not specified.

I set the "Reply URLs" in Azure portal, as "http://40.125.214.109:8080/adal4jsample/".

Any hints?
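An added example (not code from the sample or from the poster) of the comparison behind an AADSTS50011 error: the reply address in the request is matched component by component against the registered reply URLs, so a registered 'http://40.125.214.109:8080/adal4jsample/' does not cover '.../adal4jsample/secure/aad', and the value shown in the error message is the one that has to be registered. The two URLs are copied from the error above; the matching rules used here (case-insensitive scheme and host, default ports filled in, byte-exact path and query, no fragment) are my reading of exact-match redirect URI validation and an assumption, not Azure AD's code.

```python
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Values copied from the AADSTS50011 error message in the post above.
REGISTERED_REPLY_URLS = ["http://40.125.214.109:8080/adal4jsample/"]
REQUESTED_REDIRECT_URI = "http://40.125.214.109:8080/adal4jsample/secure/aad"

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(uri: str) -> Tuple[str, str, int, str, str]:
    """Split a redirect URI into the parts an authorization server compares.

    Scheme and host are case-insensitive, so they are lower-cased and a
    missing port is filled in from the scheme; path and query are kept
    byte-for-byte. A fragment is never allowed in a redirect URI.
    """
    parts = urlsplit(uri)
    if parts.fragment:
        raise ValueError("redirect URI must not contain a fragment: %r" % uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, 0)
    return (scheme, host, port, parts.path, parts.query)


def redirect_uri_allowed(requested: str, registered: Iterable[str]) -> bool:
    """True only if the requested redirect_uri exactly equals a registered one.

    Prefix or substring matching is rejected on purpose: if any path under
    the registered URL were accepted, an attacker who controls a page on
    that host could have the authorization code delivered to it.
    """
    target = normalize(requested)
    return any(normalize(r) == target for r in registered)


def mismatched_components(requested: str, registered: str) -> List[str]:
    """Name the components that differ, for debugging an AADSTS50011 error."""
    names = ("scheme", "host", "port", "path", "query")
    pairs = zip(names, normalize(requested), normalize(registered))
    return [name for name, a, b in pairs if a != b]


if __name__ == "__main__":
    print(redirect_uri_allowed(REQUESTED_REDIRECT_URI, REGISTERED_REPLY_URLS))  # False
    print(mismatched_components(REQUESTED_REDIRECT_URI, REGISTERED_REPLY_URLS[0]))  # ['path']
```

Run as-is it reports that only the path differs, which is the situation in the post: the sample's filter sends the browser back to /secure/aad, so that full URL, not the application root, is what the registration must contain.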

Section 3 out of date

The app registration section will be out of date once App registrations (Legacy) is no longer usable. Can the walk-through be updated to use the new App registrations functionality?

Redirect has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header

I am working on Azure AD interactive login from my webapp. When a user logs in to my site he is redirected to the Azure login page, authenticated and returned to my site. This process involves a request to login.windows.net which redirects my browser to login.microsoftonline.com (which does the authentication). However, I am getting a CORS issue which states that the redirect to login.microsoftonline.com has been blocked due to no "Access-Control-Allow-Origin" header from the requested source. I know it is possible to add this header when the requested resource is in my webapp, but in this case it's not. My question is: if login.microsoftonline.com doesn't return the header which causes this, how can I handle this issue from my webapp? Below is the error on my browser console.

XMLHttpRequest cannot load https://login.windows.net/<tenant_name>/oauth2/authorize?…......-4129-adea- ccdcbdeaa80e&nonce=c962fb8a-3c8c-4dec-9fbc-4f2fb8fcfde1.
Redirect from 'https://login.windows.net/<tenant_name>/oauth2/authorize?…......-4129-adea-ccdcbdeaa80e&nonce=c962fb8a-3c8c-4dec-9fbc-4f2fb8fcfde1'
to 'https://login.microsoftonline.com/<tenant_name>/oauth2/au….......-4129-adea-ccdcbdeaa80e&nonce=c962fb8a-3c8c-4dec-9fbc-4f2fb8fcfde1'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://my_host' is therefore not allowed access.

Login request.

With this set up, I think the login request should originate from one specific URL. Any other URL will fail. The URL should be the one set in the Azure admin panel.

Weblogic server

Hi

I would like to test the app in Weblogic server; however, I'm getting an exception:
com.nimbusds.jwt.JWT.getJWTClaimsSet()Lcom/nimbusds/jwt/ReadOnlyJWTClaimsSet;

I'm able to deploy the war successfully, click on Show users in the tenant, write my credentials and submit them. After that, the exception above is shown.

Any idea?

Failed to validate data received from Authorization service - could not validate state

This sample fails to compile with JDK12

/C:/src/active-directory-java-webapp-openidconnect/src/main/java/com/microsoft/aad/adal4jsample/User.java:[30,33] package javax.xml.bind.annotation does not exist
[ERROR] /C:/src/active-directory-java-webapp-openidconnect/src/main/java/com/microsoft/aad/adal4jsample/User.java:[38,2] cannot find symbol
symbol: class XmlRootElement

403 Error on URL https://graph.microsoft.com/v1.0/users

When I click "Show users in the tenant" and log in, I still get a 403 error: java.io.IOException: Server returned HTTP response code: 403 for URL: https://graph.microsoft.com/v1.0/users.

I think I've done everything from the instructions. In the portal, API permissions, I added Microsoft Graph Application permission for Directory.Read.All, and Granted admin consent for Default Directory so there's a green checkbox.

If I go to the owners page, I am the app owner, and I have role Global Administrator in my tenant.

The few things I'm not sure about: in web.xml, where we enter the tenant, the tenant can't possibly be the crazy Directory (tenant) ID which looks like a client ID or client secret, but the tenant is instead a value likely ending in onmicrosoft.com?

Also, I don't have a place for a sign-on URL or App ID URI in Azure...not sure if this is playing a role.

In the Authentication Tab of the App registration, I don't need any implicit grant selection (Access tokens or ID tokens), and under Default client type, I should NOT treat application as a public client (since this is required where a redirect URI is not used)?

Any other ideas?

Thanks so much,
Sam

Where do I get the secret_key?

I went to AD > applications > myApp and generated a 1 year key. But when I put this in my web.xml I get 403 errors in the sample app. Is this not the key I am looking for?

Getting 401 error

When I am trying to use acquireToken() I am getting a 401 error. I have registered the app service in Active Directory properly.

Friends, please give me guidance.

authenticate against on-premise OIDC server

Can this library be used to authenticate against an on-prem OIDC server?

Currently, when we use this library, this is the flow that is followed.

  1. User hits www.myapp.com
  2. Since the user is not authenticated, they will be redirected to the Microsoft login page <>
  3. User enters their email ID and is redirected to the on-prem OIDC endpoint (Azure AD is configured this way): oidc-prod.mycorp.com
  4. User enters username and password, gets authenticated, and is redirected back to myapp.

We would like to skip step 2 and directly redirect to the on-prem OIDC server (apps can access this endpoint).

App is hosted in azure AKS.

Token Endpoint no longer adhering to the specification for client_secret_basic auth method

Note: this issue does not relate directly to this sample, but I was asked in the Azure forum to head here, select the sample that best matched my implementation (which would be this one) and report an issue on it.

Background
I work with a Java based product that has support for authenticating users using OpenID Connect. It's a general OIDC implementation and not something AAD specific, and therefore does not use the ADAL4J library. The integration works well with a lot of providers, and had been working well with AAD as well until just a few days ago, when the Token Endpoint started returning 401s.

Summary
It turns out that the AAD Token Endpoint no longer expects the client ID and the client secret to be application/x-www-form-urlencoded before being used as username and password when using the client_secret_basic authentication method.

Expected behavior:
That client_secret_basic authentication (which is listed among the supported token endpoint authentication methods in the discovery document) works according to the above.

Actual behavior:
AAD expects non-URL encoded client ID and client secret to be used as username and password when using the client_secret_basic authentication method.

Justification

  • The OIDC specification states that Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 RFC6749 using the HTTP Basic authentication scheme.
  • Section 2.3.1 of RFC 6749 states that The client identifier is encoded using the "application/x-www-form-urlencoded" encoding algorithm per Appendix B, and the encoded value is used as the username; the client password is encoded using the same algorithm and used as the password.
  • Appendix B of RFC 6749 states that names and values MUST be encoded using the UTF-8 character encoding scheme RFC3629 first; the resulting octet sequence then needs to be further encoded using the escaping rules defined in W3C.REC-html401-19991224.

Note that the current behavior of our application has been working with AAD for a few years, and still works against other providers such as Google.

Our application also supports client_secret_form (which seems to be the method used by the ADAL4J library) but it will not use it without manual configuration in this case since the client_secret_basic method is listed as supported.
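An added example (not code from the poster's product, from ADAL4J or from AAD) showing the two constructions the post contrasts: the RFC 6749 section 2.3.1 form of client_secret_basic, where client_id and client_secret are application/x-www-form-urlencoded before being joined as username:password and Base64-encoded, and the raw-value form the post reports the AAD token endpoint now expecting. The client ID and secret are constructed sample values, not real credentials; the secret deliberately contains '/', '+' and '=' so the two forms differ, which is exactly when a conformant client and a raw-value server disagree and the request fails with 401.

```python
import base64
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus


def form_encode(value: str) -> str:
    """application/x-www-form-urlencoded per RFC 6749 Appendix B: UTF-8 first,
    then escape everything except unreserved characters (a space becomes '+')."""
    return quote_plus(value, safe="", encoding="utf-8")


def client_secret_basic_header(client_id: str, client_secret: str, encode: bool = True) -> str:
    """Build the Authorization header for the client_secret_basic method.

    encode=True is the RFC 6749 section 2.3.1 construction: form-encode the
    client_id and client_secret, join them as username:password, Base64.
    encode=False uses the raw values, which is what the post reports the
    AAD token endpoint now expecting.
    """
    if encode:
        user, pwd = form_encode(client_id), form_encode(client_secret)
    else:
        user, pwd = client_id, client_secret
    if ":" in user:
        raise ValueError("username may not contain ':' in HTTP Basic credentials")
    credentials = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return "Basic " + credentials


def parse_client_secret_basic(header: str, decode: bool = True) -> Tuple[str, str]:
    """Server side: recover (client_id, client_secret) from the header.

    decode=True undoes the form-encoding (an RFC-conformant server);
    decode=False takes the values literally (the behaviour described in the post).
    """
    scheme, _, credentials = header.partition(" ")
    if scheme != "Basic" or not credentials:
        raise ValueError("not an HTTP Basic Authorization header")
    user, sep, pwd = base64.b64decode(credentials).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credentials are not of the form username:password")
    return (unquote_plus(user), unquote_plus(pwd)) if decode else (user, pwd)


def secret_is_encoding_sensitive(client_secret: str) -> bool:
    """True when form-encoding changes the secret, i.e. when a conformant
    client and a raw-value server will see different passwords."""
    return form_encode(client_secret) != client_secret


# Constructed sample credentials (not real). Hyphens and digits are unreserved,
# so the client_id is unaffected; the secret is not.
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SECRET = "s3cr3t/with+special=chars"

if __name__ == "__main__":
    rfc_header = client_secret_basic_header(SAMPLE_CLIENT_ID, SAMPLE_SECRET, encode=True)
    raw_header = client_secret_basic_header(SAMPLE_CLIENT_ID, SAMPLE_SECRET, encode=False)
    print(rfc_header != raw_header)                               # True
    print(parse_client_secret_basic(rfc_header, decode=False)[1])  # s3cr3t%2Fwith%2Bspecial%3Dchars
```

The last line is the failure mode from the post seen from the server's side: a raw-value server reads the conformant client's escaped secret literally and the comparison fails. The reverse also breaks (a conformant server decoding a raw secret turns '+' into a space), so the two sides have to agree on the encoding, and a secret made only of unreserved characters is the only case where it does not matter.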

AuthenticationContext should provide the function to set the proxy credential ?

There are many proxy settings in our product; Azure cloud is one of them. adal4j should provide a function to set the proxy credential rather than use the properties in the JVM. The AWS SDK and vCloud SDK have a similar function to set the proxy credential.

If not, could you please provide a workaround for us?

Thanks

Error while authenticating a user with the code.

I am running the exact code provided here. I have only changed the attributes in web.xml. When I am logged in as a user and click the "Show users in tenant" button, I get the following error in the web browser. I have granted the Read Directory Data permission to my app that is registered in Azure.

AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

MFA error

Hi
I ran this sample and got this error

Exception in thread "main" java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50079: The user is required to use multi-factor authentication.\r\nTrace ID: e64a62a5-d785-495c-80bf-f08ecf5c0d00\r\nCorrelation ID: 0a47406b-0f6e-4fd8-a531-cbe6c15a729e\r\nTimestamp: 2018-12-13 01:03:36Z","error":"interaction_required"}
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at PublicClient.getAccessTokenFromUserCredentials(PublicClient.java:49)
at PublicClient.main(PublicClient.java:30)
Caused by: com.microsoft.aad.adal4j.AdalClaimsChallengeException: {"error_description":"AADSTS50079: The user is required to use multi-factor authentication.\r\nTrace ID: e64a62a5-d785-495c-80bf-f08ecf5c0d00\r\nCorrelation ID: 0a47406b-0f6e-4fd8-a531-cbe6c15a729e\r\nTimestamp: 2018-12-13 01:03:36Z","error":"interaction_required"}
at com.microsoft.aad.adal4j.AdalTokenRequest.executeOAuthRequestAndProcessResponse(AdalTokenRequest.java:116)
at com.microsoft.aad.adal4j.AuthenticationContext.acquireTokenCommon(AuthenticationContext.java:968)
at com.microsoft.aad.adal4j.AuthenticationContext.access$100(AuthenticationContext.java:69)
at com.microsoft.aad.adal4j.AuthenticationContext$1.call(AuthenticationContext.java:179)
at com.microsoft.aad.adal4j.AuthenticationContext$1.call(AuthenticationContext.java:168)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

I am not sure if any other configuration is needed in the code. Also, the AAD settings in my portal don't allow me to add a new user account. Do I have to open a request for that, or is there a test account that could be used?

Wrong or outdated info in README

There is wrong or outdated info in README file:
Step 3 -> Register the app (Webapp-Openidconnect) -> 10th point:

Then, click on Select Permissions and select Directory.Read.All.

I can't find such a thing as Directory.Read.All; there are a lot of checkboxes. I've checked them all and the demo works fine, but maybe I should have checked only one permission that has been renamed now?

not able to run the application getting exception

I have run the application and am able to go to the home page, but on clicking "show users" I get an exception.

As I debugged it, the method it complains about is there in the jar and the jar is in the build path, but it still throws a method not found error.

Need to Force Admin Consent before it works

There is an extra step missing in the instructions.

Read Directory requires admin consent before it can talk to the Graph API.
You will get a 403 Forbidden error.

To force an admin consent you need to do something like this:
https://login.microsoftonline.com/nicksdemodir.onmicrosoft.com/oauth2/authorize?client_id=40dba662-4c53-4154-a5cf-976473306060&response_type=code&redirect_uri=sample://callback&nonce=1234&resource=https://graph.windows.net&prompt=admin_consent

  1. Make sure you are logged out of your browser.
  2. Go to the authenticate URL and try to log in.
  3. This will show the login screen with the login URL.
  4. Add "&prompt=admin_consent" to the end of the URL and reload.
  5. Accept the consent and you are good to go.

This will force you to consent to the app talking to the Graph API.
Then it will work for everyone.
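An added example (not code from the sample or from the poster) that builds the admin-consent authorize request from the post above, the same request the AADSTS90093 and 403 reports earlier on this page need an administrator to complete, and then checks the callback. The tenant, client_id, redirect_uri and resource are copied from the poster's URL and are placeholders, not a live registration. Two things differ from the pasted URL and are my own additions: the nonce is generated fresh per request instead of the fixed 1234 (the nonce only does its job if it is unpredictable), and a state value is added and verified on the way back, which is what a "could not validate state" failure is about.

```python
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit

# Values copied from the URL in the post above; the client_id and tenant are
# the poster's placeholders, not a live registration.
TENANT = "nicksdemodir.onmicrosoft.com"
CLIENT_ID = "40dba662-4c53-4154-a5cf-976473306060"
REDIRECT_URI = "sample://callback"
RESOURCE = "https://graph.windows.net"


def new_request_values() -> Dict[str, str]:
    """Fresh, unpredictable state and nonce for one authorization request.

    state ties the callback to the browser session that started the request
    (CSRF protection); nonce is echoed in the ID token and must be checked
    there as well. Both must be stored server-side until the callback arrives.
    """
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def build_admin_consent_url(tenant: str, client_id: str, redirect_uri: str,
                            resource: str, state: str, nonce: str) -> str:
    """Azure AD v1 authorize request with prompt=admin_consent, so that a
    directory administrator grants the app's application permissions for
    the whole tenant (a plain user sign-in cannot do that)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "prompt": "admin_consent",
        "state": state,
        "nonce": nonce,
    }
    return "https://login.microsoftonline.com/%s/oauth2/authorize?%s" % (tenant, urlencode(params))


def validate_callback(callback_url: str, expected_state: str, redirect_uri: str) -> Dict[str, str]:
    """Check the redirect back from the authorization server.

    The callback must arrive at the registered redirect_uri, carry exactly
    the state issued for this session (compared in constant time), and hold
    either an authorization code or an error. Anything else is rejected.
    """
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() != redirect_uri:
        raise ValueError("callback arrived at an unregistered redirect_uri")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not secrets.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("could not validate state")
    if "error" in query:
        return {"error": query["error"], "error_description": query.get("error_description", "")}
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return {"code": query["code"]}


def callback_rejected(callback_url: str, expected_state: str, redirect_uri: str) -> bool:
    """Convenience wrapper: True if validate_callback refuses the callback."""
    try:
        validate_callback(callback_url, expected_state, redirect_uri)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    values = new_request_values()
    print(build_admin_consent_url(TENANT, CLIENT_ID, REDIRECT_URI, RESOURCE, values["state"], values["nonce"]))
```

The authorization code is only exchanged for tokens after validate_callback succeeds; a callback with a missing or different state is dropped without touching the code, which is what stops an attacker from tricking a user into completing a flow they did not start.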
