Which authentication provider to use when in a java app running behind azure app service easy auth?

[bryanidsts]

I'm trying to call GraphServiceClient from a java web app in an azure app service using easy auth. I can call https://graph.microsoft.com/oidc/userinfo with Bearer [x-ms-token-aad-access-token] and it works fine. I've tried DefaultAzureCredential, OnBehalfOfCredential, and AuthorizationCodeCredention, all just throw the error "Error executing the request". Can someone point me in the right direction? @g2vinay @billwert @alzimmermsft @vhvb1989 @baywet

[baywet]

Did you come across this documentation article?

[vhvb1989]

I am curious about this: String tenantId = System.getenv("WEBSITE_AUTH_OPENID_ISSUER").split("/", 5)[3];
Where are you getting this value from?
Is it the tenantId for the app-registration? It usually doesn't need a split() on it

[bryanidsts]

That header has "https://sts.windows.net/TENANTID/v2.0" so that just gives me the tenantid of the app registration out of it yeah
I do believe I found what I was missing
https://gist.github.com/cgillum/bc465bc86274e07cec61299746b99a42
Azure/azure-sdk-for-js#22937 (comment)

[bryanidsts]

Yeah that didn't help, trying the code examples from those links just returns AADSTS50013: Assertion failed signature validation. [Reason - Key was found, but use of the key to verify the signature failed. I have to figure out how GraphServiceClient actually calls https://graph.microsoft.com/v1.0/me and how to inject my existing token as the bearer.

[bryanidsts]

@baywet looks like you asked for exactly this before :)

[bryanidsts]

@baywet ok I think I'm just going to try to implement my own authorizationprovider so I can inject the x-ms-token-aad-access-token directly into the library...

[billwert]

Hey @bryanidsts, can you enable logging and share what comes out?

[bryanidsts]

So I modified my app service config and set AZURE_LOG_LEVEL to debug
Loaded my website again
So now where do I go for the logs? I tried going in my app service to monitoring > Logs and querying AppServiceConsoleLogs, nothing

[vhvb1989]

Are you using https://graph.microsoft.com/oidc/userinfo -> oidc ?

Have you tried using https://graph.microsoft.com/v1.0/me ? You can see all the endpoints from the graph explorer: https://developer.microsoft.com/en-us/graph/graph-explorer

It will tell you what are the required modify permissions that you need for your app-registration.

Also, when you say GraphServiceClient, are you referring to the msgraph sdk? https://github.com/microsoftgraph/msgraph-sdk-java#23-get-a-graphserviceclient-object ?

[meyerovb]

Yes I got both urls to work, see #34177 (reply in thread)

Yes I’m trying to use that class from that sdk. I just have no idea how to do that with the x-ms-token-aad-access-token header. Which tokencredential type should I be using?

[bryanidsts]

@cgillum I tried your method from here but it just returned AADSTS50013: Assertion failed signature validation. [Reason - Key was found, but use of the key to verify the signature failed. Any feedback on how to actually use the x-ms-token-aad-access-token to call microsoft graph in java?

[meyerovb]

@billwert @baywet @vhvb1989 thank you all so much for your help, it was very nice to have some of the Microsoft team helping me through this headache. I now fully understand what’s going on here and have explained it all in a feature request for the Java graph sdk. Thanks again!

[NBI098]

It sounds like you're having trouble with authentication while using Azure App Service Easy Auth with Microsoft Graph API in your Java app. Since you're able to call the userinfo endpoint with the Bearer token, it seems like the token is valid, but the credentials you're using might not be aligned with the authentication flow for your scenario.

Try using ClientSecretCredential or InteractiveBrowserCredential if you're using a client app with client credentials flow. Alternatively, for on-behalf-of authentication, OnBehalfOfCredential should work, but ensure your app is properly configured with the necessary permissions in Azure AD.

Additionally, ensure that the token you’re using for AuthorizationCodeCredential or other flows has the correct scope and audience. It might also be helpful to check that your x-ms-token-aad-access-token is valid for the specific app context you're trying to access.

For reference, you could try a simple flow with NBI CLEARANCE token validation in your app first to troubleshoot.

[hashamkhalid559]

Hey GitHub community,

With the increasing risks of cyber threats and vulnerabilities, securing web applications is more critical than ever. Whether you're managing a business website, an e-commerce platform, or a client portal, implementing strong security measures can prevent data breaches and unauthorized access.

Key Security Practices:
🔹 Use HTTPS & SSL Certificates – Encrypt data transmission to prevent interception.
🔹 Implement Strong Authentication – Use multi-factor authentication (MFA) for added protection.
🔹 Regular Security Audits – Conduct vulnerability scans and penetration testing.
🔹 Keep Software Updated – Outdated plugins and software are common entry points for attackers.
🔹 Secure Hosting & Backups – Ensure your hosting provider follows best security practices and maintains frequent backups.

For businesses in Australia, especially in Melbourne, having professional security monitoring is essential not just for digital assets but also for physical locations. If you need on-site security solutions, including mobile patrol services and construction site security, our team ensures 24/7 protection for businesses.

Would love to hear how you all handle security best practices in your projects. What tools or frameworks do you rely on for securing web apps? Let’s discuss! 🚀