add scopes for graph and office client in test and sample (#18332)

Azure · Dec 25, 2020 · 45f182f · 45f182f
1 parent 93194df
commit 45f182f
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 98 deletions.
diff --git a/...-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md b/...-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md
@@ -19,16 +19,16 @@ Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develo
 - Ensure **Access tokens** and **ID tokens** are selected.
 - To use on-demand authorization of certain resource, you need to add redirect URIs of `http://localhost:8080/login/oauth2/code/{registration-id}`. In this sample, set redirect URIs with `http://localhost:8080/login/oauth2/code/arm`.
 ### Configure necessary API permissions
-The sample retrieves user's group memberships using Microsoft graph API which requires the registered app to have `Directory.AccessAsUser.All` permission under `Delegated Permissions` of `Microsoft Graph`, which can allow an application to access the directory as the signed-in user. Also, to display the function of calling multiple resources, this sample will acquire `ActivityFeed.Read` permission under `Office 365 Management APIs` resource. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission. You can follow the below steps:	
+The sample retrieves user's group memberships using Microsoft graph API which requires the registered app to have `Directory.AccessAsUser.All`, `User.Read` permission under `Delegated Permissions` of `Microsoft Graph`, which can allow an application to access the directory as the signed-in user. Also, to display the function of calling multiple resources, this sample will acquire `ActivityFeed.Read`, `ActivityFeed.ReadDlp`, `ServiceHealth.Read` permission under `Office 365 Management APIs` resource. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission. You can follow the below steps:	
 
 * In the list of pages for the app, select **API permissions**	
    - Click the **Add a permission** button	
    - Ensure that the **Microsoft APIs** tab is selected	
    - In the *Commonly used Microsoft APIs* section, click on **Microsoft Graph**	
-   - In the **Delegated permissions** section, ensure that the right permissions are checked: **Directory.AccessAsUser.All**	
+   - In the **Delegated permissions** section, ensure that the right permissions are checked: **Directory.AccessAsUser.All**, **User.Read**
    - Select the **Add permissions** button
    - Under **Office 365 Management APIs** tab
-   - Select **Delegated permissions**, and then click **ActivityFeed.Read**
+   - Select **Delegated permissions**, and then click **ActivityFeed.Read**, **ActivityFeed.ReadDlp**, **ServiceHealth.Read**
    - Select the **Add permissions** button
    - Click **Grant Permissions...** and Yes when prompted.
 
@@ -83,4 +83,4 @@ In Azure portal, app registration manifest page, configure `oauth2AllowImplicitF
 ## Next steps
 ## Contributing
 <!-- LINKS -->
-[ready-to-run-checklist]: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/README.md#ready-to-run-checklist
+[ready-to-run-checklist]: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/README.md#ready-to-run-checklist
diff --git a/...mples/azure-spring-boot-sample-active-directory-webapp/src/main/resources/application.yml b/...mples/azure-spring-boot-sample-active-directory-webapp/src/main/resources/application.yml
@@ -5,9 +5,14 @@ azure:
         on-demand: true
         scopes: https://management.core.windows.net/user_impersonation
       graph:
-        scopes: https://graph.microsoft.com/Calendars.Read
+        scopes:
+            - https://graph.microsoft.com/User.Read
+            - https://graph.microsoft.com/Directory.AccessAsUser.All
       office:
-        scopes: https://manage.office.com/ActivityFeed.Read
+        scopes:
+            - https://manage.office.com/ActivityFeed.Read
+            - https://manage.office.com/ActivityFeed.ReadDlp
+            - https://manage.office.com/ServiceHealth.Read
     client-id: <client-id>
     client-secret: <client-secret>
     tenant-id: <tenant-id>

diff --git a/...-spring-boot-test-aad/src/test/java/com/azure/test/aad/selenium/RefreshTokenScopesIT.java b/...-spring-boot-test-aad/src/test/java/com/azure/test/aad/selenium/RefreshTokenScopesIT.java
diff --git a/...-aad/src/test/java/com/azure/test/aad/selenium/accessTokenScopes/AccessTokenScopesIT.java b/...-aad/src/test/java/com/azure/test/aad/selenium/accessTokenScopes/AccessTokenScopesIT.java
@@ -0,0 +1,92 @@
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.test.aad.selenium.accessTokenScopes;
+
+import com.azure.test.aad.selenium.SeleniumTestUtils;
+import com.azure.test.utils.AppRunner;
+import org.junit.Assert;
+import org.junit.Test;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.*;
+
+public class AccessTokenScopesIT {
+
+    @Test
+    public void testAccessTokenScopes() {
+        try (AppRunner app = new AppRunner(DumbApp.class)) {
+            SeleniumTestUtils.addProperty(app);
+            app.property("azure.activedirectory.authorization.office.scopes", "https://manage.office.com/ActivityFeed.Read , https://manage.office.com/ActivityFeed.ReadDlp , https://manage.office.com/ServiceHealth.Read");
+            app.property("azure.activedirectory.authorization.graph.scopes", "https://graph.microsoft.com/User.Read , https://graph.microsoft.com/Directory.AccessAsUser.All");
+            List<String> endPoints = new ArrayList<>();
+            endPoints.add("accessTokenScopes/azure");
+            endPoints.add("accessTokenScopes/office");
+            endPoints.add("accessTokenScopes/graph");
+            endPoints.add("accessTokenScopes/arm");
+            Map<String, String> result = SeleniumTestUtils.get(app, endPoints);
+
+            Assert.assertFalse(result.get("accessTokenScopes/office").contains("profile"));
+            Assert.assertTrue(result.get("accessTokenScopes/office").contains("https://manage.office.com/ActivityFeed.Read"));
+            Assert.assertTrue(result.get("accessTokenScopes/office").contains("https://manage.office.com/ActivityFeed.ReadDlp"));
+            Assert.assertTrue(result.get("accessTokenScopes/office").contains("https://manage.office.com/ServiceHealth.Read"));
+
+            Assert.assertTrue(result.get("accessTokenScopes/azure").contains("profile"));
+            Assert.assertTrue(result.get("accessTokenScopes/azure").contains("https://graph.microsoft.com/Directory.AccessAsUser.All"));
+            Assert.assertTrue(result.get("accessTokenScopes/azure").contains("https://graph.microsoft.com/User.Read"));
+
+            Assert.assertTrue(result.get("accessTokenScopes/graph").contains("profile"));
+            Assert.assertTrue(result.get("accessTokenScopes/graph").contains("https://graph.microsoft.com/Directory.AccessAsUser.All"));
+            Assert.assertTrue(result.get("accessTokenScopes/graph").contains("https://graph.microsoft.com/User.Read"));
+
+            Assert.assertNotEquals("error", result.get("api/arm"));
+        }
+    }
+
+    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
+    @SpringBootApplication
+    @RestController
+    public static class DumbApp {
+
+        @GetMapping(value = "accessTokenScopes/office")
+        public Set<String> office(
+            @RegisteredOAuth2AuthorizedClient("office") OAuth2AuthorizedClient authorizedClient) {
+            return Optional.of(authorizedClient)
+                .map(OAuth2AuthorizedClient::getAccessToken)
+                .map(OAuth2AccessToken::getScopes)
+                .orElse(null);
+        }
+
+        @GetMapping(value = "accessTokenScopes/azure")
+        public Set<String> azure(
+            @RegisteredOAuth2AuthorizedClient("azure") OAuth2AuthorizedClient authorizedClient) {
+            return Optional.of(authorizedClient)
+                .map(OAuth2AuthorizedClient::getAccessToken)
+                .map(OAuth2AccessToken::getScopes)
+                .orElse(null);
+        }
+
+        @GetMapping(value = "accessTokenScopes/graph")
+        public Set<String> graph(
+            @RegisteredOAuth2AuthorizedClient("graph") OAuth2AuthorizedClient authorizedClient) {
+            return Optional.of(authorizedClient)
+                .map(OAuth2AuthorizedClient::getAccessToken)
+                .map(OAuth2AccessToken::getScopes)
+                .orElse(null);
+        }
+
+        @GetMapping(value = "accessTokenScopes/arm")
+        public String arm(
+            @RegisteredOAuth2AuthorizedClient("arm") OAuth2AuthorizedClient authorizedClient) {
+            return "error";
+        }
+    }
+
+}
diff --git a/...m/azure/test/aad/selenium/AADLoginIT.java → ...e/test/aad/selenium/login/AADLoginIT.java b/...m/azure/test/aad/selenium/AADLoginIT.java → ...e/test/aad/selenium/login/AADLoginIT.java
@@ -1,8 +1,9 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.test.aad.selenium;
+package com.azure.test.aad.selenium.login;
 
+import com.azure.test.aad.selenium.SeleniumTestUtils;
 import com.azure.test.utils.AppRunner;
 import org.junit.Assert;
 import org.junit.Test;