Add support for Azure China (Azure#18415)

Author: jacko9et

sdk/spring/azure-spring-boot-starter-active-directory/README.md

@@ -159,7 +159,7 @@ Refer to different samples for different authentication ways.
 
 **Note**: `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter` will be deprecated. [Click here](https://github.com/Azure/azure-sdk-for-java/issues/17860) to replace it.
 
-### Authenticate in web apps [Web apps]
+### [Web APP] Authenticate in web app
 Please refer to [azure-spring-boot-sample-active-directory-webapp] for authenticate in web apps.
 
 ####  Configure application.yml:
@@ -188,7 +188,7 @@ public class AADOAuth2LoginConfigSample extends AADWebSecurityConfigurerAdapter
 }
 ```
 
-### Configure scopes of multiple resources [Web apps]
+### [Web APP] Configure scopes of multiple resources
 By default, `azure-spring-boot-starter-active-directory` configures scopes of `openid`, `profile` and `https://graph.microsoft.com/user.read` to implement OpenID Connect protocol and access of membership information of logging in users.
 
 To customize scope configurations of multiple resources, developers need to configure the registration id and scopes in the `application.yml` as needed. Here the {registration-id} is defined by developers themselves to generate correspondding `OAuth2AuthorizedClient` to acquire access tokens, and scope names should follow the specification of `resource-uri/permission`.
@@ -202,7 +202,7 @@ azure:
         scopes: {scope1}, {scope2}
 ``` 
 
-### Configure on-demand resource authorization [Web apps]
+### [Web APP] Configure on-demand resource authorization
 To configure the authorization of certain resource as on-demand, developers need to add following property in `application.yml`:
 ```yaml
 azure:
@@ -213,7 +213,7 @@ azure:
         scopes: {scope1}, {scope2}
 ```
 
-### Protect the resource APIs in resource server [Web APIs]
+### [Web API] Protect the resource APIs in resource server
 Please refer to [azure-spring-boot-sample-active-directory-resource-server] for access resource APIs.
 
 #### Include the package
@@ -250,7 +250,7 @@ public class AADOAuth2ResourceServerSecurityConfig extends WebSecurityConfigurer
 }
 ```
 
-### OAuth 2.0 On-Behalf-Of flow [Web APIs]
+### [Web API] OAuth 2.0 On-Behalf-Of flow
 Please refer [azure-spring-boot-sample-active-directory-resource-server-obo] to for access On-Behalf-Of flow.
 
 #### Include the package
@@ -314,7 +314,7 @@ azure:
  }
 ```
 
-### Authenticate in web APIs [Web APIs]
+### [Web API] (Deprecated) Authenticate in web API by a filter
 Please refer to [azure-spring-boot-sample-active-directory-resource-server-by-filter] for how to integrate Spring Security and Azure AD for authentication and authorization in a Single Page Application (SPA) scenario.
 
 #### Configure application.yml:
@@ -341,7 +341,7 @@ public class AADAuthenticationFilterConfigSample extends WebSecurityConfigurerAd
 * Role-based Authorization with annotation `@PreAuthorize("hasRole('GROUP_NAME')")`
 * Role-based Authorization with method `isMemberOf()`
 
-### Authenticate stateless web APIs using AAD app roles [Web APIs]
+### [Web API] (Deprecated) Authenticate stateless web API by a filter, using AAD app roles
 This scenario fits best for stateless Spring backends exposing an API to SPAs ([OAuth 2.0 implicit grant flow]) or service-to-service access using the [client credentials grant flow].
 The stateless processing can be activated with the `azure.activedirectory.session-stateless` property. The authorization is using the [AAD App Roles feature], so instead of using the `groups` claim the token has a `roles` claim which contains roles [configured in your manifest]. 
 
@@ -395,6 +395,15 @@ public class AADAppRoleStatelessAuthenticationFilterConfigSample extends WebSecu
 
 The roles you want to use within your application have to be [set up in the manifest of your application registration].
 
+### [Web APP & Web API] Use Azure China instead of Azure Global
+If you use [Azure China] instead of **Azure Global**, you need to configure your `application.yml`:
+```yaml
+azure:
+  activedirectory:
+    base-uri: https://login.partner.microsoftonline.cn
+    graph-membership-uri: https://microsoftgraph.chinacloudapi.cn/v1.0/me/memberOf
+```
+
 ## Troubleshooting
 ### Enable client logging
 Azure SDKs for Java offers a consistent logging story to help aid in troubleshooting application errors and expedite their resolution. The logs produced will capture the flow of an application before reaching the terminal state to help locate the root issue. View the [logging][logging] wiki for guidance about enabling logging.
@@ -446,3 +455,4 @@ Please follow [instructions here] to build from source or contribute.
 [refdocs]: https://azure.github.io/azure-sdk-for-java/springboot.html#azure-spring-boot
 [sample]: https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/spring/azure-spring-boot-samples
 [set up in the manifest of your application registration]: https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
+[Azure China]: https://docs.microsoft.com/azure/china/resources-developer-guide#check-endpoints-in-azure

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/webapp/AADWebAppConfiguration.java

@@ -81,7 +81,7 @@ private AzureClientRegistration createDefaultClient() {
             // AAD server will return error if:
             // 1. authorizationCodeScopes have more than one resource server.
             // 2. accessTokenScopes have no resource server
-            accessTokenScopes.add("https://graph.microsoft.com/User.Read");
+            accessTokenScopes.add(properties.getGraphBaseUri() + "User.Read");
         }
         return new AzureClientRegistration(client, accessTokenScopes);
     }
@@ -115,8 +115,8 @@ private Set<String> accessTokenScopes() {
         result.addAll(openidScopes());
         if (properties.allowedGroupsConfigured()) {
             // The 2 scopes are need to get group name from graph.
-            result.add("https://graph.microsoft.com/User.Read");
-            result.add("https://graph.microsoft.com/Directory.AccessAsUser.All");
+            result.add(properties.getGraphBaseUri() + "User.Read");
+            result.add(properties.getGraphBaseUri() + "Directory.AccessAsUser.All");
         }
         return result;
     }

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationProperties.java

@@ -5,9 +5,11 @@
 
 import com.azure.spring.aad.webapp.AuthorizationClientProperties;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.DeprecatedConfigurationProperty;
 import org.springframework.util.ClassUtils;
+import org.springframework.util.StringUtils;
 import org.springframework.validation.annotation.Validated;
 
 import java.util.ArrayList;
@@ -23,7 +25,7 @@
  */
 @Validated
 @ConfigurationProperties("azure.activedirectory")
-public class AADAuthenticationProperties {
+public class AADAuthenticationProperties implements InitializingBean {
 
     private static final long DEFAULT_JWK_SET_CACHE_LIFESPAN = TimeUnit.MINUTES.toMillis(5);
     private static final long DEFAULT_JWK_SET_CACHE_REFRESH_TIME = DEFAULT_JWK_SET_CACHE_LIFESPAN;
@@ -97,9 +99,11 @@ public class AADAuthenticationProperties {
      */
     private Boolean sessionStateless = false;
 
-    private String baseUri = "https://login.microsoftonline.com/";
+    private String baseUri;
 
-    private String graphMembershipUri = "https://graph.microsoft.com/v1.0/me/memberOf";
+    private String graphBaseUri;
+
+    private String graphMembershipUri;
 
     private Map<String, AuthorizationClientProperties> authorizationClients = new HashMap<>();
 
@@ -277,6 +281,14 @@ public void setBaseUri(String baseUri) {
         this.baseUri = baseUri;
     }
 
+    public String getGraphBaseUri() {
+        return graphBaseUri;
+    }
+
+    public void setGraphBaseUri(String graphBaseUri) {
+        this.graphBaseUri = graphBaseUri;
+    }
+
     public String getGraphMembershipUri() {
         return graphMembershipUri;
     }
@@ -299,4 +311,35 @@ public boolean isAllowedGroup(String group) {
                        .orElseGet(Collections::emptyList)
                        .contains(group);
     }
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+
+        if (!StringUtils.hasText(baseUri)) {
+            baseUri = "https://login.microsoftonline.com/";
+        } else {
+            baseUri = addSlash(baseUri);
+        }
+
+        if (!StringUtils.hasText(graphBaseUri)) {
+            graphBaseUri = "https://graph.microsoft.com/";
+        } else {
+            graphBaseUri = addSlash(graphBaseUri);
+        }
+
+        if (!StringUtils.hasText(graphMembershipUri)) {
+            graphMembershipUri = graphBaseUri + "v1.0/me/memberOf";
+        }
+
+        if (!graphMembershipUri.startsWith(graphBaseUri)) {
+            throw new IllegalStateException("azure.activedirectory.graph-base-uri should be "
+                + "the prefix of azure.activedirectory.graph-membership-uri. "
+                + "azure.activedirectory.graph-base-uri = " + graphBaseUri + ", "
+                + "azure.activedirectory.graph-membership-uri = " + graphMembershipUri + ".");
+        }
+    }
+
+    private String addSlash(String uri) {
+        return uri.endsWith("/") ? uri : uri + "/";
+    }
 }

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AzureADGraphClient.java

@@ -46,7 +46,7 @@
 public class AzureADGraphClient {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(AzureADGraphClient.class);
-    private static final String MICROSOFT_GRAPH_SCOPE = "https://graph.microsoft.com/user.read";
+    private static final String MICROSOFT_GRAPH_SCOPE = "User.Read";
     // We use "aadfeed5" as suffix when client library is ADAL, upgrade to "aadfeed6" for MSAL
     private static final String REQUEST_ID_SUFFIX = "aadfeed6";