Add aad b2c resource server sample (Azure#19511)

Author: ZhuXiaoBing-cn

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-b2c-oidc/README.md

@@ -29,7 +29,7 @@ Follow the guide of [AAD B2C user flows creation](https://docs.microsoft.com/azu
 1. Fill in `${your-tenant-authorization-server-base-uri}` from **Azure AD B2C** portal `App registrations` blade, select **Endpoints**, copy the base endpoint uri(Global cloud format may looks like
 `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com`, China Cloud looks like `https://{your-tenant-name}.b2clogin.cn/{your-tenant-name}.partner.onmschina.cn`). 
 
-    **NOTE**: The `azure.activedirectory.b2c.tenant` has been deprecated. Please `use azure.activedirectory.b2c.base-uri` instead.
+    **NOTE**: The `azure.activedirectory.b2c.tenant` has been deprecated. Please use `azure.activedirectory.b2c.base-uri` instead.
 
 2. Select one registered instance under `Applications` from portal, and then:
     1. Fill in `${your-client-id}` from `Application ID`.

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-b2c-resource-server/README.md

@@ -0,0 +1,102 @@
+# Sample for Azure AD B2C Resource server Spring Boot client library for Java
+
+## Key concepts
+This sample illustrates how to use `azure-spring-boot-starter-active-directory-b2c` package to work in a resource server and valiate tokens. 
+
+1. Constructs trusted iss by configuring tenant id.
+2. Obtain the access token from the HTTP request header.
+3. Analyze access token to `iss` and construct `JwtDecoder` by `AADIssuerJWSKeySelector`.
+4. Use `JwtDecoder` to parse the access token into `Jwt`.
+5. Verify `aud`, `iss`, `nbf`, `exp` claims in access token.
+
+## Getting started
+### Environment checklist
+We need to ensure that this [environment checklist][ready-to-run-checklist] is completed before the run.
+
+### Create and consent Application permissions 
+1. On the **Azure AD B2C** Portal, select the application that requires roles to be added, select **Manifest**.
+2. Find the `appRoles` configuration item, and add the following configuration, then click the **Save** button.
+```json
+  {
+    "allowedMemberTypes": [
+      "Application"
+    ],
+    "description": "Task.read",
+    "displayName": "Task.read",
+    "id": "d2bec026-b75f-418d-9493-8462f54f25d9",
+    "isEnabled": true, 
+    "value": "Test.read"
+  },
+  {
+    "allowedMemberTypes": [
+      "Application"
+    ],
+    "description": "Task.wirte",
+    "displayName": "Task.wirte",
+    "id": "1ab4eeda-d07e-4bce-8f77-b0a84c97c34f",
+    "isEnabled": true,
+    "value": "Test.wirte"
+  }
+```
+
+![Configuration Application Roles](docs/image-configuration-application-roles.png "Configuration Application Roles")
+
+3. Find the application permissions need to use.
+
+![Selected Application](docs/image-selected-application.png "Selected Application")
+![Add Application Roles](docs/image-add-application-roles.png "Add Application Roles")
+
+4. Consent Application permissions.
+
+![Consent Application permissions](docs/image-consent-application-permissions.png "Consent Application permissions")
+
+5. In the end, configuration is as follows.
+   
+![Final Configuration](docs/image-final-configuration.png "Final Configuration")
+
+## Examples
+### Configure the sample
+#### application.yml
+
+```yaml
+# In v2.0 tokens, `aud` is always the client ID of the API, while in v1.0 tokens it can be the app id uri.
+azure:
+  activedirectory:
+    b2c:
+      tenant-id: ${your-tenant-id}
+      app-id-uri: ${your-app-id-uri}         # If you are using v1.0 token, please configure app-id-uri for `aud` verification
+      client-id: ${your-client-id}           # If you are using v2.0 token, please configure client-id for `aud` verification
+```
+
+### Run with Maven
+```
+cd azure-spring-boot-samples/azure-spring-boot-sample-active-directory-b2c-resource-server
+mvn spring-boot:run
+```
+
+### Access the Web API
+We could use Postman to simulate a Web APP to send a request to a Web API.
+
+```http request
+GET /write HTTP/1.1
+Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
+```
+```http request
+GET /read HTTP/1.1
+Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
+```
+
+## Troubleshooting
+- `WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: Read timed out",`
+  
+    While running sample, if error occurs with logs above:
+    - `azure-activedirectory-b2c:jwt-read-timeout` to set longer read time in `application.yml`.
+    
+### FAQ
+#### How do I delete or modify Application Permissions in Portal?
+You can set `isEnabled` to `false` in the manifest's JSON configuration.Then delete or modify it.
+
+## Next steps
+## Contributing
+<!-- LINKS -->
+[ready-to-run-checklist]: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/README.md#ready-to-run-checklist

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-b2c-resource-server/docs/image-add-application-roles.png

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>2.4.0</version> <!-- {x-version-update;org.springframework.boot:spring-boot-starter-parent;external_dependency} -->
+  </parent>
+
+  <groupId>com.azure.spring</groupId>
+  <artifactId>azure-spring-boot-sample-active-directory-b2c-resource-server</artifactId>
+  <version>1.0.0</version>
+  <packaging>jar</packaging>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.azure.spring</groupId>
+      <artifactId>azure-spring-boot-starter-active-directory-b2c</artifactId>
+      <version>3.3.0-beta.1</version> <!-- {x-version-update;com.azure.spring:azure-spring-boot-starter-active-directory-b2c;current} -->
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+    </dependency>
+  </dependencies>
+</project>

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-b2c-resource-server/docs/image-configuration-application-roles.png

@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.spring.sample.aad.b2c;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class AzureADB2CResourceServerSampleApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(AzureADB2CResourceServerSampleApplication.class, args);
+    }
+}

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-b2c-resource-server/docs/image-consent-application-permissions.png

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.spring.sample.aad.b2c.controller;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class WebController {
+
+    @ResponseBody
+    @GetMapping(value = { "/write" })
+    @PreAuthorize("hasAuthority('APPROLE_Test.write')")
+    public String write() {
+        return "Write success.";
+    }
+
+    @ResponseBody
+    @GetMapping(value = { "/read" })
+    @PreAuthorize("hasAuthority('APPROLE_Test.read')")
+    public String read() {
+        return "Read success.";
+    }
+}