Azure · rujche · May 7, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
@@ -6,6 +6,11 @@ Upgrade Spring Boot dependencies version to 4.0.6 and Spring Cloud dependencies
 
 This section includes changes in `spring-cloud-azure-autoconfigure` module.
 
+#### Breaking Changes
+
+- AAD resource server now requires `spring.cloud.azure.active-directory.profile.tenant-id` to be set to a specific (non-reserved) tenant ID. Empty string, `common`, `organizations`, and `consumers` are no longer accepted and will cause application startup to fail with an `IllegalArgumentException`. ([#49033](https://github.com/Azure/azure-sdk-for-java/pull/49033))
+- `AadAuthenticationFilter` now enables explicit audience validation by default. The filter will verify that the JWT's `aud` (audience) claim matches either `spring.cloud.azure.active-directory.credential.client-id` or `spring.cloud.azure.active-directory.app-id-uri`. Tokens issued for other applications will be rejected with `BadJWTException`. This prevents cross-application token reuse and aligns with OAuth2/OIDC security best practices. ([#49033](https://github.com/Azure/azure-sdk-for-java/pull/49033))
+
 #### Bugs Fixed
 
 - Fixed JDBC/Azure Database and Redis passwordless connection scope defaulting using the wrong `azure.scopes` value for Azure China and Azure US Government when `spring.cloud.azure.profile.cloud-type` is set to `azure_china` or `azure_us_government`. The scopes are now correctly derived from the merged cloud type. ([#47096](https://github.com/Azure/azure-sdk-for-java/issues/47096))

@@ -8,6 +8,7 @@
 import com.azure.spring.cloud.autoconfigure.implementation.aad.configuration.properties.AadResourceServerProperties;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.AadJwtClaimNames;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadJwtIssuerValidator;
+import com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt.AadTrustedIssuerRepository;
 import com.azure.spring.cloud.autoconfigure.implementation.aad.security.properties.AadAuthorizationServerEndpoints;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
@@ -33,6 +34,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import static com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadResourceServerHttpSecurityConfigurer.aadResourceServer;
 import static com.azure.spring.cloud.autoconfigure.implementation.aad.utils.AadRestTemplateCreator.createRestTemplate;
@@ -50,8 +52,9 @@ class AadResourceServerConfiguration {
     @Bean
     @ConditionalOnMissingBean(JwtDecoder.class)
     JwtDecoder jwtDecoder(AadAuthenticationProperties aadAuthenticationProperties) {
+        String tenantId = getTrimmedTenantId(aadAuthenticationProperties);
         AadAuthorizationServerEndpoints identityEndpoints = new AadAuthorizationServerEndpoints(
-            aadAuthenticationProperties.getProfile().getEnvironment().getActiveDirectoryEndpoint(), aadAuthenticationProperties.getProfile().getTenantId());
+            aadAuthenticationProperties.getProfile().getEnvironment().getActiveDirectoryEndpoint(), tenantId);
         NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder
             .withJwkSetUri(identityEndpoints.getJwkSetEndpoint())
                 .restOperations(createRestTemplate(restTemplateBuilder))
@@ -64,20 +67,50 @@ JwtDecoder jwtDecoder(AadAuthenticationProperties aadAuthenticationProperties) {
     List<OAuth2TokenValidator<Jwt>> createDefaultValidator(AadAuthenticationProperties aadAuthenticationProperties) {
         List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
         List<String> validAudiences = new ArrayList<>();
+        String tenantId = getTrimmedTenantId(aadAuthenticationProperties);
+        validateTenantId(tenantId);
         if (StringUtils.hasText(aadAuthenticationProperties.getAppIdUri())) {
             validAudiences.add(aadAuthenticationProperties.getAppIdUri());
         }
         if (StringUtils.hasText(aadAuthenticationProperties.getCredential().getClientId())) {
             validAudiences.add(aadAuthenticationProperties.getCredential().getClientId());
         }
         if (!validAudiences.isEmpty()) {
-            validators.add(new JwtClaimValidator<List<String>>(AadJwtClaimNames.AUD, validAudiences::containsAll));
+            validators.add(new JwtClaimValidator<List<String>>(AadJwtClaimNames.AUD,
+                audiences -> audiences != null
+                    && !audiences.isEmpty()
+                    && audiences.stream().anyMatch(validAudiences::contains)));
         }
-        validators.add(new AadJwtIssuerValidator());
+        validators.add(new JwtClaimValidator<String>(AadJwtClaimNames.TID, tenantId::equals));
+        validators.add(new AadJwtIssuerValidator(new AadTrustedIssuerRepository(tenantId)));
         validators.add(new JwtTimestampValidator());
         return validators;
     }
 
+    private static String getTrimmedTenantId(AadAuthenticationProperties aadAuthenticationProperties) {
+        String tenantId = aadAuthenticationProperties.getProfile().getTenantId();
+        return tenantId != null ? tenantId.trim().toLowerCase(Locale.ROOT) : null;
+    }
+
+    private static void validateTenantId(String tenantId) {
+        if (!StringUtils.hasText(tenantId)
+            || "common".equalsIgnoreCase(tenantId)
+            || "organizations".equalsIgnoreCase(tenantId)
+            || "consumers".equalsIgnoreCase(tenantId)) {
+            throw new IllegalArgumentException(
+                "For resource server, "
+                    + "'spring.cloud.azure.active-directory.profile.tenant-id' "
+                    + "cannot be null, empty, or set to 'common', "
+                    + "'organizations', or 'consumers'. "
+                    + "These values are not supported for resource server token "
+                    + "validation because a specific tenant ID is required to "
+                    + "validate the token 'tid' claim and issuer against a "
+                    + "single Azure AD tenant. "
+                    + "Please configure an explicit tenant ID for your "
+                    + "organization's tenant.");
+        }
+    }
+
     @EnableWebSecurity
     @EnableMethodSecurity
     @ConditionalOnDefaultWebSecurity

@@ -69,7 +69,7 @@ public AadAuthenticationFilter(AadAuthenticationProperties aadAuthenticationProp
                 endpoints,
                 aadAuthenticationProperties,
                 resourceRetriever,
-                false
+                true
             ),
             restTemplateBuilder
         );
@@ -97,7 +97,7 @@ public AadAuthenticationFilter(AadAuthenticationProperties aadAuthenticationProp
                 endpoints,
                 aadAuthenticationProperties,
                 resourceRetriever,
-                false,
+                true,
                 jwkSetCache
             ),
             restTemplateBuilder

@@ -220,7 +220,7 @@ public void verify(JWTClaimsSet claimsSet, SecurityContext ctx) throws BadJWTExc
                         LOGGER.debug("Matched audience: [{}]", matchedAudience.get());
                     } else {
                         throw new BadJWTException("Invalid token audience. Provided value " + claimsSet.getAudience()
-                            + "does not match neither client-id nor AppIdUri.");
+                            + " does not match either the client-id or AppIdUri.");
                     }
                 }
             }

@@ -18,45 +18,23 @@
  */
 public class AadJwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
 
-    private static final String LOGIN_MICROSOFT_ONLINE_ISSUER = "https://login.microsoftonline.com/";
-
-    private static final String STS_WINDOWS_ISSUER = "https://sts.windows.net/";
-
-    private static final String STS_CHINA_CLOUD_API_ISSUER = "https://sts.chinacloudapi.cn/";
-
     private final JwtClaimValidator<String> validator;
 
     private final AadTrustedIssuerRepository trustedIssuerRepo;
 
-    /**
-     * Constructs a {@link AadJwtIssuerValidator} using the provided parameters
-     */
-    public AadJwtIssuerValidator() {
-        this(null);
-    }
-
     /**
      * Constructs a {@link AadJwtIssuerValidator} using the provided parameters
      *
      * @param aadTrustedIssuerRepository trusted issuer repository.
      */
     public AadJwtIssuerValidator(AadTrustedIssuerRepository aadTrustedIssuerRepository) {
+        Assert.notNull(aadTrustedIssuerRepository, "aadTrustedIssuerRepository cannot be null");
         this.trustedIssuerRepo = aadTrustedIssuerRepository;
         this.validator = new JwtClaimValidator<>(AadJwtClaimNames.ISS, trustedIssuerRepoValidIssuer());
     }
 
     private Predicate<String> trustedIssuerRepoValidIssuer() {
-        return iss -> {
-            if (iss == null) {
-                return false;
-            }
-            if (trustedIssuerRepo == null) {
-                return iss.startsWith(LOGIN_MICROSOFT_ONLINE_ISSUER)
-                    || iss.startsWith(STS_WINDOWS_ISSUER)
-                    || iss.startsWith(STS_CHINA_CLOUD_API_ISSUER);
-            }
-            return trustedIssuerRepo.getTrustedIssuers().contains(iss);
-        };
+        return iss -> iss != null && trustedIssuerRepo.getTrustedIssuers().contains(iss);
     }
 
     /**

@@ -19,7 +19,8 @@ void servletApplication() {
         oauthClientAndResourceServerRunner()
             .withPropertyValues(
                 "spring.cloud.azure.active-directory.enabled=true",
-                "spring.cloud.azure.active-directory.credential.client-id=fake-client-id"
+                "spring.cloud.azure.active-directory.credential.client-id=fake-client-id",
+                "spring.cloud.azure.active-directory.profile.tenant-id=fake-tenant-id"
             )
             .run(context -> assertThat(context).hasSingleBean(AadAuthenticationProperties.class));
     }
@@ -29,7 +30,8 @@ void nonServletApplication() {
         oauthClientAndResourceServerRunner()
             .withPropertyValues(
                 "spring.cloud.azure.active-directory.enabled=true",
-                "spring.cloud.azure.active-directory.credential.client-id=fake-client-id"
+                "spring.cloud.azure.active-directory.credential.client-id=fake-client-id",
+                "spring.cloud.azure.active-directory.profile.tenant-id=fake-tenant-id"
             )
             .withClassLoader(new FilteredClassLoader(SERVLET_WEB_APPLICATION_CLASS))
             .run(context -> assertThat(context).doesNotHaveBean(AadAuthenticationProperties.class));

@@ -65,7 +65,8 @@ void testWithRequiredPropertiesSet() {
         oauthClientAndResourceServerRunner()
             .withPropertyValues(
                 "spring.cloud.azure.active-directory.enabled=true",
-                "spring.cloud.azure.active-directory.credential.client-id=fake-client-id"
+                "spring.cloud.azure.active-directory.credential.client-id=fake-client-id",
+                "spring.cloud.azure.active-directory.profile.tenant-id=fake-tenant-id"
             )
             .run(context -> {
                 assertThat(context).hasSingleBean(AadAuthenticationProperties.class);