
On Premise ADFS 3.0 OAuth2 WebApi + AngularJS

I am completely lost on this, any help would be appreciated.

When I click Login through my client app from AngularJS, I get redirected to:

https://adfs.dev5.local/adfs/oauth2/authorize?response_type=code&client_id=09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc&resource=urn%3Awebapi%3Atest&redirect_uri=https%3A%2F%2Flocalhost%3A44326%2F&state=52e4aa10-f082-4ee6-8823-543ec6e4dce4&client-request-id=e2751f34-f7db-41f4-8c1d-4463e2dca48b&x-client-SKU=Js&x-client-Ver=1.0.15&nonce=93039780-99f6-4efc-8b1b-58aa92df9f82

Which is fine and all; I am able to enter my email + password. Once I log in I get redirected to:

https://localhost:44326/?code=OLCE2LJVeU2Zy2-7Q4oIMg.6Pr0vZgW1QhBAMQoUlgIKAdAsno.q4scWy_ZFQHQEz08M3gU3KJU4NhXdimZiMpgSGBQ8xKN8BLK0Qoe1m1cK5TA2WLLyA14SlnnfA4yHEp5_pTWrIOYNrvOVzNiGU0Zkie-7ae2D1_3U1E1rTmLUTprIadU4gLmo2CeMHkM8gumS285wKsRsMpXVLcavjgjyRM3XoWXSDSP96_eeMgq1osQ1M5170rrGOh_DVqKG-xYnKk5PEC7cWikaR_pxCvwvayLMV0VQIIyq1GJ3CvgK8sWFJGdY3jz247Bh8RPH9-t2_Jz3_7wyqvfvfquAY8tQxElEN1IEoPMOwVdjfBgNlZlw7vtAo79jdH1C_TRNUC5T3IrXw&state=52e4aa10-f082-4ee6-8823-543ec6e4dce4&client-request-id=e2751f34-f7db-41f4-8c1d-4463e2dca48b

This is where I am confused. I don't think it's supposed to redirect me to that... I know that I need to POST this somehow to get the token, but how? I use Postman and I was able to get the access token, but what I don't understand is how does my WebAPI translate this to an access token?

I am using ADFS 3.0 on Windows Server 2012 R2.

Setup ADFS:

Add-ADFSRelyingPartyTrust -Name MyWebAPI -Identifier urn:webapi:test -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' -IssuanceTransformRules 'c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);'

Add Client:

Add-ADFSClient -Name "client" -ClientId "09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc" -RedirectUri "https://localhost:44326/"

Startup.Auth.cs:

app.UseActiveDirectoryFederationServicesBearerAuthentication(
    new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    {
        MetadataEndpoint = "https://adfs.dev5.local/FederationMetadata/2007-06/federationmetadata.xml",
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"],
        }
    });

webconfig for audience:

<appSettings>
   <add key="ida:Audience" value="https://localhost:44326/" />
</appSettings>

AngularJS adal setup:

adalProvider.init(
    {
        instance: 'https://adfs.dev5.local/', 
        tenant: 'adfs',
        clientId: '09c9a8a2-6bf1-427d-89ba-45c2c02bb9fc',
        redirectUri: 'https://localhost:44326/'
        //cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
    },
    $httpProvider
);

Have a look at these Postman samples.

You'll see I did each flow but for ADFS 4.0 which has the full OpenID Connect / OAuth stack.

ADFS 3.0 only has auth. code grant for confidential clients.

Once you have the code for the authorize endpoint, you need to send it to the token endpoint to get the actual token.

There's a good example here.

Also be aware that JS clients normally use the implicit flow.
