
Several questions on OAuth2 on ADFS Server 2016

I'm used to working with ADFS for a long time already and recently I was asked to do a proof of concept with OAuth2 on ADFS. Struggling through terminology I managed to set most things up, but still I do have some unanswered questions. Hope someone can shed some light on these...

For SAML / WS-Fed relying parties, it is possible to set custom web content, using Set-AdfsRelyingPartyWebContent. Is this also possible for web api relying parties created in an application group?

Would it be possible to add claims to a client authenticated with client_id / client_secret (server application in ADFS terms) when using the client credentials grant flow?

Even after setting 'IssueOAuthRefreshTokensTo' to 'AllDevices' on the web API application, I still don't receive refresh tokens. What am I missing here?

When posting a token issued by our ADFS on e.g. jwt.io I receive a 'signature validation' error. How can we resolve that?

We would like to set an audience for the access tokens, so applications can use the audience instead of using the appid to verify if they can consume the token. Can we modify the audience?

What does add-adfsclient do? Does it create a client_id, which can then be linked to a relying party (with Grant-AdfsApplicationPermission), thus enabling OAuth2 for an existing relying party?

When configuring an AD user principal for a server application and using 'password' as grant_type with the client credentials grant flow, I cannot seem to find the correct syntax, as ADFS always gives the error 'MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.'. I have used the syntax 'user@fqdn' for the username.

Thank you for helping me out here!

Let me try and work through these.

In ADFS, OIDC applications and WS-Fed / SAML RP are completely different. You can't mix and match.

jwt.io has a signature error because it doesn't know the .well-known endpoint to get the key. Refer to this.

To get extra claims you need to add an API as that is the only place for claims rules.

To get a refresh token, you need a scope of "offline_access".

For resource owner password, user name and password are separate fields. Refer here.

Feel free to ask more questions. Just expand your question.

Also, samples here. Look at the menu on the LHS.

Update

What do you mean by "can modify web content on a per relying party basis"?

Re. jwt.io, read this.

For refresh tokens, read this. It seems ADFS doesn't follow the spec here.
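As an added illustration of the points above (not code from the question or the answer), here is an ADFS 2016 application-group setup that puts the claim rules on the web API, grants the client the offline_access scope next to the IssueOAuthRefreshTokensTo setting, and sends the resource owner password request with username and password as separate fields. The group name, identifiers, URLs, account and the issuance rule are placeholders, and the web API Identifier is assumed to be what ADFS uses as the aud of access tokens issued for it.

```powershell
# Added example, not from the original post. All names, identifiers and URLs are placeholders.
Import-Module ADFS

$groupName = 'Poc OAuth2 Group'              # placeholder
$clientId  = [guid]::NewGuid().ToString()    # client_id of the server application
$apiId     = 'https://api.example.com/poc'   # placeholder; assumed to become the 'aud' claim

New-AdfsApplicationGroup -Name $groupName

# Server application = confidential client that authenticates with client_id / client_secret.
$serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $groupName `
    -Name 'Poc Server App' -Identifier $clientId -GenerateClientSecret
# Assumption: the returned object carries the generated secret; it is shown only once.
$clientSecret = $serverApp.ClientSecret

# Web API = the resource. Claim rules live here, not on the client. This placeholder
# issuance transform rule looks up the caller's UPN in AD and adds it to the access token.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName -Name 'Poc Web API' `
    -Identifier $apiId -IssuanceTransformRules $rules -AccessControlPolicyName 'Permit everyone'

# Refresh tokens need both: the setting on the web API AND the offline_access scope
# granted to (and requested by) the client.
Set-AdfsWebApiApplication -TargetIdentifier $apiId -IssueOAuthRefreshTokensTo AllDevices
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $apiId `
    -ScopeNames 'openid', 'offline_access'

# Resource owner password grant: username and password are separate form fields,
# and 'resource' selects the web API the token is issued for.
$tokenEndpoint = 'https://adfs.example.com/adfs/oauth2/token'   # placeholder
$body = @{
    grant_type    = 'password'
    client_id     = $clientId
    client_secret = $clientSecret
    username      = 'user@example.com'        # placeholder
    password      = '<user password>'         # placeholder
    resource      = $apiId
    scope         = 'openid offline_access'
}
$resp = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
$resp.access_token    # JWT whose signing key is published at /adfs/discovery/keys
$resp.refresh_token   # present only when offline_access was granted and requested
```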
