Oauth 2 token for Active Directory accounts

Question

I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with "Resource Owner Password Credentials" grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (multiplatform App developed with Visual studio tool for Cordova).

In this project, the Web Api will be consumed by a multiplatform Mobile app used by Active Directory Windows domain accounts

I would like to use Owin Oauth 2.0 to grant an Access Token to these users but I don't know how to check the validity of these credentials.

What I was thinking is to put the /token endpoint behind "basic authentication" and in the code of the Access Token Provider get the user from the Identity that, in case of authenticated used, should be automatically created by the Asp.net pipeline.

Is it something that could work?

Do you know any better idea to use Oauth 2.0 for AD Windows Accounts?

Note:

I'm also investigating if Active Directory is able to provide an Oauth 2.0 endpoint by itself.

why would you need to issue your own access tokens if Azure AD can do it for you: https://msdn.microsoft.com/en-us/library/azure/dn645545.aspx? since the flow for both is standard OAuth 2.0, your clients would not change — Hans Z., Apr 16 '15 at 05:24

score 17 · Accepted Answer · answered Apr 22 '15 at 17:07

Here is a pretty good walkthrough of how to use Active Directory Federation Services to obtain an OAuth2 token. https://technet.microsoft.com/en-us/library/dn633593.aspx. You'll have to follow all the links at the bottom to get the entire walkthrough.

Note that it refers to using Windows Azure AD Authentication Library for .NET. But according to that documentation, that library is used for both Azure Active Directory and on premises Active Directory.

As for the workflow, once authenticated you'll be able to obtain and present a bearer token to your WebAPI. Your WebAPI then "validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn’t expired and may possibly also validate other claims in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent." - https://technet.microsoft.com/en-us/library/dn633593.aspx

score 9 · Answer 2 · answered Apr 16 '15 at 05:30

9

You could use ADFS 3.0 on top of AD which would provide you with OAuth 2.0 Authorization Server functionality: http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

Putting the token endpoint behind "basic authentication" does not help you because you'd be authenticating the client on the token endpoint, not the user. You could put the authorization endpoint behind "basic authentication" though.

answered Apr 16 '15 at 05:30

Hans Z.

50,496
12
102
115

How could I use the token provided by ADFS on an Asp.net MVC site? – systempuntoout Apr 17 '15 at 18:16
http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/ – Hans Z. Apr 17 '15 at 18:26
Upvoted for the last link, let's see if somebody has something better. – systempuntoout Apr 17 '15 at 19:01

Oauth 2 token for Active Directory accounts

2 Answers2

Linked