0

In an Ionic mobile app, we need to access the web API and to show a Web UI (both SharePoint) in an Ionic WebView (essentially a browser inside the app). We're using OnPrem ADFS on Windows Server 2012 and OnPrem SharePoint 2013. Here's what we do:

1. In ADFS3, Setup OAuth2 and add a Relying Party Trust and a Client

http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/

2. From the mobile app, call ADFS to obtain an OAuth Access Token

First, GETing:

https://myadfsdomain/adfs/oauth/authorize
    ?response_type=code
    &client_id=MYCLIENTID
    &redirect_uri=https://myserver/callback
    &resource=MYRelyingPartyId

then POSTing the responseCode Eg:

$http({method: "post", 
   headers: {'Content-Type': 'application/x-www-form-urlencoded'}, 
   url: "https://myadfsdomain/adfs/oauth2/token", 
   data: "client_id=MYCLIENTID&code=" + responseCode + "&redirect_uri=https://myserver/callback&grant_type=authorization_code"  })

See also http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

We now have an OAuth2 Access Token.

3. Use that token to call the SharePoint API

GET /the-api-method
 Host: example.com
 Authorization: Bearer <access_token>

Question

Question is, how can that access token be used to access the Web UI? Can it be exchanged for a SharePoint Web UI cookie (FedAuth?) so that a WebView placed in the app can show a SharePoint web page to the authenticated user without the user having to login again?

According to this post, it sounds like OAuth2 for ADFS3 (Windows Server 2012) only works when calling a web API, NOT when calling a web UI. Is that correct?

As ADFS on Windows Server 2016 now supports more OAuth2 grant types, is it now possible to use ADFS OAuth in server 2016 for a web UI? If so, how does the access token get exchanged for a cookie or does it?

Community
  • 1
  • 1
Daniel Flippance
  • 7,734
  • 5
  • 42
  • 55
  • Daniel Flippance did you get this to work? "Question is, how can that access token be used to access the Web UI? Can it be exchanged for a SharePoint Web UI cookie (FedAuth?) so that a WebView placed in the app can show a SharePoint web page to the authenticated user without the user having to login again?" – lanakin Dec 20 '17 at 18:31
  • @Ianakin, in our case the web UI and the web API ended up using the same cookie due to the way Ionic is designed so we could show the UI and call the API at the same time without needing to use OAuth. – Daniel Flippance Dec 20 '17 at 19:05

1 Answers1

0

Yes - ADFS 3.0 only handles authorisation code grant for confidential clients i.e. web API.

In ADFS 4.0, you have support for OpenID Connect. This opens up the web site scenario. This gives you a token that you can then use to access a web API.

Have a look at Calling a web API in a web app using Azure AD and OpenID Connect. This uses Azure AD but the principle is the same.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • Indeed. http://nzpcmad.blogspot.co.nz/2016/03/adfs-webapp-and-web-api-on-server-2016.html – rbrayb Feb 13 '17 at 23:38
  • The example is doing something different from my scenario - AFAICT, the web app in the example is authenticating to AD using OAuth and OpenID from the web server then issuing it's own cookies in the typical way. In my case, the authentication is done in the mobile app and I would then need to pass the access_token to the web server in order to get the cookie(s). Researching OWIN to see if it helps with this... – Daniel Flippance Feb 15 '17 at 00:23