
The plan is to support OAuth2 workflows in an AngularJS application. ADAL supports the 'Implicit Grant Flow'. ADFS in older versions (available in Windows 2012 R2) supported only the 'Authorization Grant Flow'.

Our plan is to begin by setting up a lab environment. It was suggested to us that Windows 2012 R2 has limited support for OAuth2; hence, we should set up the environment using Windows 2016 and ADFS 4.0.

So before we start with a setup involving AD, ADFS, IIS and an AngularJS application (which is definitely non-trivial), we wanted to confirm: can ADFS running on Windows Server 2016, together with ADAL.JS, support OAuth2 Implicit Grant workflows?

TylerH
no-minds
  • Why the need for ADFS? If all you're trying to do is log in on-prem users, use Azure AD pass-through authentication – evilSnobu Mar 13 '18 at 20:30
  • Yes, that is also planned. We followed the following video "". As per the video it should be seamless SSO. However, what we observed is that it does not work for Edge. For other popular browsers like Chrome and Firefox it still asks for the username (not happy), though the password is not asked (that is good). Is it something wrong with the configuration that we do not know? Any thoughts? – no-minds Mar 16 '18 at 05:00
  • Oops... The link to the video is here: "https://www.youtube.com/watch?v=PyeAC85Gm7w" – no-minds Mar 16 '18 at 05:06
  • Found a new link (https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-how-it-works) just now which seems to explain why, for a few applications, browsers still ask for the 'username'. Now the only thing I want to know is the type of token returned in step 9 under "How does sign-in on a web browser with Seamless SSO work?". My guess is that it is an OAuth2 access token. Any thoughts? – no-minds Mar 16 '18 at 19:25
  • Should be an `id_token`. – evilSnobu Mar 16 '18 at 19:28
  • Is 'id_token' or such a token available in the browser's memory? Can I read the value of 'id_token'? – no-minds Mar 17 '18 at 18:40
  • It's usually stored as a cookie or in session storage for the implicit flow (adal.js). Yes, it is a JWT token; you should be able to unpack it and read claims just as with any other JWT. – evilSnobu Mar 17 '18 at 19:55
  • Yes, when we used the ADAL library in our sample application, the JWT was available under session storage or local storage based on the settings we provided in the config. However, with Pass-through Authentication and Seamless Single Sign-On I can see the id_token returned in the login response message. However, it is not available in the browser. If anyone knows where I can find it, please respond. – no-minds Mar 28 '18 at 07:46
  • Are you calling `context.saveTokenFromHash()`? https://github.com/AzureAD/azure-activedirectory-library-for-js/blob/master/lib/adal.js#L1164. I'm not completely sure that's the right function; just skim the source code. The logic you're looking for is to extract the `id_token` URL fragment and drop it into session/local storage. – evilSnobu Mar 28 '18 at 07:57
  • I am accessing a sample application on Azure using seamless SSO and pass-through authentication. I do get success in launching the application from a domain-joined machine. That's good. For a reason I need to get hold of the id_token value returned by a call to 'login.microsoftonline.com'. – no-minds Mar 28 '18 at 11:44
  • I see the id_token value used in subsequent POST calls. However, I want to see where in the browser it is persisted. I could not find it in the browser's local storage, session storage or cookies. Hence my concern is where the id_token returned in response to the GET call to ....oauth2/authorize gets stored. – no-minds Mar 28 '18 at 11:48
  • It's not persisted by default, that's what I'm saying; you have to call into adal.js to make that happen. – evilSnobu Mar 28 '18 at 11:55
  • But in our experiment I don't see 'adal.js' loaded. The application we are trying to access is the default application that has been created and hosted using 'App Services' in Azure AD. – no-minds Mar 28 '18 at 12:46

2 Answers


*OAuth 2.0 support in ADFS on Windows Server 2012 R2* states the following about the supported authorization grants:

| Authorization grant type | ADFS (Windows Server 2012 R2) |
| --- | --- |
| Authorization code grant | Supported |
| Implicit grant | Not supported |
| Resource Owner Password Credentials grant | Not supported |
| Client Credentials grant | Not supported |

Also, *Is ADFS as OAuth2 provider / Authentication server possible?* was answered as follows:

With ADFS 2016 (which will release imminently), you have the full Oauth/OIDC support. With this you can build web apps, single page apps, API's, multi-tiered app systems that require On-behalf-of support, confidential clients (with support for windows service accounts acting as confidential clients).

For your scenario, you could follow Build a single page web application using OAuth and ADAL.JS with AD FS 2016. Note: The previous walkthrough is applicable only to AD FS Server 2016 and higher.

Community
Bruce Chen
  • With ADFS 2016 (which will release imminently) ... ? Is it not available in current Windows 2016 server ? – no-minds Mar 13 '18 at 07:32
  • Sorry for misleading you; the similar issue is too old. It is available in the current Windows 2016 server; you could just follow the tutorial I provided. The single page application uses the implicit grant flow. – Bruce Chen Mar 13 '18 at 07:55


I am following that (https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/single-page-application-with-ad-fs) but I am getting a 401 error while trying to browse the TodoList page. The userdata shows aud, iss, iat, exp, upn, unique_name and sub but not my family and given name. In the relying party trust I have:

```
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "family_name"), query = ";displayName,mail,givenName,sn;{0}", param = c.Value);
```

and in the Issuance transform rules I have:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";mail,givenName,sn,tokenGroups(SID),sAMAccountName;{0}", param = c.Value);
```

Mohsen