
Well, my first problem is that ADFS 2016 doesn't generate a KID header in the JWT token, and I need it to authenticate in my Identity Provider (Spring Security).

I resolved this problem by getting the ID_TOKEN generated by ADFS, which has the KID as I expected. But using the ID_TOKEN I get the wrong AUD claim.

The AUD claim should be the CLIENTID of my ResourceServer, but ADFS is generating the AUD content with the CLIENTID of my own application (Client Application), and when I try to call my ResourceServer I get Access Denied because the AUD claim is wrong.

Any tips to solve this problem?

Ronaldo Lanhellas

1 Answer


I had the same problem. I solved it by adding an identifier with the correct name.

Be careful, because ADFS uses the first in the list, and it is an ordered list.

This solution could be used for application groups too.

Example:

  • if you add Application1 and MyID, ADFS uses Application1 as aud
  • if you add MyID and Application1, ADFS uses Application1 as aud
  • if you add Application4, MyID and Alice, ADFS uses Alice as aud

Hope this helps.

Regards,

Claudio
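An added resource-server side check, not code from either poster: a stdlib-only Python validator that rejects a token for exactly the two reasons the question describes (no kid header, aud naming the client application instead of the ResourceServer). It assumes an HS256 shared key and constructed client identifiers in place of the RS256 keys and real identifiers ADFS would use; the aud handling accepts both the string and the array form.

```python
import base64
import hashlib
import hmac
import json

RESOURCE_SERVER_ID = "https://resource-server.example"  # constructed: the ResourceServer's CLIENTID
CLIENT_APP_ID = "client-app-id"                         # constructed: the Client Application's CLIENTID
KEY = b"constructed-shared-secret"                      # constructed: HS256 key standing in for the ADFS signing key

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, claims: dict, key: bytes = KEY) -> str:
    """Build a compact JWT signed with HS256 (constructed stand-in for an ADFS-issued token)."""
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

def check_token(token: str, expected_aud: str = RESOURCE_SERVER_ID, key: bytes = KEY) -> str:
    """Return 'ok' if the resource server should accept the token, otherwise the rejection reason."""
    segments = token.split(".")
    if len(segments) != 3:
        return "malformed token"
    h, c, s = segments
    expected_sig = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return "bad signature"
    header = json.loads(_b64url_decode(h))
    if "kid" not in header:
        # The asker's first problem: without kid the verifier cannot pick a key from the JWKS.
        return "no kid header"
    aud = json.loads(_b64url_decode(c)).get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # RFC 7519: aud is a string or an array
    if expected_aud not in auds:
        # The asker's second problem: aud names the client app, not this resource server.
        return f"aud {auds} does not include {expected_aud}"
    return "ok"

if __name__ == "__main__":
    # Same user, same key: only the aud value decides whether the ResourceServer accepts the token.
    for aud in (CLIENT_APP_ID, RESOURCE_SERVER_ID):
        tok = make_token({"alg": "HS256", "kid": "key-1"}, {"sub": "alice", "aud": aud})
        print(aud, "->", check_token(tok))
```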