
I've been working with ADFS for a long time already, and recently I was asked to do a proof of concept with OAuth2 on ADFS. Struggling through the terminology, I managed to set most things up, but I still have some unanswered questions. Hope someone can shed some light on these...

For SAML / WS-Fed relying parties, it is possible to set custom web content, using Set-AdfsRelyingPartyWebContent. Is this also possible for web api relying parties created in an application group?

Would it be possible to add claims to a client authenticated with client_id / client_secret (server application in ADFS terms) when using the client credentials grant flow?

Even after setting 'IssueOAuthRefreshTokensTo' to 'AllDevices' on the web api application, I still don't receive refresh tokens. What am I missing here?

When posting a token issued by our ADFS on e.g. jwt.io I receive a 'signature validation' error. How can we resolve that?

We would like to set an audience for the access tokens, so applications can use the audience instead of using the appid to verify if they can consume the token. Can we modify the audience?

What does add-adfsclient do? Does it create a client_id, which can then be linked to a relying party (with Grant-AdfsApplicationPermission), thus enabling OAuth2 for an existing relying party?

When configuring an AD user principal for a server application and using 'password' as grant_type with the client credentials grant flow, I cannot seem to find the correct syntax, as ADFS always gives the error 'MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.'. I have used the syntax 'user@fqdn' for the username.

Thank you for helping me out here!

legan

1 Answer


Let me try and work through these.

In ADFS, OIDC applications and WS-Fed / SAML RP are completely different. You can't mix and match.

jwt.io has a signature error because it doesn't know the .well-known endpoint to get the key. Refer to this.

To get extra claims you need to add an API as that is the only place for claims rules.

To get a refresh token, you need a scope of "offline_access".

For resource owner password, user name and password are separate fields. Refer here.

Feel free to ask more questions. Just expand your question.

Also, samples here. Look at the menu on the LHS.

Update

What do you mean by "can modify web content on a per relying party basis"?

Re. jwt.io, read this.

For refresh tokens, read this. It seems ADFS doesn't follow the spec here.

rbrayb
  • I understand SAML / WS-Fed / OIDC are different, but ADFS can identify them based on their identifier. And I can modify web content on a per relying party basis (= per identifier basis), but I only seem to be able to do that for WS-Fed / SAML and not for OIDC identifiers – legan Jun 02 '20 at 11:31
  • The URL https:///adfs/.well-known/openid-configuration is browsable just fine from the internet, but how would jwt.io know where to obtain this file? – legan Jun 02 '20 at 11:34
  • I cannot modify claim issuance rules for 'server applications' (client id / secret). I can only modify those for a 'web application'. How would that work? – legan Jun 02 '20 at 11:36
  • When trying to obtain a refresh token with 'scope=openid offline_access', I still only receive an access token and an id token, no refresh token. Also, I don't see a scope 'offline_access' in the list of scope descriptions in ADFS. – legan Jun 02 '20 at 11:44
  • For logging on with an AD user name and password in the 'client credentials grant flow' I have used the 'grant_type' 'password' and specified a username and password, just like it is mentioned here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#resource-owner-password-credentials-grant-flow-not-recommended (&username=myusername@contoso.com &password=SuperS3cret&grant_type=password), but that doesn't work. – legan Jun 02 '20 at 11:47
  • I can set a web theme on a relying party, thus customizing the text, the image and the logo on the logon page. I don't seem to be able to do that on a web app in an application group. – legan Jun 16 '20 at 21:41
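Added example, not part of the original question, answer or comments: what the jwt.io point and the audience question come down to on the consuming side. A Web API that receives an ADFS access token has to fetch the JWKS itself from the `jwks_uri` listed in `https://<adfs-fqdn>/adfs/.well-known/openid-configuration`, pick the key whose `kid` matches the token header, verify the RS256 signature, and only then trust and check `iss`, `aud`, `exp` and `nbf`. jwt.io performs none of that key lookup unless you paste the public key into it, which is why it reports a signature error on a perfectly good token. The script below does the whole check with the Python standard library; the RSA key pair (built from two Mersenne primes, so it is a fixture and nothing more), the `kid` `constructed-signing-key-1`, the issuer `https://adfs.example.com/adfs`, the audience `https://api.example.com/orders` and every claim value are constructed so it runs offline.

```python
"""Check an ADFS-style RS256 JWT the way a consuming Web API should: find the token's kid in the
issuer's JWKS (the jwks_uri from /adfs/.well-known/openid-configuration), verify the signature,
then check iss, aud, exp and nbf. Standard library only; key, kid, issuer and audience are constructed."""
import base64, hashlib, hmac, json, time

ISSUER = "https://adfs.example.com/adfs"      # assumption; take the real value from the iss of a token ADFS issues
AUDIENCE = "https://api.example.com/orders"   # assumption; the Web API's identifier in the application group
KID = "constructed-signing-key-1"             # assumption; ADFS publishes its real kid/x5t in the JWKS
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 9.2

class TokenError(Exception):
    pass

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def i2b(i, k): return i.to_bytes(k, "big")

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) padded to k bytes: what RS256 actually signs."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def test_key():
    """Fixture RSA key from two Mersenne primes: trivially factorable, for this demo only."""
    p, q, e = (1 << 521) - 1, (1 << 127) - 1, 65537
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}   # pow(e, -1, m) needs Python 3.8+

def jwks_for(key, kid):
    """The JWKS shape ADFS serves at jwks_uri, reduced to the fields this verifier needs."""
    k = (key["n"].bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "x5t": kid,
                      "n": b64u(i2b(key["n"], k)), "e": b64u(i2b(key["e"], 3))}]}

def sign_rs256(key, kid, claims):
    """Mint a token as the issuer would; stands in for ADFS's /adfs/oauth2/token endpoint."""
    seg = lambda o: b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = seg({"typ": "JWT", "alg": "RS256", "kid": kid}) + "." + seg(claims)
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(i2b(pow(em, key["d"], key["n"]), k))

def verify_rs256(token, jwks, issuer, audience, now=None):
    """Return the claims if the token is valid for `audience`, else raise TokenError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(p_b64))
    except ValueError:
        raise TokenError("token is not a well-formed compact JWT")
    if header.get("alg") != "RS256":   # pin the algorithm: never honour alg=none or an HMAC downgrade
        raise TokenError("unexpected alg %r" % (header.get("alg"),))
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:                    # this kid lookup is what jwt.io cannot do on its own
        raise TokenError("no RSA key with kid %r in JWKS" % (header.get("kid"),))
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64u_dec(s_b64)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise TokenError("malformed signature")
    recovered = i2b(pow(int.from_bytes(sig, "big"), e, n), k)
    if not hmac.compare_digest(recovered, emsa_pkcs1_v15((h_b64 + "." + p_b64).encode(), k)):
        raise TokenError("signature mismatch")
    if claims.get("iss") != issuer:    # only after the signature holds are the claims worth reading
        raise TokenError("issuer %r not trusted" % (claims.get("iss"),))
    aud = claims.get("aud")            # a string in ADFS tokens; the JWT spec also allows a list
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token is for %r, not this API" % (aud,))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):   # a missing exp counts as expired
        raise TokenError("token expired or not yet valid")
    return claims

def demo(now=1_600_000_000):
    """One good token, then each rejection path; returns the outcomes as a dict."""
    key = test_key()
    jwks = jwks_for(key, KID)
    good = sign_rs256(key, KID, {"iss": ISSUER, "aud": AUDIENCE, "sub": "svc-orders",
                                 "nbf": now - 60, "exp": now + 3600})
    h, _, s = good.split(".")          # forged: original header and signature, swapped-in payload
    forged = "%s.%s.%s" % (h, b64u(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": now + 9}).encode()), s)

    def rejects(*args, **kw):
        try:
            verify_rs256(*args, **kw)
        except TokenError as err:
            return str(err)

    return {"good_sub": verify_rs256(good, jwks, ISSUER, AUDIENCE, now=now)["sub"],
            "wrong_audience": rejects(good, jwks, ISSUER, "https://other.example.com", now=now),
            "forged_payload": rejects(forged, jwks, ISSUER, AUDIENCE, now=now),
            "unknown_kid": rejects(good, jwks_for(key, "rotated-key-2"), ISSUER, AUDIENCE, now=now),
            "expired": rejects(good, jwks, ISSUER, AUDIENCE, now=now + 7200)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real ADFS, replace `jwks_for(...)` with a cached GET of the `jwks_uri` (refresh it when a token arrives with a `kid` you do not have, which is what key rollover looks like), and set `ISSUER` from the `iss` value in a token ADFS actually hands out rather than assuming it equals the `issuer` field of the discovery document, since the two are not necessarily the same string. Pinning `alg` before the key is consulted is deliberate: a verifier that honours whatever algorithm the token declares can be handed `none`, or an HMAC token keyed with the published RSA public key.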