Wednesday, October 07, 2015

ADFS : OAuth on Server 2016 TP3

Continuing the saga of OpenID Connect / OAuth on TP3. (Refer previous posts for TP2).

Vittorio blogged on:

OpenId Connect Web Sign On with ADFS in Windows Server 2016 TP3

Securing a Web API with ADFS on WS2012 R2 Got Even Easier

and this is a mix and match of both.

I didn't create a VM on my PC - I ran one up on Azure using the pre-configured TP3 sample from the Gallery. The steps are the same as described except that in Azure you need to enable the http and https endpoints. That catches me every time :-)

I used the code from the second blog entry with the new OAuth wizard from the first one.


RP now have an new entry "Edit Access Control Policy" which displays the screen above. Note I have allowed access to everyone.

Problem is - it doesn't work. I kept getting this error.

MSIS9321: Received invalid OAuth request. The client 'GUID' is forbidden to access the resource 

Pulled my hair out over this one. And then I had another look at Vittorio's blog above and noticed that he had done this via PowerShell.

He has this line:

-IssuanceAuthorizationRules ‘=> issue(Type = “http://schemas.microsoft.com/authorization/claims/permit”, Value = “true”);’

OK - so I'll use PowerShell instead of the wizard to create the RP.

Now the wizard shows:


i.e. the "old" way. And suddenly, that part worked.

Now Vittorio's blog talked about generating a secret key - which he doesn't seem to use in the sample?

I tried everything I could think off on this page:


Nothing I did seemed to work.

I kept getting:

MSIS9267: No Client credentials found in the request. Client 'GUID' is configured as a confidential client.

No idea what to do here? And there doesn't seem to be any relevant documentation.

I noted that in Vittorio's first blog post post, he actually just accesses the ADFS Discovery Doc i.e. the address of your ADFS OpenID Connect discovery document – the issuer metadata in OpenId Connect. I got this sample working. However, he didn't actually use the OAuth flow itself.

Also there is a menu item for "Scope Descriptions" but nothing to map these to an OAuth client i.e. I only want this client to accept these scopes.

But having said all that, I really enjoy reading Vittorio's posts. He's the only one blogging on this at the moment.

BTW, looking forward to his new book - Modern Authentication with Active Directory for Web Applications  which I have pre-ordered!

To be continued ...

Enjoy!




2 comments:

Anonymous said...

Hi!
Very informative - Thank you.
Could you post the complete Powershell command you used to create the Relying Party Trust

Thanks
George

nzpcmad said...

The latest stable version of ADFS 4.0 works really well and I no longer use PowerShell. The wizard handles everything.

Good examples here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-development