The standard use case is for an ASP.NET application using OpenID Connect / OAuth via the NuGet OWIN packages taking to ADFS.
The standard way is to configure a server application as above.
This all works . The problem is that the ADFS wizard does not have any way to configure claims rules. As a result you get the standard set of claims in the JWT.
aud 8173...1501
iss https://xxx.cloudapp.net/adfs
iat 1494378378
exp 1494381978
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 1494378377
nonce 6362....NmVl
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 0JrA...H7k=
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn user1@dev.local
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name DEV\user1
c_hash baOc...R8GA
The only user specific details are the "upn" and the "name".
But what if you want more?
You can use the "Web browser accessing a web application" profile as per this.
This profile achieves the result in a roundabout way:
"Behind the scenes, this template creates a native client and new app type called Web application, which is just a Web API with an Identifier (RPID) that matches the native client's client ID. This means the Web application is simultaneously client and resource, so you can assign issuance transform rules as you would with a Web API."
I configured some claims in the wizard:
Now when I authenticate, I get this:
aud c906...3ab4
iss https://xxx.cloudapp.net/adfs
iat 1494379409
exp 1494383009
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 1494379408
nonce 6362...NTk2
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier PRUA...50U=
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name DEV\user1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn user1@dev.local
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname User1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Test
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress user1@company.com
http://schemas.xmlsoap.org/claims/CommonName User1 Test
apptype Public
appid c906...3ab4
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
ver 1.0
http://schemas.microsoft.com/identity/claims/scope openid
c_hash -0ZX...Z81A
You will also notice that the apptype is "Public" i.e. a web site as opposed to "confidential" i.e. a web API.
I also answered a question in stackoverflow along these lines here.
As per the discussion from @Efrain:
"As indicated in @nzpcmad's answer, it appears that custom claims in the id_token using the default URL-parameter-encoded GET redirect is simply not supported. The reason for this may be that there is an URL length limit, but I find that quite questionable.
Anyway, apparently this restriction does not apply when the token is
returned in a POST redirect. That's also why people describe it working
just fine for MVC applications.
So I was able to work around the problem by redirecting the response to a back-end API endpoint (POST), which just redirects it to the front-end (SPA) again, but as a GET request with URL-encoded parameters:
So I was able to work around the problem by redirecting the response to a back-end API endpoint (POST), which just redirects it to the front-end (SPA) again, but as a GET request with URL-encoded parameters:
public class LoginController : ApiController
{
[HttpPost]
[Route("login")]
public HttpResponseMessage Login(FormDataCollection formData)
{
var token = formData["id_token"];
var state = formData["state"];
var response = Request.CreateResponse(HttpStatusCode.Moved);
var frontendUri = ConfigurationManager.AppSettings["ad:FrontendUri"];
response.Headers.Location = new Uri($"{frontendUri}#id_token={token} &state={state}");
return response;
}
}
&response_mode=form_post to the OAuth request URL."Enjoy!
No comments:
Post a Comment