Comments on Random thoughts and collisions: ADFS - Native Client and Web API on Server 2016 TP4 ADFS 4.0

Comment by Anonymous, 2017-11-28:

There is a typo (that was posted by mcdaniel in the comments section) that is most likely causing your issue. I added a longer comment in reply to mcdaniel's comment, and I also copied it below in case anyone arrives at this page first.

The typo found by mcdaniel will cause the request to get an OAuth access token using the On Behalf Of flow to fail because AD FS 2016 looks for the user_impersonation scope in the "scp" attribute of the access token. And the "scp" attribute is only populated when the claim issuance rule issues a claim of type "http://schemas.microsoft.com/identity/claims/scope".

If a claim is issued with the HTTPS prefix, then AD FS 2016 issues a token with an attribute of "https://schemas.microsoft.com/identity/claims/scope" instead of an attribute of "scp".

So, if anyone is receiving an AdalServiceException of MSIS9650, or if anyone is seeing an OAuthInvalidOBOAssertionException in the AD FS event log of type MSIS9386, then verify that your claims issuance rule in AD FS is using "http://schemas.microsoft.com/identity/claims/scope" without the HTTPS.

P.S. The full error message from ADAL is as follows: Error while attempting to get token. Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: MSIS9650: Received invalid OAuth request. Access token in the 'assertion' parameter value doesn't contain required scope claim with value 'user_impersonation'.
---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (BadRequest). ---> System.Exception: {"error":"invalid_request","error_description":"MSIS9650: Received invalid OAuth request. Access token in the \u0027assertion\u0027 parameter value doesn\u0027t contain required scope claim with value \u0027user_impersonation\u0027."}

P.P.S. The full error message logged by AD FS is as follows: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidOBOAssertionException: MSIS9386: Received invalid OAuth request. Access token in the 'assertion' parameter value doesn't contain scope claim with value 'user_impersonation'.