Friday, July 24, 2015

Misc : Just because something is there doesn't mean you have to use it.

I came across a situation recently that made me smile!

For various reasons, this company uses ADFS and IdentityServer 2.0.

They then had a requirement to secute a Web API.

Web API's require a JWT token and they knew that IdentityServer allows you to convert token types for RP i.e.

So the path is Web API --> IS --> ADFS and then return the SAML token and convert to JWT.

It works fine but if they had taken a step back and asked "What is the correct way to do this" and not been sidetracked by the JWT issue, then they would have found a much better solution which is also supported by IS viz. OAuth2.

As it transpired, they needed to authenticate against AD which IS doesn't do and ADFS 3.0 has limited OAuth functionality but when ADFS vNext on Server 2016 comes out, hopefully they will convert the above and use OAuth2!


No comments: