Wednesday, November 25, 2015

ADFS : OAuth 2.0 support

This post refers to ADFS ("AD FS") v3.0 on Server 2012 R2. Below that (2.1 and below), there is no OAuth 2.0 support.

It was inspired by OAuth2 SSO implementation using ADFS in MVC4 with Owin Oauth middleware.

Now this question was answered by @vibronet who is of course the much-fabled Vittorio of Cloud Identity fame.

"ADFS 2012 R2 only supports public clients. Web sites are confidential clients, hence you cannot perform an OAuth2 authorization grant with ADFS 2012 R2."

But there are references all over the Internet stating that ADFS v3.0 does support "authorization code grant" ?

So I queried this - refer to the article for the response!

After reading the OAuth 2.0 spec. again, ( RFC6749) there are two kinds of clients (Section 2.1)  viz:

    Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.

    Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means"

and it then goes on to discussing the client profiles:
  • A web application is a confidential client running on a web server. 
  • A user-agent-based application is a public client in which the client code is downloaded from a web server and executes within a user-agent (e.g., web browser) on the device used by the resource owner. 
  • A native application is a public client installed and executed on the device used by the resource owner. 
 Now as per this post OAuth 2.0 support in ADFS on Windows Server 2012 R2, we see:

Supported authorization grants

Authorization grant typeADFS (Windows Server 2012 R2)
Authorization code grantSupported
Implicit grantNot supported
Resource Owner Password Credentials grantNot supported
Client Credentials grantNot supported

Supported client types

Client typeADFS (Windows Server 2012 R2)
Public clientSupported
Confidential clientNot supported

we note that "authorization code grant" is only supported for public clients which do not include web applications.

Which explains @vibronet's answer and also explains why the only code samples I've ever seen for this are for Web API not web application.

(If you read to the bottom of the post, you'll see that Microsoft extended the OAuth2 spec.!).

Also to call out @vibronet's statement "OAuth2 is not a sign on protocol". Yes - and it doesn't do SSO either. That's where OpenID Connect comes in.And OpenID Connect is not supported in this release either.

In terms of a summary of the grant types, I found "A guide to OAuth grants" useful.

If you want a full implementation plus OpenID Connect you'll find this in ADFS 4.0 - Server 2016 which brings the support up to par with Azure AD.


No comments: