This post was inspired by the question "OAuth2 SSO implementation using ADFS in MVC4 with Owin Oauth middleware".
Now this question was answered by @vibronet, who is of course the much-fabled Vittorio of Cloud Identity fame.
"ADFS 2012 R2 only supports public clients. Web sites are confidential clients, hence you cannot perform an OAuth2 authorization grant with ADFS 2012 R2."
But there are references all over the Internet stating that ADFS v3.0 does support the "authorization code grant"?
So I queried this - refer to the article for the response!
After reading the OAuth 2.0 spec (RFC 6749) again, there are two kinds of clients (Section 2.1), viz.:

- confidential: "Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means."
- public: "Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means."

and it then goes on to discuss the client profiles:
- A web application is a confidential client running on a web server.
- A user-agent-based application is a public client in which the client code is downloaded from a web server and executes within a user-agent (e.g., web browser) on the device used by the resource owner.
- A native application is a public client installed and executed on the device used by the resource owner.
Supported authorization grants

| Authorization grant type | ADFS (Windows Server 2012 R2) |
|---|---|
| Authorization code grant | Supported |
| Implicit grant | Not supported |
| Resource Owner Password Credentials grant | Not supported |
| Client Credentials grant | Not supported |

Supported client types

| Client type | ADFS (Windows Server 2012 R2) |
|---|---|
| Confidential client | Not supported |
From these tables we note that the "authorization code grant" is only supported for public clients, which do not include web applications.
This explains @vibronet's answer, and also why the only code samples I've ever seen for this target Web API rather than a web application.
(If you read to the bottom of the post, you'll see that Microsoft extended the OAuth2 spec!)
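As an added example (not code from the original post, from Microsoft or from @vibronet), here is the shape of the authorization code exchange that the table does permit on ADFS 2012 R2: a public client such as a native app, which sends only its client_id to the token endpoint because it has no client_secret to protect, and which checks the state parameter on the callback. The host, client id, redirect URI and resource identifier are constructed placeholders, and the /adfs/oauth2 endpoint paths and the resource parameter are assumptions about the ADFS 2012 R2 endpoints.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for a hypothetical ADFS 2012 R2 farm and a registered public client.
ADFS = "https://adfs.example.com"
CLIENT_ID = "e1a2b3c4-public-client"      # client identifier registered with ADFS (constructed)
REDIRECT_URI = "myapp://auth/callback"    # native-app redirect, not a web server
RESOURCE = "https://api.example.com/"     # relying party identifier (assumed ADFS 'resource' param)


def new_state() -> str:
    """Unguessable per-request value bound to the user's session (RFC 6749 section 10.12)."""
    return secrets.token_urlsafe(16)


def build_authorize_url(state: str) -> str:
    """RFC 6749 section 4.1.1 authorization request for a public client.
    The 'resource' parameter is an assumption about ADFS 2012 R2's extension of the spec."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE,
        "state": state,
    }
    return f"{ADFS}/adfs/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.
    Refuse it when 'state' does not match the value we issued (CSRF / session mix-up)
    or when the authorization server returned an error instead of a code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str) -> dict:
    """RFC 6749 section 4.1.3 token request body (POSTed to /adfs/oauth2/token).
    A public client cannot authenticate, so there is no client_secret: client_id alone
    identifies it. A web application would need to present its secret here, which is
    exactly the confidential-client case the table marks as not supported."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }
```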
Also to call out @vibronet's statement "OAuth2 is not a sign on protocol". Yes - and it doesn't do SSO either. That's where OpenID Connect comes in. And OpenID Connect is not supported in this release either.
For a summary of the grant types, I found "A guide to OAuth grants" useful.
If you want a full implementation plus OpenID Connect, you'll find it in ADFS 4.0 (Server 2016), which brings the support up to par with Azure AD.