I previously blogged on ADFS - Web App and Web API on Server 2016 TP4 ADFS 4.0.
That post also shows the ADFS configuration.
It uses the Authorisation Code Grant in a .NET C# program to call the default template API, i.e. /api/values.
Then I was asked how to do this with Postman which turned out to be less trivial than I thought.
As always, the Postman gist is here.
There is an authorisation request, a token request and the API request.
The VS project (as above) runs on my PC and has the web site and web service.
Running the authorisation request from a browser redirects to ADFS to authenticate and then returns a code in the query string.
As in "/?code=NjX0...".
We paste the code into the body of the second request (the code parameter) and then send it. This returns an access token, a refresh token and an ID token.
The Postman script automatically posts the access token into the third request (the API call) and this returns:
[
"value1",
"value2"
]
as we would expect.
The access token and the id token are encoded and can be decoded with something like jwt.io.
The refresh token is just a long GUID.
This results in:
Access token:
{
"aud": "https://my-pc/TodoListService/",
"iss": "http://my-adfs/adfs/services/trust",
"iat": 1478562128,
"exp": 1478565728,
"apptype": "Confidential",
"appid": "a07...e75",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"auth_time": "2016-11-07T22:50:31.925Z",
"ver": "1.0",
"scp": "openid user_impersonation"
}
ID token:
{
"aud": "a07...e75",
"iss": "https://my-adfs/adfs",
"iat": 1478562128,
"exp": 1478565728,
"auth_time": 1478559031,
"sub": "v2O...nA=",
"upn": "user1@dev.local",
"unique_name": "DEV\\user1"
}
The ADFS wizard allows you to add claims to the web API part.
So I added the usual LDAP rules for email, given name and surname.
After this change, the access token contained the new claims:
{
"aud": "https://my-pc/TodoListService/",
"iss": "http://my-adfs/adfs/services/trust",
"iat": 1478562556,
"exp": 1478566156,
"email": "user1@company.com",
"given_name": "User",
"family_name": "One",
"apptype": "Confidential",
"appid": "a07...e75",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"auth_time": "2016-11-07T23:49:15.935Z",
"ver": "1.0",
"scp": "openid user_impersonation"
}
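The three Postman requests above (authorisation redirect, code-for-token exchange, API call) and the jwt.io-style decoding of the result can be reproduced in a few lines of Python. The block below is an added example, not code from the original post or its gist: it builds the authorise URL and the token-request body, extracts the code from the redirect, decodes a token's header and payload, and then checks the claims an API should insist on (aud, iss, exp/iat, and the LDAP claims added through the wizard). The /adfs/oauth2/authorize and /adfs/oauth2/token paths are the standard ADFS OAuth2 endpoints; the client id placeholder, redirect URI and state value are assumptions, and the sample JWT is constructed from the access-token claims shown above with a dummy signature. Decoding is not verification: like jwt.io, peek_jwt only reads the payload, and a relying API must also verify the RS256 signature against the ADFS signing keys before trusting any claim.

```python
import base64
import json
import urllib.parse

# Assumed values for illustration (not from the post, except the audience and
# issuer, which are copied from the decoded access token shown above).
ADFS_BASE = "https://my-adfs/adfs"
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"             # the post shows it truncated as a07...e75
RESOURCE = "https://my-pc/TodoListService/"     # 'aud' of the access token in the post
ISSUER = "http://my-adfs/adfs/services/trust"   # 'iss' of the access token in the post
REDIRECT_URI = "https://my-pc/TodoListWebApp/"  # assumed redirect URI of the web app


def authorize_url(state):
    """Request 1: the browser redirect to the ADFS /oauth2/authorize endpoint."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "resource": RESOURCE,
        "redirect_uri": REDIRECT_URI,
        "state": state,  # echoed back with the code; the client compares it on return
    }
    return ADFS_BASE + "/oauth2/authorize?" + urllib.parse.urlencode(params)


def token_request_body(code, client_secret):
    """Request 2: form body posted to /oauth2/token to swap the code for tokens."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })


def code_from_redirect(url):
    """Pull the 'code' query parameter out of the redirect ('/?code=NjX0...')."""
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query).get("code", [None])[0]


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def peek_jwt(token):
    """Decode header and payload the way jwt.io does. This does NOT check the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_claims(payload, now, expected_aud=RESOURCE, expected_iss=ISSUER, required=()):
    """Return a list of problems with the claims; an empty list means they are acceptable.
    Signature verification against the ADFS signing keys is a separate, mandatory step."""
    problems = []
    if payload.get("aud") != expected_aud:
        problems.append("aud mismatch: %r" % payload.get("aud"))
    if payload.get("iss") != expected_iss:
        problems.append("iss mismatch: %r" % payload.get("iss"))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        problems.append("token expired or exp missing")
    if not isinstance(payload.get("iat"), int) or payload["iat"] > now:
        problems.append("iat in the future or missing")
    for claim in required:
        if claim not in payload:
            problems.append("missing claim %r" % claim)
    return problems


# Constructed sample: the access-token claims from the post, wrapped in a JWT whose
# signature segment is a dummy. Real ADFS access tokens are RS256-signed.
SAMPLE_CLAIMS = {
    "aud": RESOURCE,
    "iss": ISSUER,
    "iat": 1478562128,
    "exp": 1478565728,
    "apptype": "Confidential",
    "appid": CLIENT_ID,
    "scp": "openid user_impersonation",
}
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "dummy-signature",
])

if __name__ == "__main__":
    print(authorize_url("xyz"))
    code = code_from_redirect("https://my-pc/TodoListWebApp/?code=NjX0abc")
    print(token_request_body(code, "CLIENT-SECRET-PLACEHOLDER"))
    header, payload = peek_jwt(SAMPLE_JWT)
    print(header["alg"], check_claims(payload, now=1478562500))
    print(check_claims(payload, now=1478562500,
                       required=("email", "given_name", "family_name")))
```

Running it with `now` set between the sample token's iat and exp reports no problems for the original claim set, and lists the three LDAP claims as missing, which is exactly the difference between the first and second access tokens above.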
Enjoy!
2 comments:
Thank you so much for all your posts on ADFS 2016. They have been a life saver :)
I have a question regarding the enriched AccessToken which contains the added LDAP claims:
"email": "user1@company.com",
"given_name": "User",
"family_name": "One",
Is it possible to access these added claims from the WebApp without making any request to the WebAPI?
Thank you,
George
Sort of - as per http://nzpcmad.blogspot.co.nz/2017/05/adfs-augmenting-default-jwt-with.html.
It's a web API that's not a web API!
Just FYI - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-development