How to configure ADFS 3.0 for oAuth

  • Question

  • Hi Everyone,

    I have installed Windows 2012 R2 and ADFS from Roles and Features. My Active Directory is also installed on the same machine. Now I want to develop a web application which will communicate with ADFS to authenticate users for Single Sign On. I need the following information.

    1. How to configure ADFS for OAuth to work?

    2. How I can get the oAuth client_Id and secret?

    3. Which URIs will I hit to get the information? like http://FQDN/adfs/ls

    4. Any example or Microsoft APIs for oAuth

    Please help me to sort this

    Many Thanks

    Monday, December 9, 2013 5:36 AM

All replies

  • Hi Imtiaz

    Have you received any answers or found a solution?

    We are facing the same problems. Is there any documentation available?

    Br

    erik

    Wednesday, February 5, 2014 7:37 PM
  • We are on the same road here, but I managed to find some stuff. Maybe it will also help you.

    1. In ADFS 3.0 (Windows Server 2012 R2) the oAuth endpoint is automatically configured and enabled.

    2. You can set it yourself using a powershell cmdlet called "Add-ADFSClient" on the ADFS server.

    3 & 4. The main URL is https://youradfsserver/adfs/oauth2/. It translates into the following URLs for doing your oAuth2 sequence.

    Getting the authorization_code:

    https://youradfsserver/adfs/oauth2/authorize?response_type=code&client_id=YourRegisteredClientId&redirect_uri=YourRedirectUri&resource=yourrelayingpartyId

    All the parameters are required; check the event viewer of your ADFS server for some pointers in case an error occurred. If the parameters are ok, it will show you the ADFS login screen to enter your credentials. If you successfully authenticate it will instruct your browser to use the given redirect uri and it will append code=.... to the url. The part after the code= is your authorization code.

    Translate the authorization code into an access token:

    To translate the authorization code into an access token you have to call https://youradfsserver/adfs/oauth2/token

    with in the body of your request:

    client_id=yourclient&code=yourauthorizationcode&redirect_uri=yourredirecturi&grant_type=authorization_code

    If this goes ok, the ADFS server will return a JSON response with an access token, like this:

    {"access_token":"youraccesstoken","token_type":"bearer","expires_in":3600}

    Hope this helps!

    Regards,

    Patrick


    kalkie

    • Proposed as answer by Robin Gaal Wednesday, March 30, 2016 8:46 AM
    Tuesday, March 18, 2014 10:29 AM
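    As an added example (not code from the post or from Microsoft), the four steps Patrick describes as a small Python module: build the authorize URL with all four required parameters, pull the code out of the redirect, build the token request body, and check the JSON reply before trusting it. The host youradfsserver is a placeholder, and the state parameter is an assumption not in the post (assumed to be passed through by ADFS); it lets the redirect handler reject a code it did not ask for.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder host (assumption); replace with your ADFS server FQDN.
ADFS_HOST = "youradfsserver"
AUTHORIZE_ENDPOINT = "https://%s/adfs/oauth2/authorize" % ADFS_HOST
TOKEN_ENDPOINT = "https://%s/adfs/oauth2/token" % ADFS_HOST


def build_authorize_url(client_id, redirect_uri, resource, state):
    """Step 1: URL the browser is sent to. ADFS requires all four
    parameters; 'state' is an extra value (assumed to be passed through)
    so the redirect handler can reject responses it did not initiate."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def extract_code(redirect_url, expected_state):
    """Step 2: pull 'code' out of the redirect ADFS sends the browser to.
    Refuses the response if 'state' is missing or does not match."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a response we requested")
    if "error" in query:
        raise ValueError("ADFS returned error: %s" % query["error"][0])
    return query["code"][0]


def build_token_request(client_id, code, redirect_uri):
    """Step 3: the form-encoded body to POST to the token endpoint."""
    body = {"client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code"}
    return TOKEN_ENDPOINT, urlencode(body)


def parse_token_response(raw_json):
    """Step 4: check the JSON ADFS returns before trusting the token."""
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response: %r" % data)
    return data["access_token"], int(data["expires_in"])
```

    The body from build_token_request is sent as a POST with Content-Type application/x-www-form-urlencoded; the access_token that comes back is then presented as a Bearer token to the relying party named in the resource parameter.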
  • Hi Patrick,

    Thanks, was also looking for this, that's very helpful! Did you find out how to get the user data after getting an access token?

    I still can't believe a company like Microsoft is incapable of providing adequate documentation...

    Regards,
    Bram

    Tuesday, March 18, 2014 1:50 PM
  • Hi Bram,

    Normally, you would use oAuth2 to secure some Web API. So, with the access token you can now access your API (Relying party) in ADFS. By setting up the correct claim rules for the relying party you can let the claims flow into your Web API, for example email and username.

    But you have to integrate some additional components into your Web API solution to be able to validate the incoming oAuth2 access token and retrieve the claims. That is what Vittorio Bertocci describes in this http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/ post.

    Regards,

    Patrick

    kalkie

    • Proposed as answer by Robin Gaal Wednesday, March 30, 2016 8:47 AM
    Tuesday, March 18, 2014 3:08 PM
  • Hi Patrick,

    Thanks for explaining. I've solved the problem another way, but I'll keep this post bookmarked for future reference ;-).

    Regards,
    Bram

    Wednesday, March 19, 2014 12:40 PM
    Hi Bram, could you tell me what you did to solve the problem? I have read Vittorio's post but actually I don't want to do all of that... just want some user info like the name or userid...

    Edit:

    Currently, I've followed Vittorio's post and I coded my own REST service to get the user info... anyway, if you have some tips about my previous question it would be great.

    Thanks in advance


    Wednesday, May 14, 2014 2:44 PM