Consider the following setup:
On-premise ADFS 2019.
Two Claims Provider Trusts:
Application Group with:
Authentication from Server Application "ABC" to Web API "ABC" works as expected with scopes "openid profile user_impersonation".
Trying to obtain an access token (scope openid) with the on-behalf-of flow for Web API "XYZ" results in the following error message on ADFS:
MSIS9364: Cannot complete the OAuth request. An id token is required by the request but one cannot be constructed because no Anchor claim is present. Verify the AnchorClaimType property on the associated Claims Provider Trust is set correctly.
I verified, and the anchor claim "providerxaccountname" is present in the access token of Web API "ABC".
Some further testing showed that ADFS expects the anchor claim "windowsaccountname". Why?
P.S.: Setting a single ClaimsProviderName to "Identity Provider X" on Web API "XYZ" made no difference (nor did I expect it to).
Turns out ADFS relies on the following claim type in the access-token for Web API "ABC":
http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype
Error went away as soon as I added that claim.
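Worked example, added here and not part of the question or the answer above: one way to add the missing anchorclaimtype claim is an issuance transform rule on the Web API "ABC" application, applied with the ADFS PowerShell cmdlets. The names "ABC" and "Identity Provider X" come from the thread; everything else is an assumption, in particular the value of the anchorclaimtype claim, which this example takes from the AnchorClaimType property of the Claims Provider Trust (the answer does not say which value was used).

```powershell
# Added example (not from the original question or answer).
# Assumptions: Web API application "ABC", Claims Provider Trust "Identity Provider X",
# run on the primary ADFS server in an elevated PowerShell session.
Import-Module ADFS

$webApiName = 'ABC'
$cptName    = 'Identity Provider X'
$anchorClaimTypeClaim = 'http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype'

# Assumption: the anchorclaimtype claim carries the URI of the anchor claim type
# configured on the Claims Provider Trust (the claim that identifies the user).
$cpt = Get-AdfsClaimsProviderTrust -Name $cptName
if (-not $cpt) {
    throw "Claims Provider Trust '$cptName' not found."
}
if (-not $cpt.AnchorClaimType) {
    throw "Claims Provider Trust '$cptName' has no AnchorClaimType; set it with " +
          "Set-AdfsClaimsProviderTrust -TargetName '$cptName' -AnchorClaimType <claim type URI> first."
}
$anchorValue = $cpt.AnchorClaimType

# Claim rule language: only issue the anchorclaimtype claim when the anchor claim
# itself is present in the incoming claim set, so a token without the anchor
# claim does not get a dangling pointer to a claim type that is missing.
$newRule = @"
@RuleName = "Issue anchorclaimtype for on-behalf-of (added example)"
c:[Type == "$anchorValue"]
 => issue(Type = "$anchorClaimTypeClaim", Value = "$anchorValue");
"@

$app = Get-AdfsWebApiApplication -Name $webApiName
if (-not $app) {
    throw "Web API application '$webApiName' not found."
}

# Keep the existing issuance rules; append the new one only once (idempotent).
$existingRules = [string]$app.IssuanceTransformRules
if ($existingRules -like "*$anchorClaimTypeClaim*") {
    Write-Host "Web API '$webApiName' already issues $anchorClaimTypeClaim; nothing to do."
    return
}
$combinedRules = if ($existingRules) { $existingRules.TrimEnd() + "`n" + $newRule } else { $newRule }

Set-AdfsWebApiApplication -TargetName $webApiName -IssuanceTransformRules $combinedRules

# Verify what is now configured on the Web API before retrying the on-behalf-of request.
(Get-AdfsWebApiApplication -Name $webApiName).IssuanceTransformRules
```

After applying the rule, retry the on-behalf-of exchange for Web API "XYZ" and decode the access token issued for "ABC": it should now contain both the anchor claim and the anchorclaimtype claim pointing at it. If the value ADFS expects differs from the Claims Provider Trust's AnchorClaimType in your deployment, adjust `$anchorValue` accordingly; the example deliberately reads it from the trust rather than hard-coding "providerxaccountname" or "windowsaccountname".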