This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 35%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
AD FS, since Windows Server 2016, contains partial support for an early draft of OAuth 2.0 Token Exchange (on_behalf_of). The spec was finalized as RFC 8693 in january .
Is there any work ongoing to update AD FS in Windows Server 2019 to support (parts of?) the final spec, e.g. adjust parameter names and values, supporting both delegation, impersonation and exchanging SAML tokens to JWT tokens?
// Michael
AD FS (Active Directory Federation Services) is a Windows Server component that provides Single Sign-On (SSO) and identity federation capabilities. The support for OAuth 2.0 Token Exchange (specifically the "on_behalf_of" flow) in AD FS, as of Windows Server 2016, indicated that Microsoft was moving towards adopting modern identity protocols and standards to enhance its authentication and authorization capabilities.