Several question on Oauth2 on ADFS Server 2016

MrEco 1 Reputation point
2020-05-13T20:53:14.543+00:00

Hi all,

I'm used to working with ADFS for a long time already and recenlty I was asked to do a proof of concept with Oauth2 on ADFS.
Struggling through terminology I managed to set most things up, but still I do have some unanswered questions. Hope someone can shed some light on these...

  • For SAML / WS-Fed relying parties, it is possible to set custom web content, using Set-AdfsRelyingPartyWebContent. Is this also possible for web api relying parties created in an application group?
  • Would it be possible to add claims to a client authenticated with client_id / client_secret (server application in ADFS terms) when using the client credentials grant flow?
  • Even after setting the 'IssueOAuthRefreshTokensTo' 'AllDevices' on the web api application, I still don't receive refresh tokens. What am I missing here?
  • When posting a token issued by our ADFS on e.g. jwt.io I receive an 'signature validation' error. How can we resolve that?
  • We would like to set an audience for the access tokens, so applications can use the audience instead of using the appid to verify if they can consume the token. Can we modify the audience?
  • What does add-adfsclient do? Does it create a client_id, which can then be linked to a relying party (with Grant-AdfsApplicationPermission), thus enabling OAuth2 for an existing relying party?
  • When configuring a ad user principal for a server application and use 'password' as grant_type with the client credentials grant flow, I cannot seem to find the correct syntax, as ADFS always give the error 'MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.'. I have used the syntax 'user@fqdn' for the username.

Thanks you for helping me out here!

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,201 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vahid Ghafarpour 18,370 Reputation points
    2023-08-27T02:49:56.8866667+00:00

    ADFS, by design, typically doesn't add claims directly when using client credentials. Claims are usually associated with the identity of a user and are often issued in the context of user authentication. However, you might be able to manipulate some claims through custom claim rules.

    0 comments