2.2.4.2 Artifact

The artifact object is created by an AD FS server when it successfully processes an OAuth client's request for authorization, and is generated along with the OAuth authorization code. Before issuing an OAuth authorization code to the OAuth client, the AD FS server stores the artifact object in its artifact store.

Subsequently, when the OAuth client requests an access token by using the authorization code as specified in [RFC6749], the AD FS server processing the request extracts the artifact identifier from the authorization code that was presented by the OAuth client, and also determines which AD FS server issued that authorization code. If the authorization code was issued by the server processing the request, the server examines its local artifact store for an artifact object corresponding to the authorization code.

If the authorization code was issued by another AD FS server in the farm, the server processing the OAuth client's token request uses the ADFSOAL Protocol to look up the authorization code on the AD FS server that issued it. If the authorization code was found on the other AD FS server, the artifact object is returned to the calling AD FS server, that is, to the AD FS server processing the token request. After performing required validation as specified in section 3.1.5.1.1.3, the AD FS server processing the token request responds to the OAuth client with the access token contained in the artifact object.

The artifact object contains the following fields.

 {
         "description" : "artifact object",
         "type" : "object",
         "properties" :
         {
             "id": 
             {
                   "type":"array",
                   "optional":false,
                   "items" : { "type" : "integer", "minimum": 0, "maximum":255}
             },
             "clientId": {"type":"string", "optional":false},
             "redirectUri": {"type":"string", "optional":false},
             "relyingPartyIdentifier": {"type":"string", "optional":false},
             "data": {"type":"string", "optional":false}
         }
 }

id:  The identifier for the artifact. This field contains the same value as the artifactId field of the corresponding authorization code (section 2.2.4.1).

clientId:  The client identifier [RFC6749] for the OAuth client that originally requested the OAuth authorization code to which this artifact corresponds.

redirectUri:  The redirection URI [RFC6749] specified by the OAuth client that originally requested the OAuth authorization code to which this artifact corresponds.

relyingPartyIdentifier:  The identifier for the relying party for which the OAuth client originally requested the OAuth authorization code to which this artifact corresponds.

data:  Contains the access token and other auxiliary information that was issued by the AD FS server that generated the OAuth authorization code to which this artifact corresponds.

The data field of the artifact object is a JavaScript Object Notation (JSON) formatted string that adheres to the following structure, as defined in [RFC6749] section 4.1.4.

 {
     "access_token": {"type":"string", "optional":false},
     "token_type": {"type":"string", "optional":false},
     "expires_in": {"type":"integer", "optional":false},
     "refresh_token": {"type":"string", "optional":true}
 }
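The following Python model illustrates the artifact lifecycle described above: an artifact is stored on the issuing server when the authorization code is generated, the server handling the token request either reads its local artifact store or performs the ADFSOAL lookup against the issuing farm member, and the access token in the data field is released only after the artifact is checked against the redeeming client. This is added illustrative code, not part of [MS-ADFSOAL] and not AD FS code. Its assumptions are not taken from this section: the authorization code is modelled as a JSON string carrying "artifactId" (the same byte array as the artifact's id) and "issuer" (the farm server that minted it), the ADFSOAL lookup is a plain function call, and the validation performed before releasing the token is the client_id / redirect_uri binding check of [RFC6749] section 4.1.3 rather than the exact list in section 3.1.5.1.1.3.

```python
"""Illustrative model of the artifact store and token-request flow (added
example, not AD FS code). Assumptions not from the spec text: the code is a
JSON string {"artifactId": [...], "issuer": "..."}; ADFSOAL lookup is a
function call; validation is the RFC 6749 4.1.3 client_id/redirect_uri check."""
import json
import os
from dataclasses import dataclass


@dataclass
class Artifact:
    id: list                    # bytes 0..255, per the schema above
    clientId: str
    redirectUri: str
    relyingPartyIdentifier: str
    data: str                   # JSON: access_token, token_type, expires_in[, refresh_token]

    def validate_schema(self) -> None:
        if not all(isinstance(b, int) and 0 <= b <= 255 for b in self.id):
            raise ValueError("id must be an array of integers in 0..255")
        token = json.loads(self.data)
        for req in ("access_token", "token_type", "expires_in"):
            if req not in token:
                raise ValueError(f"data is missing required field {req}")


class ArtifactStore:
    """One server's local artifact store, keyed by the artifact id bytes."""
    def __init__(self) -> None:
        self._items: dict = {}

    def put(self, art: Artifact) -> None:
        art.validate_schema()
        self._items[bytes(art.id)] = art

    def take(self, artifact_id: bytes):
        # pop rather than get: an authorization code is redeemable once
        return self._items.pop(artifact_id, None)


# Constructed two-server farm; LOCAL_SERVER handles the token requests below.
FARM = {"adfs1": ArtifactStore(), "adfs2": ArtifactStore()}
LOCAL_SERVER = "adfs1"


def issue_code(server: str, client_id: str, redirect_uri: str,
               rp_id: str, access_token: str) -> str:
    """Authorization step on `server`: store the artifact, return the code."""
    art_id = list(os.urandom(16))  # random artifact id (assumed format)
    data = json.dumps({"access_token": access_token, "token_type": "bearer",
                       "expires_in": 3600})
    FARM[server].put(Artifact(art_id, client_id, redirect_uri, rp_id, data))
    return json.dumps({"artifactId": art_id, "issuer": server})


def adfsoal_lookup(issuer: str, artifact_id: bytes):
    """Stand-in for the ADFSOAL request to the farm member that issued the code."""
    store = FARM.get(issuer)
    return store.take(artifact_id) if store else None


def redeem_code(code: str, client_id: str, redirect_uri: str) -> dict:
    """Token-endpoint handling of an authorization_code grant on LOCAL_SERVER."""
    parsed = json.loads(code)
    artifact_id = bytes(parsed["artifactId"])
    if parsed["issuer"] == LOCAL_SERVER:
        art = FARM[LOCAL_SERVER].take(artifact_id)
    else:
        art = adfsoal_lookup(parsed["issuer"], artifact_id)
    if art is None:
        raise PermissionError("invalid_grant: unknown or already redeemed code")
    # Binding check: the client redeeming the code and the redirect URI it
    # presents must equal those recorded when the code was issued.
    if art.clientId != client_id or art.redirectUri != redirect_uri:
        raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
    return json.loads(art.data)


def try_redeem(code: str, client_id: str, redirect_uri: str):
    """Return the token response dict, or the OAuth error code on failure."""
    try:
        return redeem_code(code, client_id, redirect_uri)
    except PermissionError as exc:
        return str(exc).split(":")[0]


if __name__ == "__main__":
    code = issue_code("adfs2", "client-a", "https://app.example/cb", "urn:rp:a", "tok-1")
    print(try_redeem(code, "client-a", "https://app.example/cb"))   # cross-server success
    print(try_redeem(code, "client-a", "https://app.example/cb"))   # replay rejected
    code2 = issue_code("adfs1", "client-a", "https://app.example/cb", "urn:rp:a", "tok-2")
    print(try_redeem(code2, "client-a", "https://evil.example/cb")) # binding mismatch rejected
```

Because the store removes the artifact on the first lookup, a token request that fails the binding check also consumes the code; a later request with the correct client_id and redirect_uri is then refused as well. That is a deliberate choice in this model, so that a probe with a stolen code cannot be followed by a successful redemption.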