3.1.5.1.1.3 Processing Details

When an AD FS server receives a request from an OAuth client to redeem an OAuth authorization code, it performs the following operations before determining whether to look up the authorization code on another AD FS server in its AD FS farm:

  • It extracts the issuerGuid and the artifactId from the given authorization code. The format of the authorization code is defined in section 2.2.4.1.

  • If the issuerGuid is null or empty or corresponds to its own machine GUID, the AD FS server does not invoke the ADFSOAL Protocol. This means that the received OAuth authorization code was originally issued by the AD FS server itself and therefore there is no need to look up the artifact identifier on another AD FS server.

  • If the issuerGuid does not match the above criteria, the AD FS server queries Active Directory (for the attributes defined in section 2.3) to find the computer account whose objectGUID matches the value of the issuerGuid that was extracted from the received OAuth authorization code.

    • If a corresponding computer account was found in Active Directory, the following steps are taken.

      1. The AD FS server implementing the client role of the ADFSOAL Protocol, that is, the AD FS server that received the token request from the OAuth client, determines the dnsHostName from the AD computer object (section 2.3). This is the AD FS server that originally issued the OAuth authorization code.

      2. The AD FS server implementing the client role of the ADFSOAL Protocol then issues an HTTP GET request to the AD FS server identified in step 1 using the protocol described by this document in order to look up the artifact identifier (artifactId) and retrieve a corresponding artifact. If the server was able to complete the lookup operation successfully, an artifact object is returned in the HTTP GET response. The format of the artifact returned in the HTTP GET response is documented in section 2.2.4.2 of this document.

      3. The contents of the data field (section 2.2.4.2) in the artifact received in the HTTP GET response from the AD FS server implementing the server role of the ADFSOAL Protocol are then returned to the OAuth client in accordance with the requirements of [RFC6749] section 5.1 (Successful Response).

    • If a corresponding computer account was not found in Active Directory, the AD FS server that received the token request from the OAuth client responds to the OAuth client with an invalid_grant error as specified in [RFC6749] section 5.2 (Error Response).
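The decision logic above, as an added worked example. This is illustration code written for this section, not the ADFSOAL specification's own code and not AD FS's implementation. Everything concrete in it is assumed or constructed: the authorization-code encoding (base64url of a 16-byte issuerGuid followed by a 16-byte artifactId, with the issuerGuid simply absent in the "null or empty" case) stands in for the real format in section 2.2.4.1; the Active Directory query and the ADFSOAL HTTP GET are replaced by in-memory lookups over a constructed two-server farm; the GUIDs, host names and token payloads are made up; and the two failure paths the section does not spell out (a local artifact miss, and a remote lookup that returns nothing) are mapped to invalid_grant as an assumption.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import Optional

GUID_LEN = 16  # a GUID is 16 bytes

# ASSUMED wire format, a stand-in for section 2.2.4.1 (not reproduced here):
# base64url( issuerGuid[16, Windows little-endian GUID layout] || artifactId[16] ).
# A code carrying only the 16-byte artifactId models the spec's "null or empty" issuerGuid.
def encode_authorization_code(issuer_guid: Optional[uuid.UUID], artifact_id: uuid.UUID) -> str:
    raw = (issuer_guid.bytes_le if issuer_guid is not None else b"") + artifact_id.bytes_le
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_authorization_code(code: str) -> tuple[Optional[uuid.UUID], uuid.UUID]:
    raw = base64.urlsafe_b64decode(code + "=" * (-len(code) % 4))  # restore padding
    if len(raw) == GUID_LEN:
        return None, uuid.UUID(bytes_le=raw)
    if len(raw) == 2 * GUID_LEN:
        return uuid.UUID(bytes_le=raw[:GUID_LEN]), uuid.UUID(bytes_le=raw[GUID_LEN:])
    raise ValueError("malformed authorization code")

@dataclass
class Artifact:
    artifact_id: uuid.UUID
    data: dict  # the data field returned to the OAuth client (RFC 6749 section 5.1 shape)

INVALID_GRANT = {"error": "invalid_grant"}  # RFC 6749 section 5.2

def redeem_authorization_code(code, own_guid, local_artifacts, ad_find_computer, adfsoal_get):
    """Client-role processing for one token request carrying an authorization code."""
    issuer_guid, artifact_id = parse_authorization_code(code)
    # Code issued by this server (or no issuer at all): no ADFSOAL call, answer locally.
    if issuer_guid is None or issuer_guid == own_guid:
        art = local_artifacts.get(artifact_id)
        return art.data if art is not None else INVALID_GRANT  # local miss: assumption
    # Foreign issuer: resolve the issuing server through AD by objectGUID, never from the code.
    dns_host_name = ad_find_computer(issuer_guid)
    if dns_host_name is None:
        return INVALID_GRANT  # no computer account: the error the section prescribes
    # ADFSOAL HTTP GET to the issuing server for the artifact.
    art = adfsoal_get(dns_host_name, artifact_id)
    if art is None:
        return INVALID_GRANT  # failed remote lookup: assumption, not stated in this section
    return art.data

# --- constructed two-server farm standing in for AD and the ADFSOAL server role ---
SERVER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up objectGUIDs
SERVER_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
UNKNOWN = uuid.UUID("deadbeef-0000-0000-0000-000000000000")     # no computer account
ART_A = uuid.UUID("aaaaaaaa-0000-0000-0000-000000000001")       # made-up artifactIds
ART_B = uuid.UUID("bbbbbbbb-0000-0000-0000-000000000002")
AD_COMPUTERS = {SERVER_A: "adfs01.corp.example", SERVER_B: "adfs02.corp.example"}
ARTIFACT_STORES = {
    SERVER_A: {ART_A: Artifact(ART_A, {"access_token": "tokA", "token_type": "bearer", "expires_in": 3600})},
    SERVER_B: {ART_B: Artifact(ART_B, {"access_token": "tokB", "token_type": "bearer", "expires_in": 3600})},
}

def fake_ad_find_computer(object_guid: uuid.UUID) -> Optional[str]:
    """Stand-in for the AD query: objectGUID -> dnsHostName (section 2.3 attributes)."""
    return AD_COMPUTERS.get(object_guid)

def fake_adfsoal_get(dns_host_name: str, artifact_id: uuid.UUID) -> Optional[Artifact]:
    """Stand-in for the HTTPS GET to the issuing server; served from the constructed store."""
    for guid, host in AD_COMPUTERS.items():
        if host == dns_host_name:
            return ARTIFACT_STORES[guid].get(artifact_id)
    return None

def run_scenarios() -> dict:
    """Server A redeems four codes: its own, one with no issuer, one from peer B, one from an unknown issuer."""
    codes = {
        "own": encode_authorization_code(SERVER_A, ART_A),
        "no_issuer": encode_authorization_code(None, ART_A),
        "farm_peer": encode_authorization_code(SERVER_B, ART_B),
        "unknown_issuer": encode_authorization_code(UNKNOWN, ART_B),
    }
    return {name: redeem_authorization_code(c, SERVER_A, ARTIFACT_STORES[SERVER_A],
                                            fake_ad_find_computer, fake_adfsoal_get)
            for name, c in codes.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15} -> {result}")
```

The point worth noticing in the control flow is where the target host comes from: the receiving server takes only a GUID from the client-supplied code and derives dnsHostName from the matching computer object in Active Directory, so a code cannot steer the lookup at an arbitrary host, and a GUID with no computer account ends the request with invalid_grant before any HTTP request is made.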