3.2.5.2.1.3 Processing Details

The processing details are the same as those specified in [MS-OAPX] section 3.2.5.1.1.3, with the following additions.

The AD FS server processes the x-ms-RefreshTokenCredential HTTP header as follows.

  1. The AD FS server checks the security policy of the resource owner to verify that user credentials received from a previously issued token can be used to authenticate and authorize users.

  2. The server verifies the signature of the header and also verifies that the request_nonce is a nonce value previously issued by the server as defined in section 3.2.5.1.1. The server SHOULD<12> also verify that the nonce was issued recently. If the signature or the request_nonce is invalid, the server ignores the x-ms-RefreshTokenCredential HTTP header; if the x-ms-DeviceCredential HTTP header is present, the server processes it as described below, otherwise it continues processing the request as in [MS-OAPX] section 3.2.5.1.1.3.

  3. The AD FS server extracts the primary refresh token from the refresh_token field of the x-ms-RefreshTokenCredential HTTP header. If the refresh token provided is a valid primary refresh token that was previously issued by the server, then the AD FS server authenticates the user and device to which the primary refresh token was issued and continues processing the request as in [MS-OAPX] section 3.2.5.1.1.3.

If the AD FS server did not receive a valid x-ms-RefreshTokenCredential HTTP header, then it processes a received x-ms-DeviceCredential HTTP header as follows:

  1. The server verifies the signature of the header and also verifies that the request_nonce is a nonce value previously issued by the server as defined in section 3.2.5.1.1. The server SHOULD<13> also verify that the nonce was issued recently. If the signature or the request_nonce is invalid, the server ignores the x-ms-DeviceCredential HTTP header and continues processing the request. If the signature is valid, then the AD FS server authenticates the device and continues processing the request as in [MS-OAPX] section 3.2.5.1.1.3.
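The two procedures above (policy check, signature and nonce verification, PRT lookup, fall-back to the device credential) as an added server-side illustration that is not part of the specification. The header is modelled as a compact "header.payload.signature" string with an HMAC-SHA256 signature; the spec only states that the headers are signed, so the algorithm, key handling, claim layout and the 300-second recency window are assumptions, and all inputs are constructed.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the signed header format (assumption, not from the spec):
# compact "header.payload.signature", HMAC-SHA256 over "header.payload".
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_header(claims: dict, key: bytes) -> str:
    """Build a header value as a client would; used only to construct sample input."""
    body = _b64url(b'{"alg":"HS256"}') + "." + _b64url(json.dumps(claims).encode())
    return body + "." + _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

class NonceStore:
    """Nonces the server issued (section 3.2.5.1.1), keyed to their issue time."""
    def __init__(self, max_age_s: int = 300):          # recency window is an assumption
        self.issued, self.max_age_s = {}, max_age_s
    def issue(self, nonce: str, now: float) -> None:
        self.issued[nonce] = now
    def is_valid(self, nonce, now: float) -> bool:
        # MUST: previously issued by this server. SHOULD: issued recently.
        if not isinstance(nonce, str):
            return False
        issued_at = self.issued.get(nonce)
        return issued_at is not None and now - issued_at <= self.max_age_s

def verify_signed_header(token: str, key: bytes, nonces: NonceStore, now: float):
    """Signature first, then request_nonce; returns the claims, or None (header ignored)."""
    try:
        head, payload, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not nonces.is_valid(claims.get("request_nonce"), now):
        return None
    return claims

def process_credentials(headers: dict, key: bytes, nonces: NonceStore, valid_prts: set,
                        policy_allows_prt: bool, now: float) -> str:
    """Returns what the server authenticated: 'user+device', 'device' or 'none'."""
    rtc = headers.get("x-ms-RefreshTokenCredential")
    if rtc and policy_allows_prt:                                   # step 1: policy check
        claims = verify_signed_header(rtc, key, nonces, now)        # step 2: signature + nonce
        prt = claims.get("refresh_token") if claims else None       # step 3: known PRT?
        if isinstance(prt, str) and prt in valid_prts:
            return "user+device"
    dc = headers.get("x-ms-DeviceCredential")   # no valid PRT header: try the device credential
    if dc and verify_signed_header(dc, key, nonces, now):
        return "device"
    return "none"                               # continue as in [MS-OAPX] section 3.2.5.1.1.3
```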

If the client provided a referred token-binding ID using the tbidv2 POST body parameter ([MS-OAPX] section 2.2.3), the AD FS server secures the response Access Token with the referred token-binding ID that was provided.