5

I set up ADFS 3.0 for OAuth2 and I finally got the "Access-Token" on my client app.

Something like this:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{ 
    "access_token":"<access_token>",
    "token_type":"bearer",
    "expires_in":3600
}

The token consists of a header part, a payload and a signature.

Now I send the request with the token to my resource server, and I want to validate the token from my resource server against ADFS (auth server and IdP).

This is my certificate on ADFS:

CertificateType : Token-Signing
IsPrimary       : True
StoreLocation   : CurrentUser
StoreName       : My
Thumbprint      : xyz

How can this be done?

Update: some info about the token:

Header:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "abc"
}

Payload:

{
  "aud": "https://serverurl",
  "iss": "http://.../adfs/services/trust",
  "iat": 1473063317,
  "exp": 1473066917,
  "auth_time": "2016-09-05T08:15:17.875Z",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "ver": "1.0",
  "appid": "some-uid"
}

Signature:

RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  certificate/secret
)

Planned authorization grant flow (short version, no auth grant code details):

We have our own client app (issuer) that requests a token from the ADFS (auth + IdP), then sends the token + request to the resource server, and the resource server should then validate the token against ADFS. What I am missing is some endpoint from the ADFS that tells me whether the signature/token is valid. There's an /adfs/oauth2 endpoint on the ADFS server (where I also got the access grant from), but there's somewhat of a lack of documentation from Microsoft...

Gobliins
  • The Microsoft documentation on ADFS's OAuth 2 implementation is non-existent. How did you solve this problem? I have the same question. – Rob L May 09 '17 at 20:44

1 Answer

2

You want to validate the signature.

If so, refer to OAuth2 : Verifying the Azure AD JWT signature.

Essentially, use "well-known/openid-configuration" to get "common/discovery/keys" and then build the certificate from that.

rbrayb
  • If validating the signature is proof enough, I say yes. But I must admit that I don't understand this link at all. Is a connection to Azure required? Why can't I use my own ADFS server for validation? – Gobliins Sep 08 '16 at 08:15
  • No - forget the Azure part - it's just how you verify the signature. Also check things like: is it the correct audience, is it the expected issuer, has the token expired, etc. Refer to RFC 7662. – rbrayb Sep 08 '16 at 19:13
  • You can use the ADFS of your own organisation. The only part is, when you use third-party authentication in your app, you have to trust the identity server of your organisation so that the token provided by the identity server that belongs to your organisation can be validated by your app. Mainly it's the issuer you have to trust. – Mitra Ghorpade Sep 08 '16 at 21:43
  • Yes, I want to do that but I don't know how... I have put some updates in the question. – Gobliins Sep 09 '16 at 08:02
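The following is a worked version of what the answer and its comments describe, added here as an example; it is not code from the question, the answer, or Microsoft. A self-signed stand-in for the ADFS Token-Signing certificate plays the issuer, a constructed keys document stands in for what the discovery "keys" endpoint publishes (x5c = the DER certificate, x5t = its SHA-1 thumbprint), and the resource server validates the token entirely offline: it pins the algorithm to RS256, matches the header's x5t against the published certificates, checks the signature over `base64url(header).base64url(payload)`, and only then checks iss, aud and exp. The issuer and audience URLs are hypothetical; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical stand-ins for the asker's ADFS issuer and resource-server URL.
const Issuer, Audience = "http://adfs.example.com/adfs/services/trust", "https://serverurl"

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// Claims is the subset of the ADFS payload the resource server must check.
type Claims struct {
	Aud string `json:"aud"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// NewSigningCert builds a self-signed stand-in for the ADFS Token-Signing certificate.
func NewSigningCert() (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}

// Thumbprint is the JWT "x5t" header value: base64url(SHA-1(DER certificate)).
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return b64.EncodeToString(sum[:])
}

// KeysDocument is a constructed copy of what the discovery "keys" endpoint serves:
// each signing certificate as base64 DER (x5c) alongside its thumbprint (x5t).
func KeysDocument(der []byte) []byte {
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","use":"sig","x5t":%q,"x5c":[%q]}]}`,
		Thumbprint(der), base64.StdEncoding.EncodeToString(der)))
}

// Sign mints a token the way ADFS does: RS256 over base64url(header) "." base64url(payload).
func Sign(key *rsa.PrivateKey, der []byte, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256", "x5t": Thumbprint(der)})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// Verify is the resource-server side. Nothing is sent to ADFS per request; only the
// (cacheable) keys document is needed. Signature first, then iss, aud and exp.
func Verify(token string, keysJSON []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct{ Alg, X5t string } // encoding/json matches "alg"/"x5t" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must not choose it ("none", HS256 keyed with the public key, ...).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	// Find the published certificate whose thumbprint matches x5t. A malformed keys
	// document just leaves pub nil, which fails closed below.
	var ks struct{ Keys []struct{ X5t string; X5c []string } }
	_ = json.Unmarshal(keysJSON, &ks)
	var pub *rsa.PublicKey
	for _, k := range ks.Keys {
		if k.X5t != hdr.X5t || len(k.X5c) == 0 {
			continue
		}
		der, _ := base64.StdEncoding.DecodeString(k.X5c[0])
		if cert, err := x509.ParseCertificate(der); err == nil {
			pub, _ = cert.PublicKey.(*rsa.PublicKey)
		}
	}
	if pub == nil {
		return nil, errors.New("no published signing certificate matches x5t")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != Issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != Audience:
		return nil, fmt.Errorf("token not issued for this server: aud %q", c.Aud)
	case time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, der := NewSigningCert()
	tok := Sign(key, der, Claims{Aud: Audience, Iss: Issuer, Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(Verify(tok, KeysDocument(der)))
}
```

Two practical checks follow from this. The Thumbprint that Get-AdfsCertificate prints for the Token-Signing certificate is the same SHA-1 digest in hex, so the x5t in the token header should base64url-decode to exactly those bytes; if it does not, the token was signed by a different certificate (for example the secondary one after a rollover), which is also why a real resource server should re-fetch the keys document when it sees an unknown x5t rather than hard-coding one certificate. And the order of the checks matters: the claims are only trusted after the signature has been verified against a published certificate and the algorithm has been pinned, never the other way round.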