3

Any ideas why this is. I have configured a Server Application and a Web API and an ID Token, Access Token & Refresh token is issued. However calling the userinfo endpoint return a 401 with the following header message:

WWW-Authenticate →Bearer error="invalid_token", error_description="MSIS9920: Received invalid UserInfo request. The access token in request is not valid."

The access token is valid according to http://jwt.io

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVVbEw5a1JocDJNLUVzTDlBRDJOQ055aHZtdyJ9.eyJhdWQiOiJ1cm46bWljcm9zb2Z0OnVzZXJpbmZvIiwiaXNzIjoiaHR0cDovL3Rlc3Rsb2dpbi51bm9wcy5vcmcvYWRmcy9zZXJ2aWNlcy90cnVzdCIsImlhdCI6MTQ4NjYyOTUxOSwiZXhwIjoxNDg2NjMzMTE5LCJhcHB0eXBlIjoiQ29uZmlkZW50aWFsIiwiYXBwaWQiOiJrbnVkIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwiYXV0aF90aW1lIjoiMjAxNy0wMi0wOVQwODozMjo1Ny4xNDZaIiwidmVyIjoiMS4wIiwic2NwIjoib3BlbmlkIiwic3ViIjoiM2krUGlyRncwSVlkdDVzTVNKQlpKbjVOTXZVWXZVdyt2WHI2Ujd1N0dBZz0ifQ.ajKtSk0xQE1crJkIA-lMLBZj2DtYE6xQo-Stmevh4pOGX17GEePbAFP-g6qPUwtGT_whVj74wRpSlyTBscp2JDsp_CW2E6BsTUI810S6jYRVjkYGxL1QcL1KoKJ8wyYKcxsCeOY2IUKNPnJOxV53Rs8E9EvJgjcsjTJHQw5Z_zC43dsTfCZvVfGrwJ3nn6BGxhIE_bEXvrWdgmg49V7-KK2kVDbDwJGr1iLpqU88-bkHdjGCIuc8XKX5pobWWlcyBmR_dpACM6Tu-d8jYJ_8mbof-eZrqn8YS61rgvRAhAAONyDklWcPgiYnhcMQVHZoCME-rVTjI6LDDY2czhL0rg
Kristoffer
  • 31
  • 1
  • 3

2 Answers2

3

This question is asked long time ago but let me share my experience. if you want to execute ADFS 4.0 userInfo endpoint(win server 2016) in a hope to get User profile but what i experienced is it return only Sub attribute ex:

{
    "sub": "MpR57wSIQz1kiR2uUMrkCQadbgDoztWmMV863Dugdso="
}

for anyone to try UserInfo endpoint you need to modify your application group, add api with Identitfier https://adfs.example.com/adfs/userinfo & at Client permission tab tick openId.

for execution of userinfo

Ex: 

curl -X GET \
  https://adfs.example.com/adfs/userinfo \
  -H 'Authorization: Bearer ACCESS_TOKEN

Note: In your Acquire Accesstoken code you need to pass your resource = urn:microsoft:userinfo

The ADFS userinfo endpoint always returns the subject claim as specified in the OpenID standards. AD FS does not provide additional claims requested via the UserInfo endpoint. If you need additional claims in ID token, refer to Custom ID Tokens in AD FS.

Nawaf
  • 424
  • 5
  • 17
0

I've only done this once so I don't have much suggestions to make yet. So I cant make any suggested unless there is more detail.

You should try and get more evidence from the AD FS side. Enable debug logs using 

wevtutil sl "ad fs tracing/debug" /l:5 /e:true

Do the repro and then disable logs as follows.

wevtutil sl "ad fs tracing/debug" /e:false

Then export the logs to view using 

wevtutil epl "ad fs tracing/debug" c:\temp\userinfoerr.evtx

Open that event log in event viewer and have look and see what other errors are reported around validating the JWT.

maweeras
  • 783
  • 4
  • 12