0

Looking for a way to get an app access token that can make calls to an API without making the user sign in. I have accomplished this use case using Azure AD where I get an app access token to write documents to a SharePoint library. I am not familiar enough with on prem AD FS and how to access getting an access token using a client secret so I don't have to interfere with the user.

Background
We have built a custom help desk application on a set of APIs. Our goal is to be able to create tickets from other systems (applications) that require a ticket to be created. The idea is to generate an access token that has permission to the API so I can create the ticket without the user being prompted to login since the ticket will not be specific to the user in some cases.

Example Use Case
We have an application that provisions non-employees to access resources in our environment. These non-employees have end dates associated to them, when the end date is passed and they were not renewed beforehand, a ticket will need to be generated for a team to update their record in AD.

What I have done
I have created a 'server application' in AD FS and generated a client secret. I am able to make a request and get an access token using the client secret, however, it is not 'linked' per say to the Wep API I need to call.

How would I give permission to the server application to access the web API?

Additional We are using AD FS on Server 2016.

Brian Smith
  • 1,467
  • 15
  • 31

2 Answers2

1

You need the confidential client flow.

Essentially, you configure an application and a web API.

By default, the application has permission to call that web API but you can play around with the access control policies.

Also note that you can configure claims rules on the web API.

This may also be useful.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • Those links are very helpful. I have ran across the first one but the second one was new. The application group was already created a while back and I need to create a brand new 'server application' that can access resources for a web api in the same group. What I am missing is how to create that link or set permissions for X api. When I enter a resource parameter , I always get 'Unauthorized_client'. – Brian Smith Jul 09 '18 at 15:55
0

Found the issue causing the token I was receiving via the server application to give me an 'Authorization denied' response from the API.

It turns out that the AD FS configuration was correct, the issue was in my API with the valid audience and valid issuer.

app.UseActiveDirectoryFederationServicesBearerAuthentication(new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            MetadataEndpoint = ConfigurationManager.AppSettings["ADFS:MetadataEndpoint"],
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidAudiences = GetValidAudiences(),
                ValidIssuers = GetValidIssuers()
            }
        });

I needed to include the issuer and the audience that the server app was providing in the Access Token

ValidIssuer Example

microsoft:identityserver:{appIdentifier}

ValidAudience Example

http://{fqdn}/adfs/services/trust

upon adding those to the validIssuer and validAudience the access token worked perfectly.

Brian Smith
  • 1,467
  • 15
  • 31