0

I've got a client side app which I'm authenticating with ADFS and react-adal and I've got most of it working but can't seem to find a way to request the access token (and therefore refresh token) with the id_token which is all I get in return from ADFS.

At the moment the React app forwards the user to ADFS to sign in, this then authenticates the token and I want to be able to get the userinfo (Name, Surname, roles etc...) from the /adfs/userinfo endpoint but need the bearer token to do so.

Currently my componentWillMount function looks like this

componentWillMount = () => {
    axios.get('/home/AuthenticationContext').then((response) => {
        this.adalAuthentication = new AdalAuthentication(response.data);
        if (this.adalAuthentication.authenticateToken()) { // checks if authenticated with adfs, not app
            var error = this.adalAuthentication.Instance.getLoginError();
            if (error === "") {
                // id_token read back from the adal cache and sent to the same-origin controller
                axios({
                    method: 'get',
                    url: '/identity/completeLogin/' + this.adalAuthentication.Instance.getCachedToken(this.adalAuthentication.Instance.config.clientId)
                }).then((response) => { console.log(response) });
                this.setState({
                    loggedIn: true
                });
            }
            else {
                this.setState({
                    error: error
                });
            }
        }
    }); // closes the .then callback of the first request
}

The point I'm stuck at is the second axios get method; this hits a controller action on the same origin.

    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;

    [HttpGet("completeLogin/{id_token}")]
    public async Task<IActionResult> CompleteLogin(string id_token)
    {
        var client = new HttpClient();
        // scheme and parameter are separate arguments, so the header is sent as "Bearer <token>"
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", id_token);
        var response = await client.GetAsync("https://adfs.domain/adfs/userinfo");

        return View();
    }

Of course the response returns unauthorised. I can't find any information about how to get an access token from the id_token or any way to get an access token from React in the front end using the Adal.js library, has anyone got past this?

EDIT: the only info I get from the id_token is below.

{
    "userName": "bob@email.com",
    "profile": {
        "aud": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "auth_time": 1544777683,
        "exp": 1544793006,
        "iat": 1544789406,
        "iss": "https://adfs.domain/adfs",
        "mfa_auth_time": 1544777705,
        "nonce": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "sid": "x-x-x-xx-xxxxxxxxxx-xxxxxxxx-xxxxxxxxxx-xxxx",
        "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "unique_name": "T1234\\bob",
        "upn": "bob@email.com"
    }
}
James Morrison
  • 1,954
  • 2
  • 21
  • 48
  • It seems like you are doing a few things backwards. I'd lay down some authentication middleware and protect that controller as a first point of call. You can replay the token to get user info if you want but this would usually be a client side task. I can also see an immediate issue with your code where there is no space between Bearer and token. It could be that simple. – BlueWater86 Jan 25 '19 at 10:24

1 Answer

0

This seems to be a general problem with the adal.js library.

There is a workaround described here that may be of help.

Essentially, change the GET to a POST.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • Thanks for the advice, I've tried that but still no joy. I've found another endpoint on adfs adfs/oauth2/token but still can't get back an access code. I'm thinking I may have to switch to oidc – James Morrison Dec 18 '18 at 09:09
  • Did you look here - https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-development – rbrayb Dec 18 '18 at 18:27
  • Yeah, I've seen that and got that far, it's just getting the userinfo and/or an access token that doesn't work, adal doesn't seem to get one back despite what any of the docs say, just the id token – James Morrison Dec 19 '18 at 08:59
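Two things on this page are worth seeing in working code: the claims the question shows in its decoded id_token (iss, aud, exp, nonce), which a backend should check before trusting the token it receives from the browser, and the request shape the answer and the first comment point at (POST to the userinfo endpoint, with a space between "Bearer" and the token). The block below is an added example, not code from the question, from adal.js/react-adal or from ADFS. It assumes Node 16+ for Buffer's base64url support, uses the issuer URL from the question and a placeholder client id, and constructs an unsigned sample token with the question's claim shape; it deliberately does no signature verification, which a real backend must add.

```javascript
// Added example (not from the question or from adal.js/react-adal).
// 1) Decode a JWT payload and check the claims the question lists before a
//    backend trusts the token it was handed.
// 2) Build the userinfo request the way the answer and comment suggest:
//    POST, and "Bearer" separated from the token by a single space.
// Assumes Node 16+ (Buffer base64url). No signature check: a real backend must
// also verify the JWT signature against the issuer's published signing keys.

const ISSUER = 'https://adfs.domain/adfs';                  // issuer from the question's claims
const CLIENT_ID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';  // placeholder client id (the "aud" claim)

// JWT segments are base64url without padding; restore padding and decode.
function base64UrlDecode(segment) {
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std.padEnd(Math.ceil(std.length / 4) * 4, '=');
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the payload object of a compact-serialized JWT (header.payload.signature).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns a list of problems; an empty list means the claims are acceptable.
// `now` is seconds since the epoch, matching the "exp" claim's unit.
function checkIdTokenClaims(claims, { issuer, clientId, expectedNonce, now = Math.floor(Date.now() / 1000) }) {
  const problems = [];
  if (claims.iss !== issuer) problems.push('iss mismatch');
  if (claims.aud !== clientId) problems.push('aud mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('expired');
  if (expectedNonce !== undefined && claims.nonce !== expectedNonce) problems.push('nonce mismatch');
  return problems;
}

// Header value is the scheme, one space, then the token.
function bearerHeader(token) {
  return `Bearer ${token}`;
}

// Request descriptor for the userinfo endpoint, as a POST per the answer.
function buildUserInfoRequest(token) {
  return {
    method: 'POST',
    url: `${ISSUER}/userinfo`,
    headers: { Authorization: bearerHeader(token) },
  };
}

// Constructed sample: an unsigned token (alg "none", empty signature) carrying
// the claim shape shown in the question. Only used to exercise the functions above.
function makeSampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const SAMPLE_CLAIMS = {
  aud: CLIENT_ID, iss: ISSUER, exp: 1544793006, iat: 1544789406,
  nonce: 'nonce-1', sub: 'subject', upn: 'bob@email.com',
};

// Stand-alone demonstration.
const sampleToken = makeSampleIdToken(SAMPLE_CLAIMS);
const sampleClaims = decodeJwtPayload(sampleToken);
console.log('problems at iat:', checkIdTokenClaims(sampleClaims, {
  issuer: ISSUER, clientId: CLIENT_ID, expectedNonce: 'nonce-1', now: 1544789406,
}));
console.log(buildUserInfoRequest(sampleToken));
```

The claim checks mirror what the backend in the question should do with a token that arrives from the browser instead of replaying it blindly: the aud value in the question's token is the app's client id, so only that app should accept it, and exp/nonce stop an old or replayed token from being accepted. Passing the token in a URL path, as the `completeLogin/{id_token}` route does, also leaves it in server and proxy logs; a request body or header keeps it out of them.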