
I have tried using OAuth2 Proxy to manage my SSO authentication directly to ADFS rather than going through an intermediary like Keycloak. I first tried in an older version (7.1.x) with the OIDC provider, then in the brand new version (7.2.0) with the new ADFS provider configured as specified in the OAuth2 Proxy documentation (on ADFS I have an application group set up).

In both cases, I successfully connect to ADFS, and ADFS presents an authentication screen. Everything seems to work on the ADFS side (I type in the credentials, it accepts them and the ADFS login screen disappears). There are no error events in the ADFS logs. However, OAuth2 Proxy fails on the callback (which is correctly sent to https://myserver/oauth2/callback). The value returned from ADFS in the URL looks like it is formatted as a JWT, but it is garbage (i.e. when I paste it into jwt.io, it says "invalid signature", the header is blank and the payload is utter garbage). In other words, ADFS redirects to "https://myserver/oauth2/callback?code=" where the value after "code=" is unintelligible.

I am thinking that ADFS is encrypting the token, but there seems to be no way to specify the certificate ADFS uses to OAuth2 Proxy, nor is there an indication in the documentation that it expects me to do so.

The ADFS in question is from Server 2016, so I assume it is ADFS v4.0.

Any thoughts? Am I missing something? Everything seems to work just fine until it gets back to the OAuth2 Proxy from ADFS.


Based on one answer, I may have used the wrong template when setting up the ADFS Application Group. Is there a specific template that should be used so that OAuth2 Proxy gets the answer it expects?

JackLThornton

1 Answer


This looks like you are using the authorisation code grant flow.

In this flow, ADFS returns "code=" with a string (not a JWT) and you have to return it in the next call.

Maybe the implicit flow (same link) would be better in your case.

rbrayb
  • I've reviewed the OAuth2 Proxy documentation and the properties of the application group, and I don't see a way to specify the flow to use on either end. The link you specified shows the same endpoint in ADFS (https://*adfs_server*/adfs/oauth2/authorize) for both flows; changing the endpoint was the only differentiator I could think of. – JackLThornton Oct 29 '21 at 18:12
  • OK, I see that I probably used the wrong "template" for the Application Group. None of the choices really match the use case (OAuth2 Proxy as an intermediary to ADFS on behalf of a web application). Which template should I use? – JackLThornton Oct 29 '21 at 20:15
  • https://nzpcmad.blogspot.com/2016/11/postman-authorisation-code-grant-on.html?m=1 and https://nzpcmad.blogspot.com/2016/03/adfs-webapp-and-web-api-on-server-2016.html – rbrayb Oct 31 '21 at 01:50
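The exchange the answer describes, as an added example that is not code from OAuth2 Proxy or from ADFS: in the authorization code grant the `code=` value in the callback is an opaque, single-use handle that the client redeems with its client secret at the token endpoint; the JWTs only appear in the token response, so decoding the code on jwt.io says nothing about it. The script below models both sides in one process with a stand-in authorization server (`FakeAdfs`, constructed for the example), the host names `adfs.example.com` and `myserver`, the client id `oauth2-proxy` and its secret are assumptions, and the tokens are HS256-signed to keep the example self-contained where ADFS itself uses RS256. `run_flow()` walks the redirect, checks `state` on the callback, exchanges the code, and shows that a second redemption of the same code is refused.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse

# Assumed names for the example; replace with your own ADFS host and proxy URL.
ADFS_ISSUER = "https://adfs.example.com/adfs"
ADFS_AUTHORIZE = ADFS_ISSUER + "/oauth2/authorize"
REDIRECT_URI = "https://myserver/oauth2/callback"
RESOURCE = "https://myserver"  # ADFS 2016 names the relying party via 'resource'

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWT. HS256 is a simplification; ADFS signs with RS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

def looks_like_jwt(value: str) -> bool:
    """True only for header.payload.signature with a JSON header; an auth code fails this."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    except (ValueError, binascii.Error):
        return False
    return isinstance(header, dict) and "alg" in header

class FakeAdfs:
    """In-process stand-in for the authorization server; constructed for this example only."""
    def __init__(self, client_id: str, client_secret: str):
        self.client_id = client_id
        self.client_secret = client_secret
        self._codes: dict = {}  # outstanding codes -> the request they were issued for

    def authorize(self, params: dict) -> str:
        """The /authorize step after login: redirect back to the client with an opaque code."""
        if params.get("response_type") != "code" or params.get("client_id") != self.client_id:
            return REDIRECT_URI + "?" + urlencode({"error": "invalid_request", "state": params.get("state", "")})
        code = secrets.token_urlsafe(48)  # random handle, NOT a JWT: decoding it yields garbage
        self._codes[code] = {"redirect_uri": params["redirect_uri"], "issued_at": time.time()}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """The /token step: the code is redeemed once, by the right client, for the same redirect_uri."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if form.get("client_id") != self.client_id or form.get("client_secret") != self.client_secret:
            return {"error": "invalid_client"}
        entry = self._codes.pop(form.get("code", ""), None)  # pop: a code is single use
        if entry is None or entry["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        now = int(time.time())
        claims = {"iss": ADFS_ISSUER, "aud": self.client_id, "upn": "user@example.com", "iat": now, "exp": now + 3600}
        key = self.client_secret.encode()
        return {"access_token": make_jwt({**claims, "aud": RESOURCE}, key),
                "id_token": make_jwt(claims, key), "token_type": "bearer", "expires_in": 3600}

def build_authorize_url(client_id: str, state: str) -> str:
    """Where the proxy sends the browser; 'state' is the proxy's CSRF token for the callback."""
    return ADFS_AUTHORIZE + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE, "scope": "openid", "state": state})

def parse_callback(url: str, expected_state: str) -> str:
    """Pull the code out of the callback, refusing error responses and state mismatches."""
    q = parse_qs(urlparse(url).query)
    if "error" in q:
        raise RuntimeError("ADFS returned error=" + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback was not started by this proxy session")
    return q["code"][0]

def exchange_code(adfs: FakeAdfs, client_id: str, client_secret: str, code: str) -> dict:
    """The back-channel POST to /token that turns the opaque code into real tokens."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": client_id, "client_secret": client_secret}
    return adfs.token(form)

def run_flow() -> dict:
    client_id, client_secret = "oauth2-proxy", "assumed-client-secret"  # assumed values
    adfs = FakeAdfs(client_id, client_secret)
    state = secrets.token_urlsafe(16)
    request = dict(parse_qsl(urlparse(build_authorize_url(client_id, state)).query))
    callback_url = adfs.authorize(request)  # browser lands on /oauth2/callback?code=...&state=...
    code = parse_callback(callback_url, state)
    tokens = exchange_code(adfs, client_id, client_secret, code)
    replay = exchange_code(adfs, client_id, client_secret, code)  # second redemption must fail
    return {"code": code, "code_is_jwt": looks_like_jwt(code), "tokens": tokens, "replay": replay}

if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

The point to take from the run is the split between the two legs: the front-channel callback carries only `code` and `state`, and the JWTs (`id_token`, `access_token`) exist only after the back-channel exchange, which OAuth2 Proxy performs itself against the token endpoint using the client secret configured on its side.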