3
votes

I'm using the authorization flow supported in ADFS 3.0 in the following way,

  1. Browser connects to MyService
  2. MyService redirects browser to ADFS for OAuth
  3. Browser connects to ADFS for OAuth Authorization code
  4. ADFS authenticates the users through the browser
  5. ADFS redirects the browser back to MyService along with authorization code
  6. Browser connects to MyService and passes the authorization token
  7. MyService connects to ADFS and gets the access token from the authorization token

However, the access token is missing the user identity and MyService is unable to identify the user.

The access token has the following JWT information.

  {
    "aud": "urn:relying:party:trust:identifier",
    "iss": "http://ms.cloud.com/adfs/services/trust",
    "iat": 1452875046,
    "exp": 1452878646,
    "auth_time": "2016-01-15T15:35:20.248Z",
    "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "ver": "1.0",
    "appid": "my-app"
  }

Can someone tell me how MyService can identify the user once it gets the access token from ADFS?


2 Answers

2
votes

Claim rules in the relying party trust need to define the claims to be sent as part of the JWT token. Once we added the claim rules for email, name etc., the information was added to the JWT access token.

1
votes
  1. Edit the Claims Provider Trust for Active Directory in ADFS to pass through email, name, etc.

    • Open ADFS. Click on "Claims Provider Trusts". Click on "Active Directory".
    • Then, click "Edit Claim Rules" on the right. You should now see the Edit Claims dialog. For instructions on adding claims, refer to this video (Edit Claims Provider Rules) and skip to time index 2:40.
  2. Edit the Relying Party Trust's claims. For email, name, etc., add a matching Issuance Transformation Rule using LDAP as the rule type and select Active Directory as the Attribute Store source. Do this by repeating the above steps for the relying party trust associated with your JWT client. To add relying party claims, refer to this video (Edit Relying Party Claim Rules) and skip to time index 14:35.

I recommend passing SAM-Account-Name through as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. I vaguely remember WIF having issues with the ClaimsPrincipal if you don't.

Also, you must enable claims support on Active Directory if you haven't already done so.
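The GUI steps in the answer above, as an added example that is not part of the original answer: the same "Send LDAP Attributes as Claims" issuance transform rule written in ADFS claim rule language and applied with the ADFS PowerShell module. The relying party trust name "MyService" is an assumption; the claim type URIs and the sAMAccountName recommendation come from the answer.

```powershell
# Added example, not from the original answer. Run on the ADFS server as an administrator.
# Assumed: the relying party trust for the JWT client is displayed as "MyService".
Import-Module ADFS

$rpName = "MyService"   # assumed display name of the relying party trust

# Look the authenticated Windows account up in Active Directory and issue
# sAMAccountName as the WS-Fed 'name' claim (as the answer recommends) and
# mail as 'emailaddress'. "AD AUTHORITY" is the issuer ADFS assigns to claims
# coming from the Active Directory claims provider trust.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send name and email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";sAMAccountName,mail;{0}", param = c.Value);
'@

# Optional second rule: also issue the UPN, which gives MyService a stable,
# unique identifier to key user records on rather than a display name.
$upnRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";userPrincipalName;{0}", param = c.Value);
'@

# -IssuanceTransformRules replaces the trust's whole rule set, so include every
# rule the trust should keep, not just the new ones.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($ldapRule + "`n" + $upnRule)

# Check: the stored rule set should now reference the 'name' claim type.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After the next login, the JWT should carry the name, emailaddress and upn claims alongside the aud, iss and appid fields shown in the question.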