I set up ADFS 3.0 for OAuth2 and I finally got the "Access-Token" on my client app.
Something like this:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"access_token":"<access_token>",
"token_type":"bearer",
"expires_in":3600
}
The token consists of a header part, a payload and a signature.
Now I sent the request with the token to my resource server. And I want to validate the token from my resource server against ADFS (auth server and IdP).
This is my certificate on ADFS:
CertificateType : Token-Signing
IsPrimary : True
StoreLocation : CurrentUser
StoreName : My
Thumbprint : xyz
How can this be done?
Update: some info about the token:
Header:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "abc"
}
Payload:
{
"aud": "https://serverurl",
"iss": "http://.../adfs/services/trust",
"iat": 1473063317,
"exp": 1473066917,
"auth_time": "2016-09-05T08:15:17.875Z",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"ver": "1.0",
"appid": "some-uid"
}
Signature:
RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  certificate/secret
)
Planned authorization grant flow (short version, no auth grant code details):
We have our own client app (issuer) that requests a token from the ADFS (auth + IdP), then sends the token + request to the resource server, and the resource server should then validate the token against ADFS. What I am missing is some endpoint on the ADFS that tells me if the signature/token is valid. There's an /adfs/oauth2 endpoint on the ADFS server (where I also got the access grant from), but there's somewhat of a lack of documentation from Microsoft...
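Added example, not part of the question or of ADFS itself: what "validating the token on the resource server" consists of for a JWT like the one above. A bearer JWT signed with RS256 is checked locally: the resource server pins the ADFS token-signing certificate, matches the `x5t` header (base64url of the raw SHA-1 thumbprint) against the certificate's thumbprint, verifies the PKCS#1 v1.5 / SHA-256 signature over `base64url(header).base64url(payload)` with the certificate's public key, and only then checks `iss`, `aud`, `exp` and `iat`. Everything here is constructed: a toy RSA key pair generated in the script stands in for the token-signing certificate, the "thumbprint" is SHA-1 over the public-key bytes rather than over the DER certificate, and the issuer URL, `now` value and claim values are sample data modelled on the question. Only the standard library is used so the signature arithmetic is visible.

```python
# Added example (not from the original post): local validation of an ADFS-style RS256 JWT.
# Toy RSA keys and all token values are constructed here; not for production use as-is.
import base64, hashlib, hmac, json, random

_RNG = random.Random(2016)  # deterministic toy key generation for the demo
# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 (RFC 8017, section 9.2)
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; good enough for a demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def gen_keypair(bits=512):
    """Toy RSA key pair (n, e, d); stands in for the ADFS token-signing certificate."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(msg, k):
    """EM = 00 || 01 || PS (0xFF...) || 00 || DigestInfo(SHA-256(msg)), k bytes long."""
    digest = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def thumbprint(n, e):
    """Hex thumbprint as shown by the ADFS cert listing. Constructed: SHA-1 over the
    public-key bytes stands in for SHA-1 over the DER certificate."""
    return hashlib.sha1(n.to_bytes(64, "big") + e.to_bytes(3, "big")).hexdigest().upper()

def issue_token(payload, n, e, d):
    """Stand-in for ADFS minting the token; x5t = base64url(raw SHA-1 thumbprint)."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": b64url_encode(bytes.fromhex(thumbprint(n, e)))}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def validate_token(token, trusted_keys, issuer, audience, now, leeway=60):
    """Resource-server side: signature against the pinned signing key first, then claims.
    trusted_keys maps hex thumbprint -> (n, e). Raises ValueError on any failure."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":            # refuse 'none' and any algorithm swap
        raise ValueError("unexpected alg")
    key = trusted_keys.get(b64url_decode(header.get("x5t", "")).hex().upper())
    if key is None:
        raise ValueError("unknown signing certificate")
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), *key):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))       # only trusted after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp + leeway < now:
        raise ValueError("token expired")
    if isinstance(iat, int) and iat - leeway > now:
        raise ValueError("token used before issued")
    return claims

def demo():
    """Mint one good token and show which checks reject the usual bad cases."""
    n, e, d = gen_keypair()
    trusted = {thumbprint(n, e): (n, e)}        # what the resource server pins
    now = 1473063317                            # constructed, taken from the sample iat
    claims = {"aud": "https://serverurl", "iss": "http://adfs.example/adfs/services/trust",
              "iat": now, "exp": now + 3600, "appid": "some-uid"}
    good = issue_token(claims, n, e, d)
    results = {"valid": validate_token(good, trusted, claims["iss"], claims["aud"], now + 10)["appid"]}
    def rejected(tok, at=now + 10):
        try:
            validate_token(tok, trusted, claims["iss"], claims["aud"], at)
            return None
        except ValueError as exc:
            return str(exc)
    results["expired"] = rejected(good, at=now + 3600 + 61)
    h, p, s = good.split(".")
    results["tampered"] = rejected(f"{h}.{b64url_encode(json.dumps(dict(claims, appid='other-app')).encode())}.{s}")
    none_hdr = b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    results["alg_none"] = rejected(f"{none_hdr}.{p}.")
    results["foreign_key"] = rejected(issue_token(claims, *gen_keypair()))
    return results

if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: the algorithm is pinned to RS256 before anything else, the key is selected by `x5t` from a fixed set the server trusts (in practice the token-signing certificate, which ADFS also publishes in its federation metadata), and the payload is only parsed for claims after the signature has verified. With a real certificate the same structure holds; only `thumbprint` and the key source change.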