5
votes

I've successfully created a new Application Group with a Server Application as well as a Web API and the OpenID Connect protocol is working w/out any issues until I try and make a call to UserInfo. The Relying Party identifier is the same GUID as Client ID of the Server Application (per the examples I have read online). I get the error below when trying to call UserInfo:

WWW-Authenticate: Bearer error="invalid_token", error_description="MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:21660d0d-93e8-45db-b770-45db974d432d' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'."

Any help would be greatly appreciated.

2
What grant are you using? Postman flow - gist.github.com/nzpcmad/ab979533ba673ae837d7e3a607b9d5c1 - rbrayb
parameters.Add("grant_type", "authorization_code"); - Frank Z

2 Answers

0
votes

I also recently got this error using ADFS with the ASP.NET Core OpenIDConnect providers. In my case, disabling the UserInfo request altogether resolved the issue:

var openIdOptions = new OpenIdConnectOptions
{
  ...
  GetClaimsFromUserInfoEndpoint = false
};

After doing this, I still had the claims that I needed for my app - email, SID, name, etc. I'm sure there are scenarios where this would not work, but it's good to know you might not need /userinfo at all. I would still be interested in knowing why the token returned from ADFS can't be used to call /userinfo, and how to fix it in ASP.NET OpenIDConnect providers.

-1
votes

Just set the resource accordingly:

options.Resource = "urn:microsoft:userinfo";
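Putting the two answers together, here is a complete ASP.NET Core configuration as an added example (not code from either answer or from the ADFS team). It sets `options.Resource` to the UserInfo relying party identifier that the MSIS9921 message names, so that the `aud` claim ADFS places in the access token matches `urn:microsoft:userinfo`, and it adds a defensive check in `OnTokenResponseReceived` that decodes the access token and logs a clear warning if the audience still does not match, instead of letting the handler surface a bare 401 from `/userinfo`. The authority, client id and client secret are placeholders; it assumes .NET 6+ minimal hosting with the `Microsoft.AspNetCore.Authentication.OpenIdConnect` package. If you prefer the first answer's approach, set `GetClaimsFromUserInfoEndpoint = false` and the audience check becomes irrelevant.

```csharp
// Program.cs - added example, not part of the original question or answers.
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values: substitute the ADFS farm's issuer and the Server Application's
// client id/secret from the Application Group.
const string AdfsAuthority    = "https://adfs.example.com/adfs";                // placeholder
const string ClientId         = "00000000-0000-0000-0000-000000000000";          // placeholder GUID
const string ClientSecret     = "<client-secret-placeholder>";                   // placeholder
const string UserInfoAudience = "urn:microsoft:userinfo"; // identifier of the ADFS UserInfo RP trust

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = AdfsAuthority;
    options.ClientId = ClientId;
    options.ClientSecret = ClientSecret;
    options.ResponseType = OpenIdConnectResponseType.Code; // authorization_code grant, as in the question
    options.SaveTokens = true;

    // 'resource' tells ADFS which relying party trust the access token is for. Without it the
    // token's 'aud' is microsoft:identityserver:<client-id>, which /userinfo rejects (MSIS9921).
    options.Resource = UserInfoAudience;
    options.GetClaimsFromUserInfoEndpoint = true; // set to false to skip /userinfo entirely (first answer)

    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");

    options.Events = new OpenIdConnectEvents
    {
        // Runs after the code-for-token exchange and before the handler calls /userinfo.
        OnTokenResponseReceived = context =>
        {
            var logger = context.HttpContext.RequestServices
                .GetRequiredService<ILoggerFactory>()
                .CreateLogger("AdfsUserInfoAudienceCheck");

            var accessToken = context.TokenEndpointResponse.AccessToken;
            var handler = new JwtSecurityTokenHandler();

            // ReadJwtToken only decodes the payload; it does not validate the signature.
            // The id_token is still fully validated by the OpenID Connect handler itself.
            if (!string.IsNullOrEmpty(accessToken) && handler.CanReadToken(accessToken))
            {
                var jwt = handler.ReadJwtToken(accessToken);
                if (!jwt.Audiences.Contains(UserInfoAudience))
                {
                    logger.LogWarning(
                        "Access token audience(s) [{Aud}] do not match the UserInfo RP trust '{Expected}'; " +
                        "the /userinfo call will fail with MSIS9921. Check the 'resource' parameter.",
                        string.Join(",", jwt.Audiences), UserInfoAudience);
                }
            }
            return Task.CompletedTask;
        }
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Minimal endpoint to confirm which claims arrived (from the id_token and, if enabled, /userinfo).
app.MapGet("/me", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? Results.Ok(ctx.User.Claims.Select(c => new { c.Type, c.Value }))
        : Results.Challenge())
   .RequireAuthorization();

app.Run();
```

The warning fires before the handler's own `/userinfo` request, so an audience mismatch shows up in your application log with the actual `aud` value rather than only as the ADFS error string in a `WWW-Authenticate` header. The decode step deliberately does no signature validation, because its only purpose is to read `aud` for diagnostics; trust decisions still rest on the handler's validation of the id_token.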