I have an angular 2 app, a Web API with OWIN Pipeline (.NET 4.6) and an ADFS 3.0. Every user who uses the angular 2 app needs to be authenticated and authorized via ADFS and if he's already logged in the domain he should be logged in to the Application automatically (Single Sign On)
Something like that:
I read tons of links and code on how to achieve that but I fail to put the pieces together. As far as I understand ADFS 3.0 only supports OAuth 2 Authorization Code Flow which is either not supported or advised with a JS Application respectively on the Web per se. I'm not quite sure which it is but the fact is I can't/shouldn't use it.
I understood that therefore I have to implement somekind of Authentication server on my Webserver where my Web API is (maybe IdentityServer 3 or something "homemade").
This lead me to think that I should use ADFS as an external login like google, or facebook which would lead to the following workflow
- User requests token
- Web API checks if user is already logged in to the domain
- Logged in?
- forward request to ADFS and verify.
- ADFS returns OAuth Token to WebAPI
- not logged in?
- show login mask to user
- forward request to ADFS and verify.
- ADFS returns OAuth Token to WebAPI
- Web API return OAuth Token to user
Is this even correct or am I completly off?
Anyway I fail to put the pieces to together. I saw a lot of code which creates JWT Tokens in Web API (but doesn't communicate with ADFS) or communicates with ADFS via WS-Federation. Additionally ADFS' OAuth 2 implementation seems to a bit special which adds another layer of complexity.
so my question would be:
How can I provide OAuth tokens to the user while authenticating against ADFS?
If you need any additional information I happily provide it
