I set up login in a web application with ADFS.

Authorization request looks like:

https://sso.company.net/adfs/oauth2/authorize?response_type=code&client_id=ruleman&resource=urn:ruleman:1&redirect_uri=http://ruleman.net/authorize

ADFS performs authorization and redirects to the app:

http://ruleman.net/authorize?code=aaaaaaaa.bbbbbbbbb.ccccccccc

It is known that the token from the code parameter contains claims such as username etc. How do I decode the token and extract the claims?

2 Answers

The flow follows the OAuth 2.0 standard. Please note I am not an expert in ADFS, however I know OAuth 2.0 well.

The authorization flow consists of multiple options with different steps. In your case you are using the code profile (specifying response_type=code). The authorization step you did is only the first step; there are a few steps to follow.

You can search for "OAuth 2.0 with ADFS", e.g. http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

Authorization request

../authorize?response_type=code&client_id=ruleman&resource=urn:ruleman:1&redirect_uri=http://ruleman.net/authorize

You will receive an OAuth code (usually not having any information value, it is only a code):

http://ruleman.net/authorize?code=aaaaaaaa.bbbbbbbbb.ccccccccc

code parameter contains claims such as username etc

This is a wrong assumption.

Using this code you need to call the token service from the backend to receive an access token (e.g. using HttpClient):

POST /adfs/oauth2/token HTTP/1.1

grant_type=authorization_code&client_id=some-uid-or-other&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FgetAToken&code=thecode

You will receive an access token. This step ensures your application is really authenticated with the identity provider it knows.

According to the post linked above:

The interesting bit is the token itself, it is in fact a JSON Web Token (JWT). That’s to say a signed representation of the user’s identity and other grants.

I am unable to confirm that, but you can try. Usually (with other identity providers) the token is only a token and the client needs to call a "user information" service to get any user identity claims, however it seems ADFS gives you a shortcut.

Then you can use any JWT library to decode/validate the JWT token (com.auth0/java-jwt/3.0.1):

com.auth0.jwt.interfaces.DecodedJWT jwt = com.auth0.jwt.JWT.decode(token);

For the Postman flow for this, refer to Postman : Authorisation Code Grant on Server 2016 - ADFS 4.0.

This code grant is the flow you have described.

As per the other answers:

  • Use the authorize endpoint
  • Get the code
  • Send the code to the token endpoint
  • Get the JWT

Use jwt.io to examine the JWT.
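JWT.decode in the first answer and jwt.io only base64-decode the token; neither checks that ADFS actually signed it or that it was issued for your resource. The following is an added example, not code from either answer, showing the verification a backend should do before trusting any claim, using java-jwt together with Auth0's jwks-rsa library. The audience is the resource value from the question; the issuer string, the /adfs/discovery/keys URL (ADFS 2016) and the upn claim name are assumptions.

```java
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class AdfsTokenValidator {
    // 'resource' sent to /authorize in the question; ADFS copies it into the 'aud' claim.
    static final String EXPECTED_AUDIENCE = "urn:ruleman:1";
    // Assumed values for an ADFS 2016 farm at sso.company.net (not taken from the page).
    static final String EXPECTED_ISSUER = "http://sso.company.net/adfs/services/trust";
    static final String JWKS_URL = "https://sso.company.net/adfs/discovery/keys";

    // Returns the token only after signature, issuer, audience and expiry have been checked.
    public static DecodedJWT validate(String accessToken) throws Exception {
        // Parse without trusting anything yet: we only need the 'kid' header to pick the key.
        DecodedJWT unverified = JWT.decode(accessToken);

        // Fetch the public signing key that ADFS publishes under that key id.
        JwkProvider provider = new UrlJwkProvider(new URL(JWKS_URL));
        Jwk jwk = provider.get(unverified.getKeyId());
        RSAPublicKey signingKey = (RSAPublicKey) jwk.getPublicKey();

        // Pinning RS256 with the fetched key rejects 'alg: none' and HMAC-substituted tokens;
        // verify() also rejects expired tokens, with a 60-second clock-skew allowance.
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(signingKey, null))
                .withIssuer(EXPECTED_ISSUER)
                .withAudience(EXPECTED_AUDIENCE)
                .acceptLeeway(60)
                .build();
        return verifier.verify(accessToken); // throws JWTVerificationException on any failure
    }

    public static void main(String[] args) {
        String accessToken = args.length > 0 ? args[0] : "<access_token from /adfs/oauth2/token>";
        try {
            DecodedJWT jwt = validate(accessToken);
            // Only now are the claims safe to use; 'upn' is the usual ADFS user identifier (assumed).
            System.out.println("user: " + jwt.getClaim("upn").asString());
        } catch (JWTVerificationException e) {
            System.err.println("token rejected: " + e.getMessage());
        } catch (Exception e) {
            System.err.println("could not obtain signing key: " + e.getMessage());
        }
    }
}
```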