I am trying to authenticate the user with ADFS and I am using ADAL. Authentication seems to work since I can get the AccessToken. The problem is that, looking at the code, authResult contains a UserInfo where all properties (for instance GivenName or FamilyName) are null.

AuthenticationContext authContext = null;
AuthenticationResult authResult = null;
try
{
    // authority, resource, clientId and returnUri are set elsewhere in the app
    authContext = new AuthenticationContext(authority, false);
    authResult = await authContext.AcquireTokenAsync(resource, clientId, new Uri(returnUri),
                    new PlatformParameters(PromptBehavior.Auto, false));
}
catch (AdalException ex)
{
    // sign-in failed or was cancelled; authResult stays null and must not be used
    System.Diagnostics.Debug.WriteLine(ex.Message);
}

Are those values null because of the ADFS configuration? I noted that by decoding the returned AccessToken I can read user information. But I don't think that decoding the JWT token is the right way to obtain that information. Do you have a better suggestion?

I have also seen people getting information by using claims, but I don't know exactly how to use it on UWP, since all the samples I found used

ClaimsPrincipal claimsPrincipal = System.Threading.Thread.CurrentPrincipal as ClaimsPrincipal;

But System.Threading.Thread is not available on UWP.

2 Answers

Normally, the access_token is used in OAuth and OpenID Connect scenarios and is intended to be consumed by the resource. To identify the user we should use the id_token (verify the token and extract the claims about the user by decoding the token). Please refer to the following about the usage of tokens:

  • id_token: A JWT token used to represent the identity of the user. The 'aud' or audience claim of the id_token matches the client ID of the native or server application.
  • access_token: A JWT token used in OAuth and OpenID Connect scenarios and intended to be consumed by the resource. The 'aud' or audience claim of this token must match the identifier of the resource or Web API.
  • refresh_token: This token is submitted in place of collecting user credentials to provide a single sign-on experience. This token is both issued and consumed by AD FS, and is not readable by clients or resources.

And you can refer to the link below about the native client to web API scenario for ADFS:

AD FS Scenarios for Developers - Native client to Web API

It depends on the ADFS version of your server. If your company is using Windows Server 2012 R2, then it is ADFS 3.0. I did successfully integrate with the SSO login created by the admin of the company I am working in. You should refer to this article before venturing in: https://docs.microsoft.com/en-us/previous-versions/adfs-windows-server-2012r2/dn660968(v=msdn.10). Note: you don't even need to make a web API for ToDoList.

Using only GetAuthorizationHeader() and authenticationContext.AcquireTokenAsync(), you could obtain the token by asking the user to authorize with their credentials and decrypt the received token.

This is a sample of the code I did:

authority = https://contoso.com/adfs/ls (Endpoint from the ADFS metadata)

resourceURI = https://localhost:44300/ (Relying party, ask your ADFS admin to register)

clientID = it is recommended to use Package.appmanifest's package name from the Packaging tab, as long as it is a unique ID.

clientReturnURI = use the following code to obtain the clientReturnURI (also available in the article in the link):

string clientReturnURI = string.Format("ms-appx-web://Microsoft.AAD.BrokerPlugIn/{0}",WebAuthenticationBroker.GetCurrentApplicationCallbackUri().Host.ToUpper());

using System.IdentityModel.Tokens.Jwt;
using System.Linq;

AuthenticationContext ac = new AuthenticationContext(Authority_Uri, false);
AuthenticationResult ar = await ac.AcquireTokenAsync(resourceURI, GlobalVar.clientID, new Uri(clientReturnURI), new PlatformParameters(PromptBehavior.Always, true));

// parse the compact JWT string; this only decodes it, it does not check the signature
var jwt = new JwtSecurityToken(ar.AccessToken);
string unique_name = jwt.Claims.First(c => c.Type == JwtRegisteredClaimNames.UniqueName).Value;

You can replace JwtRegisteredClaimNames.UniqueName with anything else. It depends on what info/claims are available in the access token. You should inspect the available info in the jwt by placing a breakpoint at var jwt. Or you can decrypt the access token in the AuthenticationResult.AccessToken on this website: https://jwt.ms/

Lastly, you need to get the certificate from your ADFS admin and install it across your web and UWP server to allow the application to trust and execute the actions.
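The first answer's advice is to take the user's identity from the id_token after verifying it, while the snippet above reads claims straight out of the access_token without any check. The following .NET console program is an added example, not code from the question or either answer: it mints a throwaway RS256 token with System.IdentityModel.Tokens.Jwt, validates it with the client ID as the required audience before reading the user claims, and shows that a token minted for the resource (an access_token) fails the same check. Issuer, client ID, resource and the RSA key are constructed placeholders; in the app the token comes from authResult.IdToken and the signing keys from the ADFS federation metadata.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Added demo; all identifiers below are constructed placeholders, not the page's values.
static class IdTokenDemo
{
    const string Issuer = "https://contoso.com/adfs";   // placeholder issuer
    const string ClientId = "ContosoUwpClient";          // placeholder, 'aud' of the id_token
    const string Resource = "https://localhost:44300/";  // placeholder, 'aud' of the access_token

    // Validate signature, issuer, lifetime and that 'aud' is OUR client ID before
    // reading any user claim. Throws a SecurityTokenException on any failure.
    static ClaimsPrincipal ReadUser(string idToken, SecurityKey signingKey)
    {
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();   // keep short JWT names such as "given_name"
        var rules = new TokenValidationParameters { ValidIssuer = Issuer, ValidAudience = ClientId,
            IssuerSigningKey = signingKey, ClockSkew = TimeSpan.FromMinutes(2) };
        return handler.ValidateToken(idToken, rules, out _);
    }

    // Mint a throwaway RS256 token carrying the claims the question expected in UserInfo.
    static string Mint(string audience, SigningCredentials creds)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateJwtSecurityToken(
            issuer: Issuer, audience: audience,
            subject: new ClaimsIdentity(new[] {
                new Claim(JwtRegisteredClaimNames.UniqueName, "alice@contoso.com"),
                new Claim(JwtRegisteredClaimNames.GivenName, "Alice"),
                new Claim(JwtRegisteredClaimNames.FamilyName, "Liddell") }),
            expires: DateTime.UtcNow.AddMinutes(10), signingCredentials: creds));
    }

    static void Main()
    {
        using (var rsa = RSA.Create(2048))
        {
            var key = new RsaSecurityKey(rsa);
            var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
            // id_token (aud = client ID) validates, so the user claims can be read safely
            var user = ReadUser(Mint(ClientId, creds), key);
            Console.WriteLine(user.FindFirst("given_name")?.Value + " " + user.FindFirst("family_name")?.Value);
            // access_token (aud = resource) is rejected as proof of identity by the same check
            try { ReadUser(Mint(Resource, creds), key); }
            catch (SecurityTokenInvalidAudienceException) { Console.WriteLine("access_token rejected: wrong audience"); }
        }
    }
}
```

On UWP, replace Console.WriteLine with your own logging; the validation code itself is the same.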