
SETUP:
We have an application which needs to authenticate itself to an API with the help of ADFS. For this it seems suitable to use the Client Credentials Grant Flow:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#client-credentials-grant-flow

So in ADFS I created a new application group with a server application and a Web API with the following setup,

Server Application:
- Client Id: client1
- Client Secret: (some-guid)

Web API:
- Relying parties: client1
- Access control policy: Permit everyone
- Client permissions --> Client Application: client1
- Permitted scopes: openid profile allatclaim

Then I request a token via https://.../adfs/oauth2/token with

client_id=client1
client_secret=(some-guid) 
grant_type=client_credentials

I received a JWT token with aud and appid as expected:

"aud": "microsoft:identityserver:client1"
"appid": "client1"

PROBLEM:
The problem arises when I want to add another client to use with the API. So I change my setup to,

Server Application 1:
- Client Id: client1
- Client Secret: (some-guid)

Server Application 2:
- Client Id: client2
- Client Secret: (some-guid)

Web API:
- Relying parties: client1, client2
- Access control policy: Permit everyone
- Client permissions --> Client Application: client1, client2
- Permitted scopes: openid profile allatclaim

Then when I request a JWT token with the credentials of client2 (client_id and client_secret) I get:

"aud": "microsoft:identityserver:client1"

and the same if I use client1. I tried to add different relying parties in the Web API and it seems like it always sets the aud in the JWT to the first RP in the list (alphabetic order). For instance, if I also add 123 as a RP in the Web API then the "aud" becomes "microsoft:identityserver:123" for both client1 and client2.

If I instead remove all relying parties and add the URL of my API then the aud in the JWT token becomes "urn:microsoft:userinfo".

From what I have read, the aud field in the JWT token should contain all principals who will process the JWT token. See https://tools.ietf.org/html/rfc7519#section-4.1.3.

QUESTIONS:
How should I set up my Application group to be able to have multiple clients?
Can ADFS send multiple audiences instead of only the first one?
Or have I used the wrong approach?

Kind regards, Jesper


1 Answer


Through trial and error I finally found how to solve this!

The relying parties in the Web API should only contain identifiers for the Web API (not the Server Applications) for instance this could be an address like "https://mywebapi.com".

Client permission --> Client Applications should contain the Server Applications that should be allowed to talk to this server.

Then when requesting a JWT token from ADFS you also need to include the parameter "resource" whose value should be one of the identifiers of the Web API. Hence the body of the call becomes

client_id=client1
client_secret=(some-guid) 
grant_type=client_credentials
resource=https://mywebapi.com

I tried to search for the resource field to find out more about it but couldn't find any explanation or any site using it.