OAuth 2 Authorization Code grant in ADFS - nordvall/TokenClient GitHub Wiki

The Authorization Code grant is supported by ADFS.

1. Client visits the authorization endpoint

Request:

GET /adfs/oauth2/authorize?response_type=code&client_id=MyClient&resource=urn%3Apepsi%3Atest&redirect_uri=http%3A%2F%2Flocalhost%2F HTTP/1.1
Host: your.adfs.server

Parameters:

| parameter | value | example |
| --- | --- | --- |
| response_type | the OAuth 2 response type, always code in this case | code |
| client_id | the Id of the Client that wants an access token, as registered in the ClientId parameter when the Client was registered in ADFS | MyClient |
| resource | the resource server the Client wants an access token for, as registered in the Identifier parameter of the Relying Party trust | https://myapplication |
| redirect_uri | the redirect URI associated with the Client; must match the RedirectUri value registered for the Client in ADFS | https://localhost |

See ADFS Administration for more information about registering clients.

Response:

Internet Explorer is redirected to adfs/oauth2/authorize/wia, an endpoint presumably able to authenticate the user with Windows Integrated Authentication (NTLM). This gives a single sign-on experience in Microsoft environments.

Other browsers are presented with an HTML login form.

2. User logs in

The user logs in but is not asked to approve anything (there is no consent step). After the user is authenticated, the user's browser is redirected to the redirect_uri.

Response:

HTTP 302 Found
Location: https://redirecturi/?code=thecode

The Client can now read the authorization code from the code query parameter.

3. Client requests an access token

Request:

POST /adfs/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: your.adfs.server
Content-Length: 624

grant_type=authorization_code&client_id=MyClient&redirect_uri=http%3A%2F%2Flocalhost%2F&code=thecode

Parameters:

| parameter | value | example |
| --- | --- | --- |
| grant_type | the OAuth 2 grant type, always authorization_code in this case | authorization_code |
| client_id | the Client id of the requesting Client; must match the client_id used to retrieve the authorization code | MyClient |
| redirect_uri | the redirect URI of the Client; must match the redirect_uri from the previous step | |
| code | the OAuth 2 authorization code | abc123 |

Note that the following parameters are not necessary in this step:

  • resource
  • client_secret (ADFS does not support client secrets).

Response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{ 
    "access_token":"thetoken",
    "token_type":"bearer",
    "expires_in":3600
}

The access_token is a JWT and is valid for 3600 seconds (the expires_in value). Because the Client did not authenticate itself with a client secret, no refresh token is issued; the Client has to run the flow again when the token expires.
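The three steps above as client-side helpers in Python. This is an added example, not code from the TokenClient project: the ADFS host is the page's placeholder, and the state parameter is a standard OAuth 2 value that the page's capture omits, used here so a callback can be tied to the request that started it.

```python
"""Client-side helpers for the three steps above (added example, not TokenClient
code). ADFS_BASE is a placeholder; state is a standard OAuth 2 parameter the
page's capture omits, used here to bind the callback to its request."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ADFS_BASE = "https://your.adfs.server"  # placeholder host, as on the page

def build_authorize_url(client_id, resource, redirect_uri):
    """Step 1: the GET to /adfs/oauth2/authorize. Returns (url, state); the
    caller keeps state in the user's session until the callback arrives."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "resource": resource, "redirect_uri": redirect_uri, "state": state}
    return f"{ADFS_BASE}/adfs/oauth2/authorize?{urlencode(params)}", state

def code_from_redirect(location, expected_state, redirect_uri):
    """Step 2: take the code from the 302 Location header. A callback whose
    target is not the registered redirect_uri, whose state does not match, or
    which reports an error is rejected, so only a code issued for this
    request reaches the token endpoint."""
    u = urlsplit(location)
    if f"{u.scheme}://{u.netloc}{u.path}" != redirect_uri:
        raise ValueError("callback target is not the registered redirect_uri")
    q = parse_qs(u.query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]

def build_token_request(client_id, redirect_uri, code):
    """Step 3: headers and form body for POST /adfs/oauth2/token. No resource
    and no client_secret, as the page notes for ADFS."""
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "code": code})
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body.encode("ascii")))}
    return headers, body

if __name__ == "__main__":
    url, state = build_authorize_url("MyClient", "urn:pepsi:test", "http://localhost/")
    print(url)
    # Constructed callback, in the shape ADFS sends after the user logs in.
    code = code_from_redirect(f"http://localhost/?code=thecode&state={state}",
                              state, "http://localhost/")
    print(build_token_request("MyClient", "http://localhost/", code))
```

The body produced for step 3 is byte-for-byte the one shown in the request above, with a Content-Length that actually matches it.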