ADFS 3.0 OAuth2 access token

Question
-
Hi All,
I receive a response from the server domain after login with a code:
https://localhost:8443/myProject/products?code=Bn2DTsZFkkOnI9EsEgY5jA.km58JFfV0wjrAJ56sckumpqIlbQ.gGQ804AiyxfZKYmitUgAnsoIVNt74cHl6aZTNtMCtPvEC3SS2yZvAReGfjHNKainSbH_Z6w_1dcWPqizV1a8FjWUozKybXnSQXHsWQsyAEisqKXCXc5aTacJEzxLQkS-XuTgvlW9FG9ov6et_uYlcQBmIQsi_Z7NYnmuhPXL1GmUl7VLafivVY_xblViWOZTlyLe3mWCUnTBQtFTU7GimHn5mXHnb5bNnbO7lumgdPK5RlSGlUCMPVuVmFsPm6KqOg4bkws36QmRlteEtWz-S12IdbcS7URr2n8S28MMgclEAGCwf2Z26LUe1P71K-NAZD4vmKRn2EVD0gDcVT8CCA
After that I request the token again with this code, but the server responds:
HTTP/1.1 400 Bad Request
Cache-Control: no-store
Pragma: no-cache
Content-Length: 132
Content-Type: application/json;charset=UTF-8
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 05 Sep 2016 08:56:41 GMT
Connection: close
{"error":"invalid_grant","error_description":"MSIS9612: The authorization code received in 'code'parameter is invalid. "}
Thank you very much
- Edited by Ho Quoc Phuong Monday, September 5, 2016 9:15 AM
- Moved by Peter Geelen MVP Monday, September 5, 2016 10:38 AM
Monday, September 5, 2016 9:13 AM
Answers
-
Could be a number of reasons.
The grant is invalid, the token has expired etc.
Please post the whole trail i.e. all requests / responses.
- Marked as answer by Ho Quoc Phuong Tuesday, September 6, 2016 1:27 AM
Monday, September 5, 2016 7:05 PM
All replies
-
Hi nzpcmad1,
I use the Java language. On the ADFS server the error number is 1021.
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException: MSIS9247: Received invalid OAuth access token request. The authorization code is invalid. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
at Microsoft.IdentityModel.Tokens.JSON.X509AsymmetricSignatureProvider..ctor(X509AsymmetricSecurityKey x509Key)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthSignatureManager.VerifySignature(Byte[] signingInput, Byte[] signature)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateSignature(OAuthAccessTokenRequestContext tokenContext)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateSignature(OAuthAccessTokenRequestContext tokenContext)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext)
System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
at Microsoft.IdentityModel.Tokens.JSON.X509AsymmetricSignatureProvider..ctor(X509AsymmetricSecurityKey x509Key)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthSignatureManager.VerifySignature(Byte[] signingInput, Byte[] signature)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateSignature(OAuthAccessTokenRequestContext tokenContext)
- First I send a request to the server domain to check login
request:
GET /adfs/oauth2/authorize?response_type=code&client_id=ab762716-544d-4aeb-a526-687b73838a33&redirect_uri=https://localhost:8443/myProject/products&resource=https://localhost:8443 HTTP/1.1
response:
https://localhost:8443/myProject/products?code=Bn2DTsZFkkOnI9EsEgY5jA.S4yKPnnV0wgDAfNn306Ig8UZAdA.E3K7imnnLpn4GcnwJWFC5yDd5d_Oq9DwrV4B0FsMeY7T_TwgzdAy9CkjXSmJRhCp_PADoDSTko2IZFCgbfted5v8wjxogZf4urkIT-2AkKH4YkSTrpplbV6jz_WT6QsSu2KPhu6hEcz75LDmtbXNhpXXugwNi8PSw7y-0ocjnt1au5nu02Y_YJMjhQjdPIVtZre2Rpg4caN3foIvrQCLC47SHmilLExB4be3fDPHWZG_YCqMMuUpXnPlRe0nHkgH-KclPd2njJi_prBhCnVtydhI41xoXrQrKPo_FfCe8FOldqPqwSejSzHsDqwBKILum5dbpgL0GmN4iq6ImxWc_w
- When I have the code, I request the access token again
Request:
POST /adfs/oauth2/token HTTP/1.1
grant_type=authorization_code&code=Bn2DTsZFkkOnI9EsEgY5jA.S4yKPnnV0wgDAfNn306Ig8UZAdA.E3K7imnnLpn4GcnwJWFC5yDd5d_Oq9DwrV4B0FsMeY7T_TwgzdAy9CkjXSmJRhCp_PADoDSTko2IZFCgbfted5v8wjxogZf4urkIT-2AkKH4YkSTrpplbV6jz_WT6QsSu2KPhu6hEcz75LDmtbXNhpXXugwNi8PSw7y-0ocjnt1au5nu02Y_YJMjhQjdPIVtZre2Rpg4caN3foIvrQCLC47SHmilLExB4be3fDPHWZG_YCqMMuUpXnPlRe0nHkgH-KclPd2njJi_prBhCnVtydhI41xoXrQrKPo_FfCe8FOldqPqwSejSzHsDqwBKILum5dbpgL0GmN4iq6ImxWc_w&client_id=ab762716-544d-4aeb-a526-687b73838a33&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fstb-socialpayment-admin%2Fproducts
Response:
{"error":"invalid_grant","error_description":"MSIS9612: The authorization code received in 'code' parameter is invalid. "}
Thanks
- Edited by Ho Quoc Phuong Tuesday, September 6, 2016 1:31 AM
Tuesday, September 6, 2016 1:27 AM -
I notice that the redirect_uri is different across the messages?
Have you configured ADFS correctly? Refer to Securing a Web API with ADFS on WS2012 R2 Got Even Easier.
Also a good example: OAUTH2 Authentication with ADFS 3.0.
Wednesday, September 7, 2016 8:50 PM -
Thanks nzpcmad1.
Friday, September 9, 2016 6:54 AM
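Added example for this thread (not code from the original posts or from ADFS itself): a small Python client helper that models the two legs of the OAuth 2.0 authorization-code flow against the ADFS 3.0 endpoints shown in the trail above (/adfs/oauth2/authorize and /adfs/oauth2/token). It refuses to build a token request whose redirect_uri is not byte-identical to the one used on the authorize leg, which is the mismatch nzpcmad1 points out (the trail uses /myProject/products on the first leg and /stb-socialpayment-admin/products on the second), and it decodes the RFC 6749 error object that ADFS returns with HTTP 400, such as invalid_grant / MSIS9612. The server-side "Keyset does not exist" exception in the posted trace is a separate problem (ADFS could not load a certificate's private key while validating the code's signature) that no client change can fix, so the helper only covers what the client controls. The host name, client_id, code values and the demo() inputs are constructed placeholders.

```python
# Added example; not the thread author's code and not part of ADFS.
# Models the two legs of the OAuth 2.0 authorization-code flow against the
# ADFS 3.0 endpoints seen in the thread and enforces redirect_uri consistency.
# All host names, client ids and codes below are constructed placeholders.
import json
from urllib.parse import parse_qs, urlencode, urlsplit


class OAuthFlowError(Exception):
    """Raised for a client-side mistake or an error object from the token endpoint."""


class AdfsCodeFlow:
    AUTHORIZE_PATH = "/adfs/oauth2/authorize"
    TOKEN_PATH = "/adfs/oauth2/token"

    def __init__(self, adfs_host, client_id, redirect_uri, resource):
        self.adfs_host = adfs_host          # placeholder ADFS host
        self.client_id = client_id
        self.redirect_uri = redirect_uri    # must be identical on both legs
        self.resource = resource

    def authorize_url(self):
        """First leg: the browser redirect that ends with ?code=... on redirect_uri."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "resource": self.resource,
        }
        return f"https://{self.adfs_host}{self.AUTHORIZE_PATH}?{urlencode(params)}"

    def code_from_redirect(self, redirect_url):
        """Extract the authorization code ADFS appended to the redirect,
        after checking that the redirect landed on the registered redirect_uri."""
        parts = urlsplit(redirect_url)
        landed = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if landed != self.redirect_uri:
            raise OAuthFlowError(f"redirect landed on {landed}, expected {self.redirect_uri}")
        query = parse_qs(parts.query)
        if "error" in query:
            raise OAuthFlowError(query["error"][0])
        codes = query.get("code")
        if not codes or not codes[0]:
            raise OAuthFlowError("redirect carried no authorization code")
        return codes[0]

    def token_request(self, code, redirect_uri=None):
        """Second leg: return (path, form body) for POST /adfs/oauth2/token.
        redirect_uri must match the authorize leg exactly; ADFS rejects the
        exchange otherwise, so fail here before the request leaves the client."""
        redirect_uri = self.redirect_uri if redirect_uri is None else redirect_uri
        if redirect_uri != self.redirect_uri:
            raise OAuthFlowError(
                f"redirect_uri mismatch: authorize used {self.redirect_uri!r}, "
                f"token request would use {redirect_uri!r}"
            )
        form = {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": self.client_id,
            "redirect_uri": redirect_uri,
        }
        return self.TOKEN_PATH, urlencode(form)

    @staticmethod
    def parse_token_response(status, body):
        """Decode the JSON the token endpoint returns. A 200 with access_token
        yields the token fields; an error object (RFC 6749 section 5.2) raises
        OAuthFlowError carrying error and error_description."""
        payload = json.loads(body)
        if status == 200 and "access_token" in payload:
            return payload
        err = payload.get("error", f"http_{status}")
        desc = payload.get("error_description", "").strip()
        raise OAuthFlowError(f"{err}: {desc}" if desc else err)


def demo():
    """Constructed inputs shaped like the thread's trail; returns the token
    request plus whether a differing redirect_uri was rejected client-side."""
    flow = AdfsCodeFlow("adfs.example.test", "00000000-0000-0000-0000-000000000000",
                        "https://localhost:8443/myProject/products", "https://localhost:8443")
    code = flow.code_from_redirect("https://localhost:8443/myProject/products?code=CONSTRUCTED.CODE")
    path, body = flow.token_request(code)
    try:
        flow.token_request(code, "https://localhost:8443/other-app/products")
        mismatch_caught = False
    except OAuthFlowError:
        mismatch_caught = True
    return path, body, mismatch_caught


if __name__ == "__main__":
    print(demo())
```

The check in token_request is deliberately a plain string comparison rather than a normalised URL comparison: the authorization server compares the registered and presented values literally, so the client should catch any drift (a different path, trailing slash, or host casing) before the code is spent, since a rejected exchange consumes the single-use code and forces another round trip through /adfs/oauth2/authorize.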