ADFS 3.0 OAuth2 access token

  • Question

  • Hi All,

    I receive response from server domain after login with code:

    https://localhost:8443/myProject/products?code=Bn2DTsZFkkOnI9EsEgY5jA.km58JFfV0wjrAJ56sckumpqIlbQ.gGQ804AiyxfZKYmitUgAnsoIVNt74cHl6aZTNtMCtPvEC3SS2yZvAReGfjHNKainSbH_Z6w_1dcWPqizV1a8FjWUozKybXnSQXHsWQsyAEisqKXCXc5aTacJEzxLQkS-XuTgvlW9FG9ov6et_uYlcQBmIQsi_Z7NYnmuhPXL1GmUl7VLafivVY_xblViWOZTlyLe3mWCUnTBQtFTU7GimHn5mXHnb5bNnbO7lumgdPK5RlSGlUCMPVuVmFsPm6KqOg4bkws36QmRlteEtWz-S12IdbcS7URr2n8S28MMgclEAGCwf2Z26LUe1P71K-NAZD4vmKRn2EVD0gDcVT8CCA

    After that I request the token with this code, but the server responds:

    HTTP/1.1 400 Bad Request
    Cache-Control: no-store
    Pragma: no-cache
    Content-Length: 132
    Content-Type: application/json;charset=UTF-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Mon, 05 Sep 2016 08:56:41 GMT
    Connection: close

    {"error":"invalid_grant","error_description":"MSIS9612: The authorization code received in 'code'parameter is invalid. "}

    Thank you very much



    Monday, September 5, 2016 9:13 AM

Answers

  • Could be a number of reasons.

    The grant is invalid, the token has expired etc.

    Please post the whole trail i.e. all requests / responses.

    • Marked as answer by Ho Quoc Phuong Tuesday, September 6, 2016 1:27 AM
    Monday, September 5, 2016 7:05 PM

All replies

  • Hi nzpcmad1,

    I use Java. On the ADFS server there is error number 1021.

    Exception details:

    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException: MSIS9247: Received invalid OAuth access token request. The authorization code is invalid. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
       at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
       at Microsoft.IdentityModel.Tokens.JSON.X509AsymmetricSignatureProvider..ctor(X509AsymmetricSecurityKey x509Key)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthSignatureManager.VerifySignature(Byte[] signingInput, Byte[] signature)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateSignature(OAuthAccessTokenRequestContext tokenContext)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateSignature(OAuthAccessTokenRequestContext tokenContext)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext)

    System.Security.Cryptography.CryptographicException: Keyset does not exist
       at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
       at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
       at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
       at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
       at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
       at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
       at Microsoft.IdentityModel.Tokens.JSON.X509AsymmetricSignatureProvider..ctor(X509AsymmetricSecurityKey x509Key)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthSignatureManager.VerifySignature(Byte[] signingInput, Byte[] signature)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ValidateSignature(OAuthAccessTokenRequestContext tokenContext)

    • First I send a request to the server domain to check the login.

    request:

    GET /adfs/oauth2/authorize?response_type=code&client_id=ab762716-544d-4aeb-a526-687b73838a33&redirect_uri=https://localhost:8443/myProject/products&resource=https://localhost:8443 HTTP/1.1

    response:

    https://localhost:8443/myProject/products?code=Bn2DTsZFkkOnI9EsEgY5jA.S4yKPnnV0wgDAfNn306Ig8UZAdA.E3K7imnnLpn4GcnwJWFC5yDd5d_Oq9DwrV4B0FsMeY7T_TwgzdAy9CkjXSmJRhCp_PADoDSTko2IZFCgbfted5v8wjxogZf4urkIT-2AkKH4YkSTrpplbV6jz_WT6QsSu2KPhu6hEcz75LDmtbXNhpXXugwNi8PSw7y-0ocjnt1au5nu02Y_YJMjhQjdPIVtZre2Rpg4caN3foIvrQCLC47SHmilLExB4be3fDPHWZG_YCqMMuUpXnPlRe0nHkgH-KclPd2njJi_prBhCnVtydhI41xoXrQrKPo_FfCe8FOldqPqwSejSzHsDqwBKILum5dbpgL0GmN4iq6ImxWc_w

    • When I have the code, I request the access token.

    Request:

    POST /adfs/oauth2/token HTTP/1.1

    grant_type=authorization_code&code=Bn2DTsZFkkOnI9EsEgY5jA.S4yKPnnV0wgDAfNn306Ig8UZAdA.E3K7imnnLpn4GcnwJWFC5yDd5d_Oq9DwrV4B0FsMeY7T_TwgzdAy9CkjXSmJRhCp_PADoDSTko2IZFCgbfted5v8wjxogZf4urkIT-2AkKH4YkSTrpplbV6jz_WT6QsSu2KPhu6hEcz75LDmtbXNhpXXugwNi8PSw7y-0ocjnt1au5nu02Y_YJMjhQjdPIVtZre2Rpg4caN3foIvrQCLC47SHmilLExB4be3fDPHWZG_YCqMMuUpXnPlRe0nHkgH-KclPd2njJi_prBhCnVtydhI41xoXrQrKPo_FfCe8FOldqPqwSejSzHsDqwBKILum5dbpgL0GmN4iq6ImxWc_w&client_id=ab762716-544d-4aeb-a526-687b73838a33&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fstb-socialpayment-admin%2Fproducts

    Response:

    {"error":"invalid_grant","error_description":"MSIS9612: The authorization code received in 'code' parameter is invalid. "}

    Thanks


    Tuesday, September 6, 2016 1:27 AM
  • I notice that the redirect_uri is different across the messages?

    Have you configured ADFS correctly? Refer to Securing a Web API with ADFS on WS2012 R2 Got Even Easier.

    Also a good example: OAUTH2 Authentication with ADFS 3.0.

    Wednesday, September 7, 2016 8:50 PM
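The mismatch nzpcmad1 points out is the one an authorization server is required to catch: RFC 6749 section 4.1.3 says the token request must repeat the exact redirect_uri from the authorization request, and the client_id must match too. The following Python is an added illustration, not code from the thread or from ADFS. It parses the two requests quoted above (client_id and redirect_uri values copied from the posts; the authorization code is a placeholder), reports which parameters differ, and shows a token request built from the authorize parameters so the two cannot drift apart in client code. It does not cover the server-side "Keyset does not exist" exception in the posted event log; the stack trace shows that one is raised from X509Certificate2.get_PrivateKey, i.e. ADFS could not open the private key of the certificate it uses for the code, which is a separate condition from anything in the client's requests.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed inputs modelled on the two requests quoted in the thread.
# client_id and redirect_uri are copied from those posts; the code value
# is a placeholder, not a real authorization code.
AUTHORIZE_REQUEST_LINE = (
    "GET /adfs/oauth2/authorize?response_type=code"
    "&client_id=ab762716-544d-4aeb-a526-687b73838a33"
    "&redirect_uri=https://localhost:8443/myProject/products"
    "&resource=https://localhost:8443 HTTP/1.1"
)
TOKEN_REQUEST_BODY = (
    "grant_type=authorization_code"
    "&code=PLACEHOLDER_AUTHORIZATION_CODE"
    "&client_id=ab762716-544d-4aeb-a526-687b73838a33"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fstb-socialpayment-admin%2Fproducts"
)


def _single_valued(query):
    """parse_qs returns lists; a well-formed OAuth request has one value per name."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def params_from_request_line(request_line):
    """Query parameters of an HTTP request line such as 'GET /path?a=b HTTP/1.1'.

    parse_qs undoes percent-encoding, so the returned values are the decoded
    strings the server actually compares.
    """
    _method, target, _version = request_line.split(" ", 2)
    return _single_valued(urlsplit(target).query)


def params_from_form_body(body):
    """Parameters of an application/x-www-form-urlencoded POST body."""
    return _single_valued(body)


def check_code_exchange(authorize_params, token_params):
    """Findings that would make an authorization server reject the exchange.

    The comparison is a plain string match after decoding: any difference in
    host, port, path or trailing slash is a mismatch.
    """
    findings = []
    if token_params.get("grant_type") != "authorization_code":
        findings.append("grant_type is not authorization_code")
    if not token_params.get("code"):
        findings.append("token request carries no code")
    for name in ("client_id", "redirect_uri"):
        issued_to = authorize_params.get(name)
        presented = token_params.get(name)
        if issued_to != presented:
            findings.append(
                f"{name} differs: authorize={issued_to!r} token={presented!r}"
            )
    return findings


def build_token_request_body(authorize_params, code):
    """Token request derived from the authorize parameters so redirect_uri cannot drift."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": authorize_params["client_id"],
        "redirect_uri": authorize_params["redirect_uri"],
    })


if __name__ == "__main__":
    auth = params_from_request_line(AUTHORIZE_REQUEST_LINE)
    for finding in check_code_exchange(auth, params_from_form_body(TOKEN_REQUEST_BODY)):
        print("mismatch:", finding)
    fixed = build_token_request_body(auth, "PLACEHOLDER_AUTHORIZATION_CODE")
    print("consistent:", check_code_exchange(auth, params_from_form_body(fixed)) == [])
```

Run as a script it prints one mismatch line for redirect_uri (myProject/products versus stb-socialpayment-admin/products) and then "consistent: True" for the rebuilt request. Keeping the redirect_uri in one place in the client, as build_token_request_body does, is the usual way to avoid this class of invalid_grant error; the same exact-match rule also means the value must be registered on the ADFS side byte for byte.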
  • Thanks nzpcmad1.

    Friday, September 9, 2016 6:54 AM