Angular 6 and ADAL

    Question

  • Hi

    I'm using the following ADAL library for Angular: adal-angular4

    I have an Angular 6 based app with the ADAL library for my on-prem ADFS; login works and I am able to get a token. But I want to get back custom claims like email address, first name and last name. As per the ADFS 2016 doc, I need to have the resource parameter. So here is my config object:

    config: {
        instance: 'myadfsserver https link',   // base URL of the on-prem ADFS server
        tenant: 'adfs',
        clientId: 'my_client_id',
        resource: 'myresource/',               // audience the token should be issued for
        redirectUri: window.location.origin,
        // extraQueryParameter: 'resource=myresource/',
        extraQueryParameter: 'use_windows_client_authentication=true',
        postLogoutRedirectUri: 'myurl',

        endpoints: {
            'myadfsserver https link': '00000000-0000-0000-0000-000000000000'
        }
    }

    So when I click login in my app:

    the URL constructed doesn't have ?resource=myresource
    upon logout it's not redirecting to my configured postLogoutRedirectUri
    when I uncomment the extraQueryParameter line, &resource=myresource shows up, but the JWT token doesn't have my custom claims :(

    Is there any other way to get custom claims?

    Thanks

    ** From my ADFS setup we have configured email address, first name and last name as pass-through claims.

  • Moved by YASWANTHM-MSFT (Microsoft employee) Thursday, September 6, 2018 2:46 PM: Moving the thread from Azure AAD for better Exposure and Guidance from the Right Experts.
    Tuesday, September 4, 2018 2:38 PM

All replies

  • Could you share the document which you are following and elaborate on your scenario with more information? Also, could you share the error code with a screenshot?
    Tuesday, September 4, 2018 8:37 PM
  • OK, my logout issue is fixed. I found the solution at https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/677.

    So the only thing remaining is claims. My ADFS admin has set up the server application and web API following

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-oauth-confidential-clients-with-ad-fs

    plus we have configured the following claims along with first name, last name and email address. In the screenshot I did not show email address, first name and last name.

    On permitted scopes we have the following + email and allatclaims.

    But my id_token doesn't have any extra values like first name, last name, email address etc. I also tried https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/custom-id-tokens-in-ad-fs but no luck.

    As I'm pretty new to this, if someone could guide me on how to test it manually first via Postman, that would rule out ADFS setup issues (I guess).

    About the scenario: Angular 6 UI app --> ADFS 2016 --> get id_token with email address, first name, last name (maybe groups). There is no error, as login works; the generated token just doesn't have the additional values which I'm looking for.

    Let me know what more information I can provide.

    Tuesday, September 4, 2018 11:40 PM
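    One way to do the manual check asked for above, as an added example that is not code from the thread or from adal-angular4: build the authorize request that ADAL.js derives from the config in the question (instance + tenant + '/oauth2/authorize', here with an explicit resource and scope), then decode the returned id_token and list which of the expected claims are absent. The host, client id, resource and sample token are constructed placeholders.

```javascript
// Added example, not code from the thread or from adal-angular4. Placeholder values
// (host, client id, resource) are constructed; replace them with your own.
const ADFS_INSTANCE = 'https://adfs.example.test/';   // config.instance
const ADFS_TENANT = 'adfs';                            // config.tenant (always 'adfs' on AD FS)
const CLIENT_ID = 'my_client_id';                      // config.clientId
const RESOURCE = 'https://api.example.test/';          // config.resource: the token audience
const REDIRECT_URI = 'https://localhost:8443/login';   // config.redirectUri
const EXPECTED_CLAIMS = ['email', 'given_name', 'family_name'];

// Build the authorize request ADAL.js forms from the config: instance + tenant + '/oauth2/authorize'.
// The resource names the audience and the scope lists what the Web API permits (the thread
// mentions 'email' and 'allatclaims'); both are what AD FS looks at when deciding which claims to issue.
function buildAuthorizeUrl(nonce, scopes = ['openid', 'email', 'allatclaims'], responseMode = 'fragment') {
  const base = ADFS_INSTANCE.replace(/\/?$/, '/') + ADFS_TENANT + '/oauth2/authorize';
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: 'id_token',
    redirect_uri: REDIRECT_URI,
    resource: RESOURCE,
    scope: scopes.join(' '),
    nonce,
    // ADAL.js reads the token from the URL fragment; the custom-id-tokens doc cited in the
    // thread asks for 'form_post', which a plain Angular SPA cannot receive.
    response_mode: responseMode,
  });
  return `${base}?${params.toString()}`;
}

// Decode a JWT payload for inspection only (no signature check: never use this to authorize).
function decodeJwtPayload(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Report which expected claims the id_token lacks and whether 'aud' equals the resource.
function checkIdToken(jwt) {
  const payload = decodeJwtPayload(jwt);
  return {
    missing: EXPECTED_CLAIMS.filter((c) => !(c in payload)),
    audienceMatches: payload.aud === RESOURCE,
  };
}

// Constructed, unsigned sample token (header.payload. with empty signature) for the demo only.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
```

    Paste the URL from buildAuthorizeUrl into a browser or Postman, copy the id_token out of the redirect, and run checkIdToken on it: an empty missing list with audienceMatches true means the ADFS side is issuing the claims and the problem is on the client.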
  • Oh, and I can't share any screenshots as my account isn't verified :) Now you can surely say I'm new to this lol
    Tuesday, September 4, 2018 11:41 PM
  • If you are not allowed to post images, you may verify your account here:

    Ref:- https://social.technet.microsoft.com/Forums/en-US/090972cb-b81f-498f-b718-948caca975c4/verify-account-41?forum=reportabug

    Wednesday, September 5, 2018 11:10 AM
  • Let me see if I can attach some screenshots.

    From scopes I have enabled, including those highlighted here.

    Wednesday, September 5, 2018 1:14 PM
  • For some reason I still can't paste screenshots. Please let me know what more information I should provide.
    Wednesday, September 5, 2018 5:59 PM
  • As I still can't share screenshots, will command line output help?

    Here is the output of

    Get-AdfsServerApplication - -Application testoauth

    ADUserPrincipalName                  :
    ClientSecret                         : ********
    JWTSigningCertificateRevocationCheck : None
    JWTSigningKeys                       : {}
    JWKSUri                              :
    Name                                 : testauth - Server application
    Identifier                           : *****************
    ApplicationGroupIdentifier           : testauth
    Description                          :
    Enabled                              : True
    RedirectUri                          : {https://localhost:8443/login}

    Give me some time to get the Get-AdfsWebApiApplication output. So once again, just reminding that my issue is that the id_token doesn't have additional values like first name, last name, email address etc. Or if I can mail you the screenshot in a Word document, let me know.


    Wednesday, September 5, 2018 7:00 PM
  • https://medium.com/the-new-control-plane/the-mystery-of-the-missing-adfs-jwt-claims-7658d9cdeaac

    Monday, September 10, 2018 7:36 PM
    Moderator
  • Really sorry for the late reply. I tried this and it still doesn't work :( Do you have some time to do a screen share with me? I don't care about the timezone :)
    Friday, December 7, 2018 3:12 AM
  • Roy

    Also one more thing. My ADFS is on-prem. In your example I'm seeing you are accessing ADFS from Azure. Does that make any difference?

    FYI "We have a more current cumulative update KB4103720 from 5/8/18 installed on the ADFS servers"

    Raj

    Friday, December 7, 2018 3:50 PM
  • So with https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/custom-id-tokens-in-ad-fs, if I use form_post my Angular app gives the error "cannot POST /". Is there no one who has got custom claims using ADFS OAuth and Angular?
    22 hours 35 minutes ago