Does customizing id_token in ADFS 2016 support server app and hybrid flow code+id_token

  • Question

  • Hi all,

    Following the TechNet article on customizing id_token with ADFS 2016, it works using a native app (no client secret and limited to implicit flow).

    My scenario is quite different as I would like to use a hybrid flow (or code flow) with a server application.

    I have a C# web application and a C# web API. The web application should receive the id_token with custom claims and use the code to retrieve an access token (with the ADAL library), allowing it to call the web API later.

    For now, the only workaround I found is to request an access_token for the resource with an equal identifier as the web clientId and extract claims to augment the identity created from the id_token and resign the user.

    I use ADAL and aspnet core openidconnect middleware.

    Any guidance would be appreciated

    Wednesday, November 2, 2016 5:49 PM
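
A sketch of the workaround described in the question, with the checks it depends on: the access token is validated and tied to the signed-in user before any claim is copied. This is an added example, not code from the poster, ADFS or ADAL. `AccessTokenClaimMerger`, `Merge` and `bindingClaimType` are hypothetical names. It assumes the caller supplies `TokenValidationParameters` holding the ADFS signing keys, issuer and the audience the access token carries, and that the OpenID Connect middleware also runs with the inbound claim type map cleared so both tokens use the same claim type names.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (added example): merges claims from a validated access token
// into the identity that was built from the id_token.
public static class AccessTokenClaimMerger
{
    // Claims that describe the token itself and must not be copied onto the user.
    static readonly HashSet<string> TokenMetadata = new HashSet<string>
        { "iss", "aud", "exp", "nbf", "iat", "auth_time", "nonce", "at_hash", "c_hash" };

    // bindingClaimType: a claim type present in both tokens that identifies the user
    // (assumption: which claim that is depends on the claim rules in use).
    public static int Merge(ClaimsIdentity user, string accessToken,
        TokenValidationParameters validation, string bindingClaimType)
    {
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear(); // keep claim types as they appear in the JWT

        // Throws on a bad signature, issuer, audience or lifetime.
        SecurityToken validated;
        ClaimsPrincipal fromToken = handler.ValidateToken(accessToken, validation, out validated);

        // Both tokens must be about the same user before anything is copied.
        string expected = user.FindFirst(bindingClaimType)?.Value;
        string actual = fromToken.FindFirst(bindingClaimType)?.Value;
        if (expected == null || !string.Equals(expected, actual, StringComparison.Ordinal))
            throw new SecurityTokenValidationException(
                "Access token is not bound to the signed-in user.");

        int added = 0;
        foreach (Claim claim in fromToken.Claims)
        {
            if (TokenMetadata.Contains(claim.Type)) continue;
            if (user.HasClaim(claim.Type, claim.Value)) continue; // already set from the id_token
            user.AddClaim(new Claim(claim.Type, claim.Value, claim.ValueType, claim.Issuer));
            added++;
        }
        return added; // number of claims added to the identity
    }
}
```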

All replies

  • There's a series of posts here (you've probably seen them?)

    I've written up a series of scenarios here.

    Page down through them - I've covered a number of cases.

    Wednesday, November 2, 2016 6:15 PM
  • Yes,

    I followed these articles (especially Customizing the Id_Token in OpenID Connect Scenarios) but I cannot make it work with a server application or website.

    I changed my code to implicit flow and configured a native app. In this case, the rule claims in the associated web API are called and the id_token is correctly populated. But then, I cannot obtain a user-impersonated access token for another API, as it would require a UserAssertion built from an access token, which the implicit flow doesn't permit obtaining in the first place.

    To go further, in the native app case, if the native app is not authorized in client permissions, then ADFS returns an error "The+client+is+not+allowed+to+access+the+requested+resource". Meaning that the process to populate the id_token found the web API and checked permission before evaluating claim rules.

    This is not the case with a server application, and the id_token is returned without even trying to find a resource of the same Id to populate the id_token, whether the response type is "code" (code grant flow) or "code+id_token" (hybrid flow).

    Thursday, November 3, 2016 9:36 AM