locked
ADFS 4.0: Client credential RRS feed

  • Question

  • Hi,

    There is one scenario we can't get working: getting an access token based upon the user currently logged in. The documentation and samples suggest the following should work:

                         var accessTokenResult = await authContext.AcquireTokenAsync("resourceName","native Client ID", new UserCredential());

      However, on the client side I get an XML parse error and on the server side I get a MSIS7065: There are noregistered protocol handlers on path adfs/oauth2/token to process the incoming request. at Microsof.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)         

    After this I added a server application, required windows integrated and added my service account. Using HttpClient I am now trying to build a request, sent with default credentials:

      var request = new HttpRequestMessage
                        {
                            Method = HttpMethod.Post,
                            RequestUri = new Uri(config.TokenEndpoint)
                        };

                          request.Headers.Add("client-request-id", Guid.NewGuid().ToString());
                        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                           request.Method = HttpMethod.Post;
                        request.Content = new FormUrlEncodedContent(new Dictionary<string,string>{
                                                 { "client_id", "The Client ID"},
                            { "resource",  "the resource"},
                            // { "grant_type", "srv_challenge" },
                            {"grant_type", "client_credentials" },
        { "redirect_uri", "http://myredirect" },
           { "use_windows_client_authentication", "true" },
                          {"Scope", "openid" }
                        });
                        var res = await httpClient.SendAsync(request);

    None of the grant types seem to work however, except for srv_challenge, which gives back a nonce. Not sure however on how to go from nonce to a an access token. My goal is the end getting a JWT bearer token for on-behalf-of calls. Documentation around WIA and token endpoints appears however to be far and few between. https://blogs.technet.microsoft.com/cloudpfe/2017/10/16/oauth-2-0-confidential-clients-and-active-directory-federation-services-on-windows-server-2016/ is the best I could find, but it is missing the crucial piece of the actual content sent to the ADFS server.

    • Edited by mrent Monday, August 27, 2018 8:42 PM
    Monday, August 27, 2018 5:31 PM