Windows integrated authentication for confidential clients

  • Question

  • I'm trying to setup a web API application accessible through OAuth, and I want to have an application that can access the API with its own credentials.

    I've created an Application Group with a Web API application (for my API) and a Server Application (for the client application).

    If I configure the Server Application with a client id and client secret, I can authenticate to the API with this code:

    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Newtonsoft.Json.Linq;

    // Token request: client_credentials grant, authenticated with client_id + client_secret
    var request = new HttpRequestMessage(HttpMethod.Post, "https://my.adfs.server/adfs/oauth2/token");
    request.Content = new FormUrlEncodedContent(new Dictionary<string, string> {
        { "client_id", "my_client_id" },
        { "client_secret", "my_client_secret" },
        { "grant_type", "client_credentials" },
        { "redirect_uri", "http://bogus" }
    });
    
    string token = null;
    using (var tokenClient = new HttpClient()) {
        var response = tokenClient.SendAsync(request).Result;
        response.EnsureSuccessStatusCode();
        string content = response.Content.ReadAsStringAsync().Result;
        var payload = JObject.Parse(content);
        token = payload.Value<string>("access_token");   // bearer token for the API
    }
    
    // API call: present the access token as a Bearer header
    using (var apiClient = new HttpClient()) {
        apiClient.BaseAddress = new Uri("https://my.rest.api/");
        apiClient.DefaultRequestHeaders.Clear();
        apiClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var requestTask = apiClient.GetAsync("api/some/path");
        requestTask.Wait();
        var apiResponse = requestTask.Result;
    }
    

    What I would like to do is to have the application use integrated Windows authentication, so that I don't need to distribute the secret.

    I've tried to set up the "AD user principal name" property in the server application settings.

    However, I cannot seem to make it work. If in the token request I use grant_type = client_credentials and specify the client_id only, I get a Bad Request response, and in the event log I see an event 1021 with a "client credentials are missing or found empty" message.

    What would be the proper way to request a token using Windows authentication in this scenario?

    Is there an example of use of the "AD user principal name" option in the application group? I cannot seem to find any documentation about it.


    Paolo Tedesco - http://cern.ch/idm

    Friday, September 15, 2017 11:36 AM

All replies

  • Did you solve the problem? And if so: how :-)

    Thanks

    Jochen

    Saturday, April 21, 2018 10:38 PM
  • Hi Jochen,

    You have to specify the parameter "use_windows_client_authentication" = "true".

    The reference in the documentation is at https://msdn.microsoft.com/en-us/library/mt223851.aspx.

    Cheers,

    Paolo


    Paolo Tedesco - http://cern.ch/idm

    Monday, April 23, 2018 7:04 AM
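    As an added example (not code from the original post or from AD FS documentation), here is a C# token request that follows Paolo's answer: the client_secret is dropped, use_windows_client_authentication=true is sent in the form body, and the HttpClient is configured to answer the Windows authentication challenge with the credentials of the current process. The AD FS host, client_id and API URL are placeholders, and the example assumes the process runs as the domain account whose UPN is configured as the "AD user principal name" of the server application.

    ```csharp
    // Added example: AD FS client_credentials grant with Windows integrated client
    // authentication. Host names, client_id and API path are placeholders (assumed).
    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;

    static class WindowsAuthTokenClient
    {
        const string TokenEndpoint = "https://my.adfs.server/adfs/oauth2/token"; // placeholder
        const string ClientId = "my_client_id";                                   // placeholder
        const string ApiBase = "https://my.rest.api/";                            // placeholder

        public static async Task<string> GetAccessTokenAsync()
        {
            // UseDefaultCredentials lets the handler answer the 401 Negotiate/NTLM
            // challenge with the identity of the running process (the service account);
            // that identity is what AD FS matches against the configured UPN.
            var handler = new HttpClientHandler
            {
                UseDefaultCredentials = true,
                PreAuthenticate = true
            };

            using (var client = new HttpClient(handler))
            {
                var form = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    { "client_id", ClientId },
                    { "grant_type", "client_credentials" },
                    // No client_secret: the Windows identity is the client credential.
                    { "use_windows_client_authentication", "true" }
                });

                using (var response = await client.PostAsync(TokenEndpoint, form))
                {
                    string body = await response.Content.ReadAsStringAsync();
                    if (!response.IsSuccessStatusCode)
                    {
                        // Surface the AD FS error body (error / error_description) rather
                        // than only the status code; it usually names the failing check.
                        throw new InvalidOperationException(
                            $"Token request failed ({(int)response.StatusCode}): {body}");
                    }
                    return JObject.Parse(body).Value<string>("access_token");
                }
            }
        }

        public static async Task<string> CallApiAsync(string token)
        {
            using (var apiClient = new HttpClient { BaseAddress = new Uri(ApiBase) })
            {
                apiClient.DefaultRequestHeaders.Authorization =
                    new AuthenticationHeaderValue("Bearer", token);
                using (var apiResponse = await apiClient.GetAsync("api/some/path"))
                {
                    apiResponse.EnsureSuccessStatusCode();
                    return await apiResponse.Content.ReadAsStringAsync();
                }
            }
        }

        static async Task Main()
        {
            string token = await GetAccessTokenAsync();
            Console.WriteLine(await CallApiAsync(token));
        }
    }
    ```

    The thing to verify when this fails is the account the process actually runs under (for example with whoami in the same context), since that is the identity sent in the Windows handshake and compared with the UPN on the server application; a secret-less request from a different account, or from a machine that is not domain joined, cannot succeed.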
  • Hello Paolo,

    Thanks, this got me one step further. Now I can see the first step of the 401 handshake, but then the request is aborted and the ADFS log shows 'MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/token to process the incoming request.'. Perhaps I'm calling it wrong, but at least the NTLM handshake starts and the complaint about the missing client secret is gone - so IT CHANGED SOMETHING :-)

    For now I have to move to another ADFS topic, but perhaps I'll have to come back to this one.

    Regards

    Jochen

    Monday, April 23, 2018 7:57 PM
  • Jochen,

    I'm facing the same issue.
    Did you find a solution for this?

    Kind regards,
    Andreas


    Friday, March 1, 2019 12:23 PM