Wednesday, November 09, 2016

Postman : Authorisation Code Grant on Server 2016 - ADFS 4.0

I previously blogged on ADFS - Web App and Web API on Server 2016 TP4 ADFS 4.0.

This also shows the ADFS configuration

This is using Authorisation Code Grant in a .NET C# program to call the default template API i.e.

/api/values

Then I was asked how to do this with Postman which turned out to be less trivial than I thought.

As always, the Postman gist is here.

There is an authorisation request, a token request and the API request.

The VS project (as above) runs on my PC and has the web site and web service.

Running the authorisation request from a browser redirects to ADFS to authenticate and then returns a code in the query string..

As in "/?code=NjX0...".

We paste the code into the body of the second request (the code parameter) and then send it. This returns an access token, a refresh token and an ID token.

The Postman script automatically posts the access token into the third request (the API call) and this returns:

[
  "value1",
  "value2"
]

as we would expect.

The access token and the id token are encoded and can be decoded with something like jwt.io.

The refresh token is just a long GUID.

This results in:

Access token:

{
  "aud": "https://my-pc/TodoListService/",
  "iss": "http://my-adfs/adfs/services/trust",
  "iat": 1478562128,
  "exp": 1478565728,
  "apptype": "Confidential",
  "appid": "a07...e75",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "auth_time": "2016-11-07T22:50:31.925Z",
  "ver": "1.0",
  "scp": "openid user_impersonation"
}

ID token:

{
  "aud": "a07...e75",
  "iss": "https://my-adfs/adfs",
  "iat": 1478562128,
  "exp": 1478565728,
  "auth_time": 1478559031,
  "sub": "v2O...nA=",
  "upn": "user1@dev.local",
  "unique_name": "DEV\\user1"

The ADFS wizard allows you to add claims to the web API part.

So I added the usual LDAP rules for email, given name and surname.

After this change, this resulted in a new access token.

{
  "aud": "https://my-pc/TodoListService/",
  "iss": "http://my-adfs/adfs/services/trust",
  "iat": 1478562556,
  "exp": 1478566156,
  "email": "user1@company.com",
  "given_name": "User",
  "family_name": "One",

  "apptype": "Confidential",
  "appid": "a07...e75",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "auth_time": "2016-11-07T23:49:15.935Z",
  "ver": "1.0",
  "scp": "openid user_impersonation"
}

Enjoy!

2 comments:

Giorgos Iliopoulos said...

Thank you so much for all your posts on ADFS 2016. They have been a life saver :)

I have a question regarding the enriched AccessToken which contains the added LDAP claims:
"email": "user1@company.com",
"given_name": "User",
"family_name": "One",

Is is possible to access these added claims from the WebApp without making any request to the WebAPI?

Thank you,
George

nzpcmad said...

Sort of - as per http://nzpcmad.blogspot.co.nz/2017/05/adfs-augmenting-default-jwt-with.html.

It's a web API that's not a web API!

Just FYI - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-development