Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ADFS as OAuth2 provider / Authentication server possible?

Tags:

authentication

authorization

oauth-2.0

adfs

adfs3.0

We want to setup ADFS 3.0 to enable OAuth2 based authentication. I have read lots of documentation, but am still unclear if this is supported.

Can ADFS be used as an authorization server for oauth, or is oauth2 support in ADFS only meant to work as a client to another authorization server?

Any help for setting up adfs as oauth provider/server is appreciated.

like image 283
Gobliins Avatar asked Aug 23 '16 08:08

Gobliins

People also ask

Does ADFS support oauth2?

ADFS issues access tokens and refresh tokens in the JWT (JSON Web Token) format in response to successful authorization requests using the OAuth protocol. ADFS does not issue SAML tokens over the OAuth authorization protocol inherently, but can be allowed using SecureW2.

What authentication protocol does ADFS use?

Kerberos is used as a preferred authentication method: In general, joining a client to a Windows domain means enabling Kerberos as default protocol for authentications from that client to services in the Windows domain and all domains with trust relationships to that domain.

Does ADFS provide authorization?

It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token.

Can oauth2 be used for authentication?

OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user's data.

1 Answers

in ADFS 2012R2 (aka ADFS 3.0), we only support the authorization grant flow. The only scenario is for public clients (say a mobile app on iOS/Android/Windows) to access a RESTful service and authorizing via JWT tokens. You can see this at https://msdn.microsoft.com/en-us/library/dn633593.aspx

With ADFS 2016 (which will release imminently), you have the full Oauth/OIDC support. With this you can build web apps, single page apps, API's, multi-tiered app systems that require On-behalf-of support, confidential clients (with support for windows service accounts acting as confidential clients). You can check this out https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/ad-fs-development

like image 125
SamuelD MSFT Avatar answered Sep 21 '22 11:09

SamuelD MSFT
Sign in to Comment

Related questions

How do I replace the cakephp password hashing algorithm?
What is the best way to restrict access to a development website?
Intranet website authentication using windows logon
Does my PHP security algorithm effectively store user credentials?
Rails: Devise redirect to a stored location after sign in or sign up?
Socket Authentication Server?
FormsAuthentication.RedirectFromLoginPage Vs Response.Redirect
How to connect Mediawiki to a custom user-database?
Authenticate system without sessions - Only cookies - Is this reasonably secure?
Heroku, Devise: Getting 'NoMethodError (undefined method `to_key' for :user:Symbol)'
Authentication in Spring Security whith encoded password
In Play! 2.0 with Security trait how do I redirect to the original URL after login?
Creating a keytab to use with kinit in Windows
Asp.Net MVC Bundling on Login Page
How to create Password Digest for use with Web Service?
how to turn a hapi auth plugin to be optional
Laravel 5: How to add Auth::user()->id through the constructor ?
Spring Security with basic auth redirecting to /error for invalid credentials
Remove WWW-authenticate header from Basic authentication in Spring Boot
Extending Laravel 5.2 SessionGuard

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!