 

PHP + ADFS for SSO (via OAuth) - How to setup ADFS?

I'm trying to use ADFS for SSO on a project. The project is in PHP and I'm trying to use OAuth for this.

So what are the steps for setting up ADFS to work with OAuth2? I have no idea about ADFS and can't find any direct guide on the OAuth2 settings there.

Thanks a lot.

Raheel Hasan asked Oct 11 '16 04:10



1 Answer

I see that the question is quite old. But in case other people get here, I have an answer which should be good as of March 2019.

Let me start with a general overview.

SSO

SSO could be done with personal Google, Facebook, GitHub, Twitter, or Microsoft accounts. After logging in to your account, you can log in to other systems (e.g. WordPress or any other) without a password (if those systems are integrated with that Identity Provider) once you give consent (see picture below).

[Image: SSO user consent, personal Google account]

There are services whose main focus is to provide Identity Provider / SSO capabilities (e.g. Okta, Auth0, Google Cloud Identity, Azure Active Directory, AWS IAM).

[Image: SSO user consent, sign in with Microsoft account via Auth0]

In the corporate network, the user could be silently signed in via ADFS based on the AD account, without entering credentials.

Actually, ADFS supports different authentication protocols like SAML, WS-Fed, and OAuth. But nowadays services usually implement OpenID Connect, which works on top of the OAuth 2.0 protocol.

OpenID Connect flows

There are a number of authentication flows that OpenID Connect defines. The most preferable ones are:

  1. Authorization Code Flow with PKCE (single-page applications, native applications)

If you are using oidc-client-js, you should use response_type=code to use PKCE.

Public native app clients MUST implement the Proof Key for Code Exchange (PKCE, RFC 7636)

https://www.rfc-editor.org/rfc/rfc8252#section-6

Note: although PKCE so far was recommended as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-12#section-3.1.1

  2. Implicit flow, considered Not recommended:

Clients SHOULD NOT use the implicit grant and any other response type causing the authorization server to issue an access token in the authorization response

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-09

  3. Client credentials flow. For service-to-service communication.

How to configure ADFS?

You can find quite detailed documentation with illustrations for "Native app scenario" at Microsoft Docs: Native client with ADFS.

If you are not using ADFS, you can play with the PKCE flow setup in the playground.

JavaScript frontend

Never store client secrets in public applications like a JS frontend or mobile apps. It's not applicable to the PKCE flow, but just in case.

If you have a modern SPA application (e.g. Angular or React), it means that the frontend should have only the client_id to enable the end user to obtain the JWT access_token in a browser via ADFS. You don't need any client_secret.

oidc-client-js could help you with that. Make sure that code_verifier is being sent along with the token request (it means that you are using the more secure PKCE flow).

PHP backend

And on the PHP side you'll need to validate the access token. You can implement the workflow on your own according to that article. But it's better to use an OpenID certified library, which you can find on this page (not only for PHP): https://openid.net/developers/certified/

So, for PHP there is only one: phpOIDC.

Authentication

OAuth 2.0 can help you only with authentication (to establish the user's identity).

Most probably you would like to have different permissions for different users. And the OpenID Connect implementation in ADFS provides the ability to map AD groups to token claims. Therefore, you can decode the JWT access token on the backend and implement claims-based authorization.

To use JWT claims, be sure to properly validate the authenticity of the token and the issuer:

  • Validate JWT signature using public key
  • Check issuer for the proper issuer (Identity Provider)
  • Check aud (audience) for the proper client ID
  • Check exp (expiration timestamp)
  • Check claims
Vlad DX answered Oct 17 '22 16:10
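The authorization code flow with PKCE that the answer recommends, written out for a server-side PHP web app talking to AD FS. This is an added example, not code from the original post, the asker's project, or oidc-client-js. The host name, client_id, redirect_uri and the `/adfs/oauth2/authorize` and `/adfs/oauth2/token` paths are assumptions (those paths are the conventional AD FS OAuth 2.0 endpoints; confirm them in `https://<adfs-host>/adfs/.well-known/openid-configuration`). It shows the two halves of the exchange: the login redirect that carries `code_challenge`, and the token request that proves possession of `code_verifier`.

```php
<?php
// Added example (not from the original post): a server-side PHP app as an OpenID Connect
// client against AD FS, authorization code flow with PKCE (RFC 7636, S256 method).
// Assumptions: host, client_id, redirect_uri and endpoint paths below are placeholders.
declare(strict_types=1);

const ADFS_HOST    = 'adfs.example.com';                        // assumption
const CLIENT_ID    = '11111111-2222-3333-4444-555555555555';    // assumption (placeholder GUID)
const REDIRECT_URI = 'https://app.example.com/callback';        // assumption

function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// RFC 7636: code_verifier is 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 chars
function makeCodeVerifier(): string {
    return base64url(random_bytes(32));
}

// S256: code_challenge = base64url(sha256(code_verifier)), over the raw digest (not hex)
function makeCodeChallenge(string $verifier): string {
    return base64url(hash('sha256', $verifier, true));
}

// Step 1: the URL the browser is redirected to. Only the challenge leaves the server.
function buildAuthorizeUrl(string $verifier, string $state, string $nonce): string {
    $params = [
        'client_id'             => CLIENT_ID,
        'response_type'         => 'code',     // never 'token' / 'id_token token' (implicit flow)
        'redirect_uri'          => REDIRECT_URI,
        'scope'                 => 'openid profile',
        'state'                 => $state,     // CSRF binding, compared on the callback
        'nonce'                 => $nonce,     // replay binding, must reappear in the id_token
        'code_challenge'        => makeCodeChallenge($verifier),
        'code_challenge_method' => 'S256',     // never 'plain'
    ];
    return 'https://' . ADFS_HOST . '/adfs/oauth2/authorize?' . http_build_query($params);
}

// Step 2 (callback): redeem the code. Without the verifier a stolen code is useless.
function exchangeCode(string $code, string $verifier): array {
    $ch = curl_init('https://' . ADFS_HOST . '/adfs/oauth2/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,       // never switch off TLS verification for the token endpoint
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'client_id'     => CLIENT_ID,
            'code'          => $code,
            'redirect_uri'  => REDIRECT_URI,
            'code_verifier' => $verifier,     // the PKCE proof
            // a confidential (server-side) client adds 'client_secret' => '...' here as well
        ]),
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException(curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $json = json_decode($body, true);
    if ($status !== 200 || !isset($json['access_token'])) {
        throw new RuntimeException("token endpoint returned HTTP $status: $body");
    }
    return $json;   // access_token, id_token, refresh_token, expires_in, ...
}

// Login request: verifier, state and nonce stay server-side, bound to this user's session.
session_start();
$_SESSION['pkce_verifier'] = makeCodeVerifier();
$_SESSION['oidc_state']    = base64url(random_bytes(16));
$_SESSION['oidc_nonce']    = base64url(random_bytes(16));
echo buildAuthorizeUrl($_SESSION['pkce_verifier'], $_SESSION['oidc_state'], $_SESSION['oidc_nonce']), "\n";

// On the callback, after hash_equals($_SESSION['oidc_state'], $_GET['state']) succeeds:
// $tokens = exchangeCode($_GET['code'], $_SESSION['pkce_verifier']);
// Then validate $tokens['id_token'] (signature, iss, aud == CLIENT_ID, nonce, exp) before trusting it.
```

Run as a CLI script it prints the authorize URL so the parameters can be inspected; in the web app the same call ends in a redirect. The verifier is regenerated per login attempt and is never written into the URL, a cookie, or client-side storage.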
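The token validation checklist at the end of the answer (signature, iss, aud, exp, then claims-based authorization on mapped AD groups), carried out in PHP with built-ins only. This is an added example and not the post's, phpOIDC's, or AD FS's code. To run offline it mints its own RS256 token with a throwaway key; in production the public key is taken from the JWKS document AD FS publishes (conventionally `https://<adfs-host>/adfs/discovery/keys`, selected by the token's `kid` header, confirm via the discovery document). The issuer, the audience value and the `group` claim name are assumptions: an AD FS OIDC issuer has the form `https://<adfs-host>/adfs`, the audience of an access token is the Web API identifier configured in the application group (the id_token's audience is the client_id), and the group claim name is whatever the issuance transform rule emits.

```php
<?php
// Added example (not from the original post): verify an AD FS-style RS256 JWT on the PHP
// backend and authorize on a group claim. Issuer, audience and claim names are assumptions.
declare(strict_types=1);

function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    $d = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    if ($d === false) { throw new UnexpectedValueException('bad base64url'); }
    return $d;
}

// Verify signature, issuer, audience and time claims; return the payload or throw.
// $publicKeyPem is the signing key looked up from JWKS by 'kid', never taken from the token.
function validateJwt(string $jwt, string $publicKeyPem, string $expectedIss, string $expectedAud, int $leeway = 60): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { throw new UnexpectedValueException('malformed JWT'); }
    [$h, $p, $s] = $parts;
    $header  = json_decode(b64url_decode($h), true, 512, JSON_THROW_ON_ERROR);
    $payload = json_decode(b64url_decode($p), true, 512, JSON_THROW_ON_ERROR);

    // 1. Pin the algorithm; honouring whatever 'alg' says enables alg=none / RS-to-HS confusion.
    if (($header['alg'] ?? null) !== 'RS256') { throw new UnexpectedValueException('unexpected alg'); }
    // 2. Signature over the exact header.payload bytes received (no re-encoding).
    if (openssl_verify("$h.$p", b64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new UnexpectedValueException('bad signature');
    }
    // 3. Issuer must be our AD FS, not merely any token the key verifies.
    if (!hash_equals($expectedIss, (string)($payload['iss'] ?? ''))) { throw new UnexpectedValueException('wrong iss'); }
    // 4. Audience: 'aud' may be a string or an array; the token must be meant for this API.
    $aud = (array)($payload['aud'] ?? []);
    if (!in_array($expectedAud, $aud, true)) { throw new UnexpectedValueException('wrong aud'); }
    // 5. Time window, with a small leeway for clock skew between AD FS and this host.
    $now = time();
    if (!isset($payload['exp']) || $now > $payload['exp'] + $leeway) { throw new UnexpectedValueException('expired'); }
    if (isset($payload['nbf']) && $now < $payload['nbf'] - $leeway) { throw new UnexpectedValueException('not yet valid'); }
    return $payload;
}

// Claims-based authorization on the AD group claim AD FS was configured to emit.
function isAllowed(array $claims, string $requiredGroup, string $claimName = 'group'): bool {
    $groups = (array)($claims[$claimName] ?? []);
    return in_array($requiredGroup, $groups, true);
}

// --- offline demo: mint a token with a throwaway key, the way AD FS would sign one ---
$key       = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];
$iss = 'https://adfs.example.com/adfs';   // assumption
$aud = 'urn:example:api';                 // assumption: Web API identifier from the application group

$header  = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'demo']));
$payload = b64url_encode(json_encode([
    'iss' => $iss, 'aud' => $aud, 'sub' => 'jdoe', 'upn' => 'jdoe@example.com',
    'iat' => time(), 'exp' => time() + 3600, 'group' => ['Domain Users', 'App Admins'],
]));
openssl_sign("$header.$payload", $sig, $key, OPENSSL_ALGO_SHA256);
$token = "$header.$payload." . b64url_encode($sig);

$claims = validateJwt($token, $publicPem, $iss, $aud);
echo "user {$claims['upn']} admin=" . var_export(isAllowed($claims, 'App Admins'), true) . "\n";

// A tampered payload with the original signature must be rejected.
$forgedPayload = b64url_encode(json_encode(['iss' => $iss, 'aud' => $aud, 'exp' => time() + 3600, 'group' => ['App Admins']]));
$forged = "$header.$forgedPayload." . b64url_encode($sig);
try {
    validateJwt($forged, $publicPem, $iss, $aud);
    echo "BUG: forged token accepted\n";
} catch (UnexpectedValueException $e) {
    echo "forged token rejected: {$e->getMessage()}\n";
}
```

The order of the checks matters: the signature is verified before any claim is trusted, and the algorithm is pinned before the signature is checked, so a token that merely decodes to plausible JSON never reaches the authorization step. Key rollover on AD FS is handled by re-fetching JWKS when an unknown `kid` appears, not by accepting unsigned tokens.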