Skip to content

OAuth 2 Authorization Code grant in ADFS

Ben Elliot edited this page Apr 24, 2019 · 4 revisions

The Authorization Code grant is supported by ADFS.

1. Client visits the authorization endpoint

Request

GET /adfs/oauth2/authorize?response_type=code&client_id=MyClient&resource=urn%3Apepsi%3Atest&redirect_uri=http%3A%2F%2Flocalhost%2F HTTP/1.1
Host: your.adfs.server

Parameters

parameter value example
response_type the OAuth 2 response type always code in this case
client_id the Id of the Client wanting an access token, as registered in the ClientId parameter when registering the Client in ADFS. MyClient
resource The resource server that the Client wants an access token to, as registered in the Identifier parameter of the Relying Party trust https://myapplication
redirect_uri The redirect uri that is associated with the Client. Must match the RedirectUri value associated with the Client in ADFS. https://localhost

See ADFS Administration for more information about registering clients.

Response:

Internet Explorer browsers are redirected to adfs/oauth2/authorize/wia, an endpoint presumably able to authenticate with the Windows Integrated Authentication protocol (NTLM). This allows for single sign on experience in Microsoft environments.

Other browsers are presented with a HTML login form.

2. User logs in

User logs in, but does not need to give any approval. After the user is authenticated, the Client browser is redirected to the redirect_uri.

Response:

HTTP 302 Found
Location: https://redirecturi/?code=thecode

The Client can now grab the authorization code from the code parameter.

3. Client request access token

Request:

POST /adfs/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: your.adfs.server
Content-Length: 624

grant_type=authorization_code&client_id=MyClient&redirect_uri=http%3A%2F%2Flocalhost%2F&code=thecode

Parameters:

parameter value example
grant_type the OAuth 2 grant type always authorization_code in this case
client_id the Client id of the requesting client, must match the client_id used to retrieve the authorization code MyClient
redirect_uri the redirect uri of the CLient, must match the redirect_uri from previous step
code the OAuth authorization code abc123

Note that the following parameters are not necessary in this step:

  • resource
  • client_secret (ADFS does not support client secrets).

Response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{ 
    "access_token":"thetoken",
    "token_type":"bearer",
    "expires_in":3600
}

The access_token is in JWT format, and can be used for 3600 seconds. Because the Client did not authenticate itself with any client secret, no refresh token is issued.

You can’t perform that action at this time.