Authenticate Web UI using OAuth2 Access Token from ADFS

Posted by 霸气de小男生 on 2019-12-25 08:23:11

Question


In an Ionic mobile app, we need to access the web API and to show a Web UI (both SharePoint) in an Ionic WebView (essentially a browser inside the app). We're using OnPrem ADFS on Windows Server 2012 and OnPrem SharePoint 2013. Here's what we do:

1. In ADFS3, Setup OAuth2 and add a Relying Party Trust and a Client

http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/

2. From the mobile app, call ADFS to obtain an OAuth Access Token

First, GETting:

https://myadfsdomain/adfs/oauth/authorize
    ?response_type=code
    &client_id=MYCLIENTID
    &redirect_uri=https://myserver/callback
    &resource=MYRelyingPartyId

then POSTing the responseCode, e.g.:

$http({
    method: "post",
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    url: "https://myadfsdomain/adfs/oauth2/token",
    data: "client_id=MYCLIENTID&code=" + responseCode +
          "&redirect_uri=https://myserver/callback&grant_type=authorization_code"
})

See also http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

We now have an OAuth2 Access Token.

3. Use that token to call the SharePoint API

GET /the-api-method
 Host: example.com
 Authorization: Bearer <access_token>

Question

Question is, how can that access token be used to access the Web UI? Can it be exchanged for a SharePoint Web UI cookie (FedAuth?) so that a WebView placed in the app can show a SharePoint web page to the authenticated user without the user having to login again?

According to this post, it sounds like OAuth2 for ADFS3 (Windows Server 2012) only works when calling a web API, NOT when calling a web UI. Is that correct?

As ADFS on Windows Server 2016 now supports more OAuth2 grant types, is it now possible to use ADFS OAuth in server 2016 for a web UI? If so, how does the access token get exchanged for a cookie or does it?


Answer 1:


Yes - ADFS 3.0 only handles authorisation code grant for confidential clients i.e. web API.

In ADFS 4.0, you have support for OpenID Connect. This opens up the web site scenario. This gives you a token that you can then use to access a web API.

Have a look at Calling a web API in a web app using Azure AD and OpenID Connect. This uses Azure AD but the principle is the same.



Source: https://stackoverflow.com/questions/42149152/authenticate-web-ui-using-oauth2-access-token-from-adfs
