OpenID Connect (OAuth 2.0) with ADFS

Last Friday, one of my colleagues called me: is it possible to authenticate our OpenStack management tools against our Active Directory with OAuth 2.0? Single sign-on as an additional feature would be nice.

We have a complete, published ADFS HA setup in our environment and use it for a few other logins, but all of them with SAML 2.0.

The good news is that with ADFS 4.0, which is integrated in Windows Server 2016, Microsoft has implemented complete support for OAuth 2.0.

The configuration is easy, as I describe in the following.

URLs

For OAuth 2.0, we need a few URLs that must be configured on our client (the service provider). These are always the same and are as follows:

Metadata URL: https://adfs.yourname.com/adfs/.well-known/openid-configuration

Auth URL: https://adfs.yourname.com/adfs/oauth2/authorize

Token URL: https://adfs.yourname.com/adfs/oauth2/token

For the configuration on the ADFS servers, we need one more URL: the “Redirect URL”.
After authentication, the ADFS server redirects the user to this address. The address is defined by your OAuth 2.0 client. In my case, the redirect URL is:

https://dev1.my.openstack.server.de:5000/v3/OS-FEDERATION//identity_providers/demoidp/protocols/openid/auth

Client ID and Secret

The client ID and the client secret are generated by the ADFS wizard, as shown further down on this page. Both values must also be configured in the OAuth 2.0 client.
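To show what the client side does with the three URLs, the redirect URL, the client ID and the secret, here is an added example that is not part of the original post and not the configuration of any particular OpenStack component. It goes slightly beyond the post by adding the `state` and `nonce` parameters that an OpenID Connect client should send and check. The discovery document is a constructed sample that mirrors the ADFS URLs given above (the `jwks_uri` value is an assumption); the redirect URL and client ID are the values shown on this page, and the client secret is a placeholder. No network access is performed: the functions only build and validate the URLs and request bodies the client exchanges with ADFS.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of what ADFS serves at
# https://adfs.yourname.com/adfs/.well-known/openid-configuration.
# Only the fields used below are included; jwks_uri is an assumed value.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfs.yourname.com/adfs",
    "authorization_endpoint": "https://adfs.yourname.com/adfs/oauth2/authorize",
    "token_endpoint": "https://adfs.yourname.com/adfs/oauth2/token",
    "jwks_uri": "https://adfs.yourname.com/adfs/discovery/keys",
})

# Client parameters: redirect URL and client ID copied verbatim from the post
# (including the double slash, because the registered redirect URI is compared
# as an exact string); the secret is a placeholder, never hard-code a real one.
REDIRECT_URI = ("https://dev1.my.openstack.server.de:5000/v3/OS-FEDERATION//"
                "identity_providers/demoidp/protocols/openid/auth")
CLIENT_ID = "7a55389e-bfe0-41af-9470-9d64fbfc1ba7"
CLIENT_SECRET = "<shared-secret-generated-by-adfs>"


def load_endpoints(discovery_json):
    """Parse the discovery document and return (issuer, authorize URL, token URL).
    Refuses non-HTTPS endpoints so a tampered document cannot downgrade the flow."""
    doc = json.loads(discovery_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError(f"discovery document: {key} missing or not https")
    return doc["issuer"], doc["authorization_endpoint"], doc["token_endpoint"]


def new_state_and_nonce():
    """Fresh unguessable values, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, nonce):
    """Authorization-code request: the browser is sent here, and after login ADFS
    redirects back to redirect_uri with ?code=...&state=... appended."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,   # binds the callback to this browser session (CSRF check)
        "nonce": nonce,   # echoed inside the id_token, binds the token to this login
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect from ADFS and return the authorization code.
    A missing or mismatching state is rejected before the code is ever used."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"ADFS returned error: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: discarding callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback without authorization code")
    return code


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri):
    """Back-channel POST body for the token URL (application/x-www-form-urlencoded).
    redirect_uri must be byte-identical to the one sent in the authorize request."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return token_endpoint, urlencode(body)


if __name__ == "__main__":
    issuer, authorize_url, token_url = load_endpoints(SAMPLE_DISCOVERY)
    state, nonce = new_state_and_nonce()
    print("send browser to:", build_authorize_url(authorize_url, CLIENT_ID, REDIRECT_URI, state, nonce))
    # Constructed callback, as ADFS would produce it after a successful login.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = parse_callback(callback, state)
    endpoint, body = build_token_request(token_url, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    print("POST", endpoint, body)
```

The token response returned by ADFS carries an `id_token`, which the client must still verify (signature via `jwks_uri`, `iss` equal to the discovery issuer, `aud` equal to the client ID, `exp`, and `nonce` equal to the value sent) before trusting the login; that step is left to whatever OpenID Connect library the client uses.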

ADFS Configuration

So let’s configure the client in our ADFS. To do this, start the AD FS Management GUI and browse to “Application Groups”.

ADFS Application Groups

Now create a new application group, give it a name and choose “Server Application” as the type.

ADFS New Application Group

In the next window, enter the redirect URL from your client and, if you want, a description.
On this screen you will also find the client ID value, in my case “7a55389e-bfe0-41af-9470-9d64fbfc1ba7”. Note down the client ID; you will need this value in the client configuration, as mentioned above.

ADFS New Application Group – Client ID and Redirect URLs

On the next page, tick “Generate a shared secret”. Note down this value too; you need it for your OAuth 2.0 client.

ADFS New Application Group – Shared Secret

Now you will see a short overview of the configured parameters. Check them and close the wizard.

Back in the “Application Groups” window, open the properties of the newly created “My OAuth 2.0 Client” application group and choose “Add Application”.

ADFS Application Group – Properties

After clicking “Add Application”, choose the “Web API” template.

ADFS Application Group – New Application

Now enter the redirect URL as the identifier and, if you want, a description.

ADFS Application Group – New Application Identifier

On the next page, configure the access control policy as you may know it from previous ADFS configurations.

ADFS Application Group – New Application Access Control Policy

On the last page, make sure that the openid scope is selected.

ADFS Application Group – New Application Configure Application Permissions

Again you will see a short overview of the configured parameters. Check them and close the wizard.

OAuth 2.0 Client Configuration

The ADFS configuration is complete. You can now configure the OAuth 2.0 client with the parameters you’ve collected in the steps above.

I will not explain here how to configure the OAuth 2.0 client, because the configuration depends on the client you use.
