AzureAD / azure-activedirectory-library-for-js

The code for ADAL.js and ADAL Angular has been moved to the MSAL.js repo. Please open any issues or PRs at the link below.
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/maintenance/adal-angular

ADFS 2016 + ADAL + angular 6 #800

Closed rajsolanki73 closed 4 years ago

rajsolanki73 commented 6 years ago

Hi

Please pardon me if I have asked a question that has been answered or discussed.

I'm using the https://github.com/benbaran/adal-angular4 library for my Angular 6 app. I am using https://github.com/benbaran/adal-angular6-example as the starting point for my code.

I'm trying to extend the above sample in my app for my on-prem ADFS 2016; login works and I am able to get a token.

```js
config: {
  instance: 'https://myadfs2016.com/',
  tenant: 'adfs',
  clientId: 'my_client_id',
  resource: 'myresource/',
  redirectUri: window.location.origin,
  // extraQueryParameter: 'resource=myresource/',
  extraQueryParameter: 'use_windows_client_authentication=true',
  postLogoutRedirectUri: window.location.origin,
  endpoints: {
    'https://myadfs2016.com/': '00000000-0000-0000-0000-000000000000'
  }
}
```

So when I click login in my app:

- the URL constructed doesn't have ?resource=myresource. Is that ok?
- upon logout it's not redirecting to my configured postLogoutRedirectUri; it stays on the ADFS logout page saying logged out successfully.

When I un-comment the extraQueryParameter line, &resource=myresource shows up. But assuming I have some claims like email address, first name, last name etc. set, should they show up in the decoded JWT token? Or is that not allowed for response type id_token?

rajsolanki73 commented 6 years ago

The logout issue is fixed as per #677. So now only the id_token having claims (additional values) remains.

rajsolanki73 commented 5 years ago

Update.

I followed some steps from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/custom-id-tokens-in-ad-fs and https://medium.com/the-new-control-plane/the-mystery-of-the-missing-adfs-jwt-claims-7658d9cdeaac

I m using https://github.com/benbaran/adal-angular6-example as test.

After using &response_mode=form_post my app get error 'Cannot post to /' . But in chrome dev studio when i see network tab and i can see my token which has all custom claims. So now question is how to convert POST to GET ? And ADFS only sends claims when reponse_mode is form_post :(

btw my ADFS is on prem

raoulmahtani commented 5 years ago

Did this get anywhere?

timnyman commented 5 years ago

I am interested in potential resolutions to this same issue. I've configured ADAL.js to redirect to ADFS, can get a token back via GET and use it. But I need to get the user's claims as well. I've tried the adjustment to include &response_mode=form_post, but my redirect URL cannot accept a POST call (GET is allowed). I'm looking for a way to use this library to add claims to the returned payload.

raoulmahtani commented 5 years ago

I ended up going with angular-oidc library and reconfiguring my application as a native app. That worked!


timnyman commented 5 years ago

Is this the library you are describing? https://www.npmjs.com/package/angular-oauth2-oidc Does this provide a way to acquire a user's claims?
Is this possible if the application remains a web SPA?

raoulmahtani commented 5 years ago

Yeah that’s the one, it will pull the user claims as long as it’s configured as a native application in ADFS.


timnyman commented 5 years ago

Sorry - one more follow up question. Do the claims come down with the initial tryLogin() call, or do you need to take additional steps (i.e. make a 2nd call to a userInfo endpoint) to acquire the claims?

raoulmahtani commented 5 years ago

Hahaha, no worries, they came with the tryLogin() call.


rab48882 commented 5 years ago

raoulmahtani, thank you for helping Tim Nyman. I am picking up where he left off. The issue I am experiencing is "Error: validating tokens" AND "Wrong issuer: https://sso.department.gov/adfs".

Interestingly, I do get back an access_token and an id_token, but with different issuers. The access_token issuer is https://sso.department.gov/adfs and the id_token issuer is https://sso.department.gov/adfs/services/trust.

Is this an ADFS configuration issue?

raoulmahtani commented 5 years ago

I actually have the same issue, still haven’t figured it out.


rab48882 commented 5 years ago

raoulmahtani,

Thanks for the reply. Also, I am getting AD groups back in my access token. Do you know of a way with the libraries to decrypt the access token to get these AD groups back?

Thanks.

raoulmahtani commented 5 years ago

Yeah, you can use any pre-canned JWT decryption libraries. In Node I use jwt-decode.


rajsolanki73 commented 5 years ago

Sorry for the late reply.

We are able to get claims back using the ADAL library via 'authorization grant'. So by editing adal.js to accept response_type from a query param (it's hard coded to be token), our response_type is code. Once we have the code, we send one more request to ADFS using that code and the resource param (we need to create a relying party trust, and its definition name becomes the value for resource); in return you will get id_token and access_token back.

Hope this helps.

Rajesh


-- Rajesh Solanki
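The workaround above (response_type=code, then a token request to ADFS carrying the code and resource), together with the issuer mismatch rab48882 reported and the question about reading groups out of the access token, as an added example in JavaScript that is not code from ADAL.js or from anyone in this thread. The ADFS host, client id, redirect URI and resource are assumed placeholders; the request body targets the ADFS /adfs/oauth2/token endpoint, and decoding a token here only reads its claims without verifying the signature.

```javascript
// Added example, not code from ADAL.js or from anyone in this thread.
// Placeholders (assumed): ADFS host, client id, redirect URI and resource.
const ADFS = 'https://myadfs2016.com';
const CLIENT_ID = 'my_client_id';
const REDIRECT_URI = 'https://spa.example/auth';
const RESOURCE = 'myresource/'; // relying-party identifier configured in ADFS

// Form body for POST {ADFS}/adfs/oauth2/token after the redirect returned
// response_type=code. ADFS 2016 needs the extra `resource` parameter.
function buildCodeExchangeBody(code) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    code,
    redirect_uri: REDIRECT_URI,
    resource: RESOURCE,
  }).toString();
}

// Base64url -> JSON for the payload segment. Decoding only reads the claims;
// it is not signature verification, so never authorize on this alone.
// Buffer keeps the example runnable under Node; a browser would use atob().
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// ADFS stamps the id_token with iss ".../adfs/services/trust" and the
// access_token with ".../adfs" (the mismatch reported above), so each token
// type must be checked against its own expected issuer.
function checkIssuer(jwt, expectedIss) {
  const claims = decodeJwtPayload(jwt);
  return { iss: claims.iss, ok: claims.iss === expectedIss };
}

// Constructed sample token for offline use only: the signature segment is a dummy.
function makeSampleJwt(payload) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${seg({ alg: 'RS256', typ: 'JWT' })}.${seg(payload)}.dummy-signature`;
}
```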

LastTribunal commented 5 years ago

This is a very severe oversight on Microsoft's part. If Azure AD by default returns extended claims from GET using only ID_TOKEN, then ADFS should do the same (as it does for the ADFS ACCESS_TOKEN). Why cripple ADFS based on a weak security/stability concern and then render ADAL JS useless for ADFS scenarios? Esp. since ADAL JS is the only library available for properly integrating SPAs with AAD and ADFS???

jasonnutter commented 5 years ago

@LastTribunal Please refrain from using offensive language, thanks.

DarylThayil commented 5 years ago

@negoe for context

LastTribunal commented 5 years ago

What's worse is that my 2016 ADFS server was actually returning custom claims in ID_TOKEN using GET, until recently. But it no longer does so. Seems like this was not a feature but a "vulnerability" in MS's eyes, and hence was "fixed" via a Windows update. So to put it in "context", I have exerted a lot of time, sweat and tears into making my Azure provision work seamlessly on-prem. And now MS has changed the product behavior and my solution no longer works. I am not willing to play around with ADAL JS to see how I can retrofit it into my deeply developed SPA. Instead my only option is to create a handler on my back-end that will query the domain controller on API calls to get all the required attributes that are otherwise readily available in the Azure AD JWT ID_TOKEN.

jmckennon commented 4 years ago

Since it looks like @rajsolanki73 has found a workaround, I'll be closing this issue.

Additionally, all current authentication work from Microsoft is delivered through the MSAL.js library here. ADAL.js is still supported only for security fixes. We recommend moving to MSAL.js for any advanced feature requests and bug fixes.