It looked like most of the world has made the switch to Microsoft Entra(Azure Active Directory). However one of my clients is still using ADFS. Unfortunately there isn't much information left on how to get an OAuth flow up and running in ADFS. Most of the links I found point to documentation that no longer exists. So therefore this short blog series to show you end-to-end how to get an OAuth Client Credentials flow configured in ADFS.
Part 2 (this post) – Application configuration
After doing all the configuration work in ADFS, I’ll focus today on the necessary work that needs to be done on the application side.
Configuring the API
We’ll start by configuring the API part.
- First create a new ASP.NET Core API project
dotnet new webapi --use-controllers -o ExampleApi
- Add the ‘Microsoft.AspNetCore.Authentication.JwtBearer’ package to your project:
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
- Add the authentication configuration:
- As you can see, in the code above we need to configure the following values:
- MetadataAddress: the discovery endpoint where the metadata is published, this typically is an URL that ends with .well-known/openid-configuration
- Authority: the OAuth server url, in our case this is our ADFS instance
- Audience: the configured identifier for our API (see the previous post)
- ValidIssuer: the issuer that will be checked against the token issuer
- Almost there! As a last step, we need to add the middleware:
OK, now that we are done with the API side, let’s focus on the client.
Configuring the client
On the client side I would typically recommend to use a library like MSAL.NET. It can help you a lot in simplifying the configuration process.
But as we are using a very simple flow, we’ll only use the built-in HttpClient.
- Create a new Console application
dotnet new console –o ExampleClient
- We first need to make a request to the token endpoint in ADFS:
- Again, there is a lot of configuration that needs to be done. Here are the things we need to configure:
- Client Id: The identifier for our client
- Client Secret: A corresponding secret for our client
- Token Endpoint URL: the token endpoint URL of our ADFS instance, this is typically /adfs/oauth2/token" href="https:///adfs/oauth2/token">/adfs/oauth2/token" href="https:///adfs/oauth2/token">/adfs/oauth2/token" href="https:///adfs/oauth2/token">/adfs/oauth2/token">https://<servername>/adfs/oauth2/token
- Grant Type: This specifies the OAuth flow, in this case the ‘client_credentials’ flow
- Scope: The scope we want to request, in our example we had configured the readdata scope
- Remark: Notice that we prefixed the scope with the audience. Don’t forget to do that!
- If the requests succeeds, we can extract the access token from the response:
- This access token can now be used to call the API:
If everything goes well, you should see the following output in your API:
More information
NuGet Gallery | Microsoft.AspNetCore.Authentication.JwtBearer 8.0.10