Reputation: 33
I am trying to receive a JWT token from the OAuth2 endpoint of AD FS in my single-page application. I successfully received a code from the OAuth2 endpoint. After an AJAX POST request I received an access_token and a refresh_token. But when I look at the access_token I only have these claims there:
{
"aud": "https://localhost/",
"iss": "http://fs.development.org/adfs/services/trust",
"iat": 1438015081,
"exp": 1438018681,
"email": "[email protected]",
"role": "Domain Users",
"unique_name": "Test.User",
"primarysid": "S-x-x-xx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx",
"upn": "[email protected]",
"auth_time": "2015-07-27T16:40:01.636Z",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"ver": "1.0",
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
As you can see, I didn't receive the nbf claim from AD FS. I cannot find it in the configuration of my relying party trust. I tried to set the property NotBeforeSkew to two minutes and TokenLifetime to 60 minutes on my relying party in the hope that AD FS would start sending the nbf claim. But I was wrong; nothing helps in any way.
So my question is this: is it possible to force, from my application or from the AD FS server, the sending of the nbf claim?
Maybe it is just a matter of configuration, but I wasn't able to deduce from the documentation how this claim can be configured.
Upvotes: 0
Views: 931
Reputation: 168
The only way I have found to fix this is to add a custom claim rule to ADFS. This feels like a bit of a hack, but I simply set 'nbf' to zero, and then any consumer will at least not complain about the lack of this property. Although 'nbf' is in fact optional, SharePoint 2013 seems to deem it mandatory when using OAuth, which was the original reason in my case that I needed to supply some value. Here is my custom claim rule for anyone struggling with this:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "nbf", Value = "0");
Upvotes: 1
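The following is an added example, not code from the question or the answer above, that shows from the consumer side what the 'nbf' = "0" claim rule does and does not buy you. It builds a token carrying the claim values from the question (aud, iss, iat, exp), validates it the way RFC 7519 describes (exp required, nbf optional and only checked when present), and runs the cases a practitioner cares about: no nbf at all, nbf present but zero, a genuine not-before in the future, and an expired token. The HS256 key, the `require_nbf` switch (standing in for a consumer like SharePoint that insists on the claim), the leeway value and the token-building helper are all assumptions made for this example; real AD FS tokens are RS256 and must be verified against the AD FS token-signing certificate, not a shared secret. The example also accepts nbf as a digit string, on the assumption that a claim issued as Value = "0" may surface as a string rather than a JSON number.

```python
import base64
import hashlib
import hmac
import json

# Claim values taken from the token shown in the question; the key is a
# constructed throwaway secret that exists only for this example.
ISSUER = "http://fs.development.org/adfs/services/trust"
AUDIENCE = "https://localhost/"
ISSUED_AT = 1438015081
EXPIRES = 1438018681
DEMO_KEY = b"example-only-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build a compact-serialization JWT signed with HS256 (stdlib hmac).
    Stand-in for the AD FS issuer; AD FS itself signs with RS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def _numeric_date(value) -> int:
    # RFC 7519 NumericDate is a JSON number. A custom rule such as
    # issue(Type = "nbf", Value = "0") may surface as the string "0"
    # (assumption), so digit strings are accepted instead of failing on type.
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise ValueError("non-numeric date claim")
    return int(value)


def validate(token: str, key: bytes, now: int, leeway: int = 120,
             require_nbf: bool = False) -> dict:
    """Verify signature, aud, iss, exp and (when present) nbf; return claims.

    require_nbf=True models a consumer that treats nbf as mandatory, which is
    what the answer reports SharePoint 2013 doing for OAuth tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("bad audience")
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    if "exp" not in claims:
        raise ValueError("exp missing")
    if now >= _numeric_date(claims["exp"]) + leeway:
        raise ValueError("expired")
    if "nbf" in claims:
        if now < _numeric_date(claims["nbf"]) - leeway:
            raise ValueError("token not yet valid")
    elif require_nbf:
        raise ValueError("nbf missing")
    return claims


def outcome(claims: dict, now: int, require_nbf: bool) -> str:
    """Issue a token for the claims and report 'ok' or the rejection reason."""
    token = make_token(claims, DEMO_KEY)
    try:
        validate(token, DEMO_KEY, now=now, require_nbf=require_nbf)
        return "ok"
    except ValueError as err:
        return str(err)


def scenarios() -> dict:
    base = {"aud": AUDIENCE, "iss": ISSUER, "iat": ISSUED_AT, "exp": EXPIRES,
            "unique_name": "Test.User"}
    shortly_after = ISSUED_AT + 60
    return {
        # Token exactly as AD FS issued it in the question: no nbf at all.
        "no_nbf_lenient": outcome(base, shortly_after, require_nbf=False),
        "no_nbf_strict": outcome(base, shortly_after, require_nbf=True),
        # The answer's claim rule: nbf present but "0". The strict consumer is
        # satisfied, but the nbf check can never fail; only exp bounds the token.
        "nbf_zero_strict": outcome({**base, "nbf": "0"}, shortly_after, require_nbf=True),
        # What a real not-before gives you: presented 10 minutes early, rejected.
        "nbf_future_strict": outcome({**base, "nbf": ISSUED_AT}, ISSUED_AT - 600,
                                     require_nbf=True),
        # exp is enforced regardless of what nbf says.
        "expired": outcome({**base, "nbf": "0"}, EXPIRES + 300, require_nbf=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The takeaway for a consumer: a missing nbf is not an error under RFC 7519, so a validator should only enforce it when it is present. For an issuer forced to add one, a constant zero satisfies a strict consumer but carries no information; the token is still bounded by exp and protected by its signature, which is what actually limits replay of a leaked token.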