Tony

Reputation: 1714

Can the Azure AD OAuth 2 token endpoint take a Kerberos token as auth code?

When doing the OAuth 2.0 flow with Azure AD, the documented process is to redirect to the OAuth auth endpoint to get an auth token, get redirected back when the user logs in, and then call the token endpoint to get your access token, passing the auth code the first step was given.

The apps that I am doing this for will have a Kerberos token already; is it possible to get the access token without doing the redirect with Azure AD? For example, can the OAuth endpoint take a Kerberos ticket?

Based on all that I have read, that is a no. I just wanted to verify as it would be nice to not have to do the redirect for a better user experience.

Upvotes: 0

Views: 1385

Answers (2)

Hans Z.

Reputation: 54078

No, there is no standardized grant type that specifies how to exchange a Kerberos token for an access token at the token endpoint. The specification leaves room for defining that as a future extension though.

For now your only standardized options are to:

  • use the Resource Owner Password Credentials flow to avoid the redirect but lose SSO
  • use the Authorization Code flow to be able to leverage Kerberos to authenticate in an SSO-fashion, but to require a redirect.

Upvotes: 1

Brent Schmaltz

Reputation: 1161

Tony,

I assume you are speaking to the Authorization Code Flow http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth. The short answer is NO. AAD issues the 'code' and keeps track of request artifacts so it can issue id_tokens and access_tokens related to the user.

Upvotes: 1
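Illustrating both answers above, as an added example that is not from the original posts and not Azure AD's own code: a hypothetical toy in-memory authorization server (`MiniAuthServer`, with a constructed user store) whose token endpoint understands only the standardized grant types, keeps the artifacts of the authorization step behind the single-use code, and answers a `grant_type` of `kerberos` with `unsupported_grant_type`.

```python
import hmac
import secrets
import time

# Constructed sample user store for the toy password grant (not real credentials).
_USERS = {"alice@example.com": "correct horse battery staple"}

def _mint(user):
    # Stand-in for a signed access token; a real AS issues a JWT or an opaque token.
    return f"tok-{user}-{secrets.token_hex(4)}"

class MiniAuthServer:
    """Toy authorization server: the 'code' is the only link between the user's
    login at /authorize (Kerberos SSO, password, ...) and the token it issues."""

    def __init__(self, code_ttl=60):
        self._pending = {}          # code -> request artifacts recorded at /authorize
        self._code_ttl = code_ttl

    def authorize(self, client_id, redirect_uri, user, now=None):
        """Runs after the user has authenticated. Issues a short-lived, single-use
        code bound to the requesting client and its redirect URI."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                               "user": user, "issued": now or time.time()}
        return code

    def token(self, params, now=None):
        """Token endpoint: only the standardized grant types are understood."""
        grant = params.get("grant_type")
        if grant == "password":
            # ROPC: avoids the redirect, but the client handles raw credentials
            # and the server never sees the Kerberos session (no SSO).
            stored = _USERS.get(params.get("username"))
            if stored is None or not hmac.compare_digest(stored, params.get("password", "")):
                return {"error": "invalid_grant"}
            return {"access_token": _mint(params["username"]), "token_type": "Bearer"}
        if grant != "authorization_code":
            # "kerberos" (or anything else) is not a grant the endpoint knows.
            return {"error": "unsupported_grant_type"}
        art = self._pending.pop(params.get("code"), None)   # single use: replay fails
        if art is None or (now or time.time()) - art["issued"] > self._code_ttl:
            return {"error": "invalid_grant"}
        if (art["client_id"], art["redirect_uri"]) != (params.get("client_id"), params.get("redirect_uri")):
            return {"error": "invalid_grant"}   # code is bound to the original request
        return {"access_token": _mint(art["user"]), "token_type": "Bearer"}
```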
