Reputation: 1656
Looking for a way to get an app access token that can make calls to an API without making the user sign in. I have accomplished this use case using Azure AD, where I get an app access token to write documents to a SharePoint library. I am not familiar enough with on-prem AD FS and how to go about getting an access token using a client secret so I don't have to interfere with the user.
Background
We have built a custom help desk application on a set of APIs. Our goal is to be able to create tickets from other systems (applications) that require a ticket to be created. The idea is to generate an access token that has permission to the API so I can create the ticket without the user being prompted to log in, since the ticket will not be specific to the user in some cases.
Example Use Case
We have an application that provisions non-employees to access resources in our environment. These non-employees have end dates associated with them; when the end date has passed and they were not renewed beforehand, a ticket will need to be generated for a team to update their record in AD.
What I have done
I have created a 'server application' in AD FS and generated a client secret. I am able to make a request and get an access token using the client secret; however, it is not 'linked', per se, to the Web API I need to call.
How would I give permission to the server application to access the web API?
Additional: We are using AD FS on Server 2016.
Upvotes: 0
Views: 1177
Reputation: 1656
Found the issue causing the token I was receiving via the server application to give me an 'Authorization denied' response from the API.
It turns out that the AD FS configuration was correct, the issue was in my API with the valid audience and valid issuer.
    // OWIN startup: accept bearer tokens issued by the on-prem AD FS farm.
    app.UseActiveDirectoryFederationServicesBearerAuthentication(new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    {
        // Federation metadata URL of the AD FS farm, read from web.config;
        // the middleware downloads the signing keys from it.
        MetadataEndpoint = ConfigurationManager.AppSettings["ADFS:MetadataEndpoint"],
        TokenValidationParameters = new TokenValidationParameters()
        {
            // Helper methods (not shown in the post) returning the issuer and
            // audience strings a token must carry; a token whose iss or aud is
            // not in these lists is rejected with 'Authorization denied'.
            ValidAudiences = GetValidAudiences(),
            ValidIssuers = GetValidIssuers()
        }
    });
I needed to include the issuer and the audience that the server app was providing in the access token.
ValidIssuer example:
    microsoft:identityserver:{appIdentifier}
ValidAudience example:
    http://{fqdn}/adfs/services/trust
Upon adding those to ValidIssuer and ValidAudience, the access token worked perfectly.
Upvotes: 0
Reputation: 46720
You need the confidential client flow.
Essentially, you configure an application and a web API.
By default, the application has permission to call that web API but you can play around with the access control policies.
Also note that you can configure claims rules on the web API.
This may also be useful.
Upvotes: 1
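As an added example (not code from either answer or from the question's help desk project), a Python sketch of the confidential client (client credentials) request the second answer refers to, followed by the issuer/audience check the first answer's API was failing on. The AD FS host, client identifiers and token contents are constructed placeholders, and the claim inspection decodes the JWT without verifying its signature, so it is a debugging aid for comparing iss/aud with the API's ValidIssuers/ValidAudiences, not a replacement for the middleware's validation.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical AD FS host; the question gives no real value.
ADFS_FQDN = "adfs.example.com"
TOKEN_ENDPOINT = f"https://{ADFS_FQDN}/adfs/oauth2/token"


def client_credentials_request(client_id, client_secret, resource):
    """Form body the server application POSTs to AD FS 2016 to obtain an app
    token. No user signs in: the client secret alone authenticates the caller."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,  # identifier of the Web API relying party
    }
    return TOKEN_ENDPOINT, urlencode(body)


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims WITHOUT signature verification. For inspecting iss/aud
    while debugging only; the API's middleware must still validate the token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audience_issuer_mismatch(token, valid_issuers, valid_audiences):
    """Mirror the iss/aud check in the API's TokenValidationParameters; an
    'Authorization denied' follows when either value is not in the lists.
    Returns the reasons a token would be rejected (empty list means accepted)."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") not in valid_issuers:
        problems.append(f"issuer {claims.get('iss')!r} not in ValidIssuers")
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)  # aud may be string or array
    if not any(a in valid_audiences for a in auds):
        problems.append(f"audience {auds!r} not in ValidAudiences")
    return problems


def constructed_token(iss, aud):
    """Constructed test token with a placeholder signature; not issued by AD FS."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'iss': iss, 'aud': aud})}.placeholder"
```

Paste a real token returned by the token endpoint into audience_issuer_mismatch with the lists your API configures; a non-empty result names exactly which of the two values the API has to be taught to accept.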