Reputation: 5876
Access token and user ID
I'm currently trying to authenticate an angular 7 app with ADFS 2016 (using angular-oauth2-oidc). So far, it works pretty well. When I access the application, I'm redirected to ADFS login page where I enter my credentials and gets tokens.
Now, when the app calls the a web API, it send the access token in the request headers. The access token returned by ADFS looks like this:
{
"aud": "microsoft:identityserver:xxx",
"iss": "http://xxx/adfs/services/trust",
"iat": 1554561406,
"nbf": 1554561406,
"exp": 1554565006,
"apptype": "Public",
"appid": "xxx",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"auth_time": "2019-04-06T12:21:39.222Z",
"ver": "1.0",
"scp": "profile openid"
}
The issue is that the web API must know the ID of the user making the call (as there are some permissions defined at application level). I saw here that I can add claims to the access token, which I did. However, when reading articles on Internet, I read that apparently the access token is not supposed to be used to identify the user, so I don't know if it's correct to add a claim used by the web API to identify the user.
However, I read here that
The only user information the Access Token possesses is the user ID, located in the sub claim.
But by default, ADFS does not provide a "sub" token. Is it correct if I add a "sub" claim by myself that contains the email address of the user or do I have to proceed in a different way?
Upvotes: 2
Views: 4790
Answers (1)
Reputation: 8421
Yes, access token is not supposed to be used to identify the user. But if you can get a user identifier into the access token and it's all you need to know about a user, then it's probably the easiest way. But it's implementation-specific for your auth server.
The standard way is to ask for the profile scope (which you did) and get information from the userinfo endpoint (see OpenID Connect RFC). If you use this way, you may want to cache the response, so you don't need to make this HTTP call on every client request.
If your backend API is used just by the Angular application and is not supposed to be called by third parties, you could also consider using the backend as the OAuth2 client which receives an authorization code and exchanges it for an ID token. Then, it can save the user's identity (read from the ID token) in a session and issue a cookie identifying the session. So there would be no need for the frontend to send a token on each request. This would make the backend stateful, but it might be easier to implement.
Upvotes: 2
Related Questions
- How to authenticate synced users using openid on ADFS?
- oAuth sample for ADFS Windows 2012 R2
- Setup OAuth2 JWT Token for ADFS and .Net Core
- ADFS 4.0 (2016) OpenID Connect userinfo endpoint returns 401 when provided with access token
- OpenID Connect over ADFS
- .net Core Api authentication with ADFS 2012
- Using OpenID Connect with WSO2 API Manager and ADFS
- Not getting user identity in JWT used in OAuth2 access token from ADFS 3.0
- JWT + OAuth2 + ADFS 3.0 + Mobile + API
- ADFS 2012 R2 oAuth 2.0 SSO sample .NET