gopas-goc-166-01-ADFS A WAP PDF
27. 5. 2019
ADFS motivation
Single authenticating server
• trusted account store
• trusted connection
• credentials never “typed” into insecure web services
Web services: easy handling of tokens
• no worry about security
• just a signed piece of XML/JSON
Version | Windows | Features | Notes
ADFS 1.0 | Windows 2003 R2 | SAML 1.1 | included, runs in IIS
ADFS 2.1 | Windows 2012 | device registration | included, runs in IIS
ADFS 3.0 | Windows 2012 R2 | direct hosting on HTTP.SYS, multifactor auth, TLS SNI support, password change, PowerShell-only config (plus HTML/JavaScript), /adfs/probe, OAuth implicit grant, admin delegation, own certification authority for device registration, http to https redirection with WAP, Azure MFA | included
ADFS 4.0 | Windows 2016 | http publishing with WAP, Microsoft Passport, OAuth full, OAuth and HTTP basic authentication with WAP |
ADFS certificates
TLS HTTPS certificate
• TCP 443, 49433
• signs ECDH or encrypts RSA key exchanges
• should be trusted by all clients
Service communication certificate
• by default the same as TLS certificate
• encrypts SOAP message
• must be trusted by all clients
Token signing certificate
• signs SAML/OAuth tokens
• must be trusted by all servers as per thumbprint
Token decryption certificate
• decrypts SAML/OAuth tokens received from claim providers
• must be trusted by all servers as per thumbprint
ADFS installation #1
Buy a certificate for a public name from a public CA
• SHA256, RSA 2048, EKU = Server Authentication
• TLS certificate key usage = Key Encipherment (TLS 1.0) and/or Digital Signature (requires TLS 1.1+)
• Service communication certificate key usage = Key Encipherment
ADFS installation #2
[Figure: browser clients and GUI clients reach https://adfs.gopas.cz through a load balancer on TCP 443; the farm members ADFS1 and ADFS2 use the same TLS certificate; the configuration database is either SQL or WID, where ADFS1 is the primary and ADFS2 ... ADFSn are members that replicate the WID configuration from the primary.]
Note: if you have 2012 R2 or do not have the certauth DNS SAN name in the web server TLS certificate you have to balance TCP 49443 as well
ADFS installation #3
ADFS installation #4
Certificate template must NOT use a Key Storage Provider (KSP)
• certutil -repairstore my *
• the best Key Usage is Digital Signature and Key Encipherment
ADFS installation #5
AD DFL must be Windows 2012+
AD Key Distribution Service (KDS) must be provisioned
• Add-KdsRootKey -EffectiveTime ([DateTime]::Now.AddDays(-1))
ADFS installation #6
WID supports up to 5 ADFS servers and 60 000 users with more than 100 relying parties
WID supports up to 30 ADFS servers with less than 100 relying parties
Full SQL Server requires the sysadmin role for the installing account
• dbcreator and securityadmin are not sufficient
ADFS installation #7
servicePrincipalName = host/adfs.gopas.cz
• SOAP clients ask for the host/ SPN instead of an http/ SPN
msDS-SupportedEncryptionTypes = RC4, AES
ADFS installation #8
ADFS installation #9
URI: http://sevecek.com/2016-01/adfs/intranet
URN: urn:oid:1.3.6.1.4.1.25005.7.3
URN: urn:fdc:sevecek.com:201601:adfs-intranet
Set-AdfsAlternateTlsClientBinding -Thumbprint
• use if the certificate changed later (updates the HTTP.SYS UrlAcl as well)
• after the change you can update the WAP side with Set-WebApplicationProxySslCertificate on WAP
Passive client
[Figure: a browser on a GPS client in the gopas.virtual domain authenticates to https://adfs.gopas.cz (TLS certificate) with WIA (Kerberos), Basic or Forms; ADFS validates the credentials against a DC over LDAP and returns a "cookie" or "token". A second figure shows the same for a GUI client.]
https://adfs.gopas.cz/federationmetadata/2007-06/federationmetadata.xml
• requires SNI
• WS-Fed / SAML 2.0 metadata
• anonymously available
• digitally signed with XMLDSIG (similar to PKCS#7)
https://adfs.gopas.cz/adfs/services/trust/mex
• requires SNI
• WS-Trust metadata
• anonymously available
https://adfs.gopas.cz/adfs/fs/federationserverservice.asmx
• requires SNI, anonymous
• ADFS1.0 web service metadata
https://adfs.gopas.cz/adfs/ls
• requires SNI, anonymous, returns error HTML with illustration.png
https://adfs.gopas.cz/adfs/ls/idpinitiatedsignon
[Reflection.Assembly]::LoadWithPartialName('System.Web')
[Web.HttpUtility]::UrlDecode(' ')   # from GET/POST params
[Web.HttpUtility]::UrlEncode(' ')
[Web.HttpUtility]::ParseQueryString((New-Object Uri 'https://.../?a=1&b=2&c=3').Query)
# decoding SAMLP: URL-decode, then Base64-decode, then read the bytes as text
[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String([Web.HttpUtility]::UrlDecode(' ')))
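The same decoding in Python, as an added example that is not from the slides: it reproduces the URL-decode / Base64-decode step for a SAMLRequest or SAMLResponse parameter, and goes beyond the slide in also handling the SAML 2.0 HTTP-Redirect binding, where the XML is DEFLATE-compressed before Base64 encoding. The AuthnRequest is constructed for the example and the helper names are this example's own.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Constructed minimal SAML 2.0 AuthnRequest (not a real capture).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2019-05-27T10:00:00Z" '
    'AssertionConsumerServiceURL="https://finance.gopas.cz/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:fdc:sevecek.com:finance</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_query(url):
    """Python counterpart of HttpUtility.ParseQueryString on the URL's query part."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def encode_post_binding(xml_text):
    """HTTP-POST binding: Base64 of the plain XML, form-encoded as a POST field."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.quote_plus(b64)


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64, then URL-encoded."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw deflate
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote_plus(base64.b64encode(raw).decode("ascii"))


def decode_samlp(param_value):
    """URL-decode, Base64-decode, and inflate when the payload is not plain XML."""
    raw = base64.b64decode(urllib.parse.unquote_plus(param_value))
    if raw.lstrip().startswith(b"<"):                  # POST binding: Base64 of plain XML
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")   # Redirect binding: raw DEFLATE


def summarize_authn_request(xml_text):
    """Pull out what an admin checks first: request ID, issuer, and where the token is to be posted."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", SAML_NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    encoded = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print(summarize_authn_request(decode_samlp(encoded)))
```

The AssertionConsumerServiceURL in the decoded request is the value to compare against the endpoints configured for the relying party; an unexpected issuer or consumer URL in a captured request is what a troubleshooting session usually turns up.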
[Figure: WS-Federation passive sign-in flow between a passive client (browser), the web app https://finance and ADFS: 1 GET https://finance; 2 302 redirect to https://adfs.gopas.cz; 3 GET authenticate at https://adfs.gopas.cz; 4 ADFS returns an XML claims token inside a self-submitting JavaScript POST form; 5 POST https://finance with the XML claims token; 6 OK, the web app sets COOKIE FedAuth for finance and ADFS sets COOKIE MSISAuth for adfs.gopas.cz.]
https://adfs.gopas.cz/adfs/ls?wa=wsignin1.0&wtrealm=https://portal.gopas.cz
https://adfs.gopas.cz/adfs/ls/wia?wa=wsignin1.0&wtrealm=urn:fdc:sevecek.com:finance
• WS-Federation passive sign-in URL, you receive a SAML 1.1 token
• target 302 redirect configured as: WS-Federation Passive Endpoints on the Endpoints tab as Default
• wtrealm = one of the relying party Identifiers
https://adfs.gopas.cz/adfs/ls?wa=wsignin1.0&wtrealm=urn:fdc:sevecek.com:finance&wreply=https://portalinternal.gopas.cz
• wreply = non-default target 302 redirect configured as: WS-Federation Passive Endpoints on the Endpoints tab
URI elements
wtrealm
• processed by the ADFS to determine relying party identifier for which the request came
wreply
• processed by the ADFS as the desired back redirection
• must match one of the Trusted URLs on the Endpoints tab
wctx, wct
• values ignored by ADFS and just passed from requests to replies
• storing client application context values
wauth
• &wauth=urn:oasis:names:tc:SAML:1.0:am:password (FBA)
• &wauth=urn:federation:authentication:windows (WIA)
• &wauth=urn:ietf:rfc:2246 (TLS client certificate)
• &wauth=http://schemas.microsoft.com/claims/multipleauthn (request multifactor auth)
whr
• home realm claims provider explicitly named in URL
• AD AUTHORITY, urn:fdc:books, ...
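The URI elements above, exercised in an added Python example that is not from the slides: it builds a passive sign-in URL and then evaluates it the way ADFS would, accepting wtrealm only if it is one of a relying party's Identifiers and wreply only if it matches one of that party's trusted endpoints, while passing wctx through untouched. The relying-party registration is constructed, and matching wreply on scheme, host and path (ignoring a trailing slash) is this example's own assumption about the comparison.

```python
import urllib.parse

ADFS_PASSIVE_ENDPOINT = "https://adfs.gopas.cz/adfs/ls/"

# Constructed relying-party registration, standing in for the Identifiers and the
# WS-Federation passive endpoints an admin configures on the Endpoints tab.
RELYING_PARTIES = [
    {
        "name": "finance",
        "identifiers": {"urn:fdc:sevecek.com:finance", "https://portal.gopas.cz"},
        "default_endpoint": "https://portal.gopas.cz/",
        "trusted_endpoints": {"https://portal.gopas.cz/", "https://portalinternal.gopas.cz/"},
    },
]

# wauth values from the slide mapped to the authentication handler they select.
WAUTH_METHODS = {
    "urn:oasis:names:tc:SAML:1.0:am:password": "forms",
    "urn:federation:authentication:windows": "wia",
    "urn:ietf:rfc:2246": "tls-client-certificate",
    "https://schemas.microsoft.com/claims/multipleauthn": "multifactor",
}


def build_signin_url(wtrealm, wreply=None, wctx=None, wauth=None, whr=None):
    """Compose the WS-Federation passive sign-in URL a relying party redirects to."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    for key, value in (("wreply", wreply), ("wctx", wctx), ("wauth", wauth), ("whr", whr)):
        if value is not None:
            params[key] = value
    return ADFS_PASSIVE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _normalize(url):
    """Compare scheme, host and path only, ignoring a trailing slash (assumed matching rule)."""
    parts = urllib.parse.urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))


def evaluate_signin_request(url):
    """Model of the checks applied to the query: unknown wtrealm or untrusted wreply is refused."""
    query = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}
    if query.get("wa") != "wsignin1.0":
        raise ValueError("not a sign-in request: wa=%r" % query.get("wa"))
    wtrealm = query.get("wtrealm")
    rp = next((r for r in RELYING_PARTIES if wtrealm in r["identifiers"]), None)
    if rp is None:
        raise ValueError("wtrealm %r matches no relying party identifier" % wtrealm)
    reply = query.get("wreply", rp["default_endpoint"])
    trusted = {_normalize(u) for u in rp["trusted_endpoints"]}
    if _normalize(reply) not in trusted:
        raise ValueError("wreply %r is not a trusted endpoint of %s" % (reply, rp["name"]))
    wauth = query.get("wauth")
    if wauth is not None and wauth not in WAUTH_METHODS:
        raise ValueError("unknown wauth %r" % wauth)
    return {
        "relying_party": rp["name"],
        "redirect_to": reply,
        "auth": WAUTH_METHODS[wauth] if wauth else "default",
        "wctx": query.get("wctx"),   # passed back to the relying party untouched
        "whr": query.get("whr"),     # home realm hint, e.g. "AD AUTHORITY"
    }
```

The wreply check is the one that matters for the relying party: without it, a sign-in link could send the issued token anywhere, which is why the slide insists the value must match a configured endpoint rather than be taken from the request as-is.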
// MachineKey.Unprotect(protected, "salt")
[Figure: steps 4 and 5 of the flow with token signing: ADFS signs the XML claims token with the private key of its token-signing certificate and the web app https://finance verifies the signature with the public key. A second figure adds encryption: ADFS encrypts the signed token with the public key of the web app's encryption certificate, so only the web app's private key can decrypt it.]
Standards
Name | What | How | Notes
WS-Federation | passive clients | 302/POST redirects | transport used by WIF (Windows Identity Foundation)
SAML 1.0 | XML token format | urn:oasis:names:tc:saml:1.0:assertion | used by WS-Federation, ADFS 1.0
SAML 1.1 | XML token format | urn:oasis:names:tc:saml:1.0:assertion | used by WS-Federation, ADFS 1.1
SAML 2.0 | XML token format | urn:oasis:names:tc:saml:2.0:assertion | used by SAMLP, ADFS 2.0
https://adfs.gopas.cz/adfs/oauth2/authorize?response_typ
e=code&client_id=11111111-2222-3333-4444-
123456789012&redirect_uri=https://portal.gopas.cz&reso
urce=https://portal.gopas.cz
• OAuth sign-in URL, returns OAuth token, only for active clients
• configured as: no endpoint plus use Get-AdfsClient and Add-
AdfsClient
• https://portal.gopas.cz/?wa=wsignoutcleanup1.0&wreply=https://a
dfs.gopas.cz/adfs/ls/?wa=wsignout1.0
both in a single URL
34
27. 5. 2019
35
27. 5. 2019
Import-Module MSOnline
$cred = Get-Credential
Connect-MSOLService -Credential $cred
Get-MSOLFederationProperty
Update-MSOLFederatedDomain
SharePoint cookies
Sliding cookie expiration 50 minutes before the RP token expires:
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 50)
$sts.Update()
iisreset
SP built-in sign-out
• https://sp.gopas.cz/_layouts/15/SignOut.aspx
User agent strings (two lists as on the slide):
List 1: MSIE 6.0, MSIE 7.0, MSIE 8.0, MSIE 9.0, MSIE 10.0, Trident/7.0, MSIPC, Windows Rights Management Client, MS_WorkFoldersClient, =~Windows\s*NT.*Edge
List 2: MSAuthHost/1.0/In-Domain, MSIE, Trident/7.0, MSIPC, Windows Rights Management Client
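An added Python example, not from the slides, of how such a user-agent list drives the choice between Windows Integrated Authentication and forms: plain entries are treated as substrings of the User-Agent header and an entry prefixed with =~ as a regular expression (this example's assumption about the matching semantics); the combined list and the sample user agents are constructed.

```python
import re

# Constructed list combining the entries shown on the slide.
WIA_SUPPORTED_USER_AGENTS = [
    "MSAuthHost/1.0/In-Domain",
    "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0",
    "Trident/7.0",
    "MSIPC",
    "Windows Rights Management Client",
    "MS_WorkFoldersClient",
    r"=~Windows\s*NT.*Edge",
]


def matching_entry(user_agent, entries=WIA_SUPPORTED_USER_AGENTS):
    """Return the first list entry the User-Agent satisfies, or None."""
    for entry in entries:
        if entry.startswith("=~"):
            if re.search(entry[2:], user_agent):   # "=~" prefix: regular expression
                return entry
        elif entry in user_agent:                  # otherwise: plain substring
            return entry
    return None


def choose_authentication(user_agent, intranet):
    """Intranet requests from a listed agent get WIA (Kerberos); everything else gets forms."""
    if intranet and matching_entry(user_agent) is not None:
        return "wia"
    return "forms"


# Constructed sample User-Agent headers.
SAMPLES = {
    "ie11": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
            "Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/74.0.3729.169 Safari/537.36",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, matching_entry(ua), choose_authentication(ua, intranet=True))
```

A browser that is not on the list (Chrome in the samples) gets a forms prompt even on the intranet, which is the symptom to look for when users report unexpected password prompts. Entries are substrings, so a very short entry would match nearly every browser; keep the list to the agents that actually negotiate Kerberos.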
Azure MFA
Requires
• Azure AD Premium
• or Intune (Mobile Device Management - MDM)
Users register at:
• https://aka.ms/MFAsetup
App
• Azure Authenticator
c:[Type == "https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "https://schemas.microsoft.com/claims/multipleauthn");
# alternative issuance:
# => issue(Type = "https://schemas.microsoft.com/claims/authnmethodsreferences", Value = "https://schemas.microsoft.com/claims/multipleauthn");
[Figure: an untrusted, sandboxed app on the user device is not handed the user's credentials. Instead it opens the ADFS sign-in URL in the trusted browser, which authenticates securely to ADFS; ADFS returns a token with limited lifetime through a POST or 302 redirect to ms-app://localAppID, carrying the token in the query parameters, and the app then calls the web service https://finance with that token.]
Claim rules
Claim members
Type
• http://schemas.xmlsoap.org/claims/UPN
• urn:fdc:gopas.cz:201701:adfs/someClaim
Issuer
• AD AUTHORITY (primarySid, groupSid, ...)
• LOCAL AUTHORITY (authenticationinstant, client cert thumbprint, subject, san, ...)
• SELF AUTHORITY
• urn:fdc:gopas.cz:201606:adfs-intranet
OriginalIssuer
Value
ValueType
• http://www.w3.org/2001/XMLSchema#string
• http://www.w3.org/2001/XMLSchema#base64Binary
• http://www.w3.org/2001/XMLSchema#date
• http://www.w3.org/2001/XMLSchema#dateTime
More claims of the same type can usually be generated and kept
• things such as UPN, Name, windowsaccountname can have more items
• except for the NameID claim
• exactly duplicate claims are removed
exists([ ... ])
exists([Type == "https://schemas.microsoft.com/2012/...", Value == "..."])
# passive endpoint
exists([Type == "https://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
c:[Type == "https://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
 => issue(Type = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["https://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
issue(
  store = "_PasswordExpiryStore",
  types = (
    "https://schemas.microsoft.com/ws/2012/01/passwordexpirationtime",
    "https://schemas.microsoft.com/ws/2012/01/passwordexpirationdays",
    "https://schemas.microsoft.com/ws/2012/01/passwordchangeurl"
  ),
  query = "{0};",
  param = c1.Value
);
Set-AdfsGlobalWebContent
Set-AdfsWebTheme
• CompanyName, Logo, Illustration, StyleSheet
• ErrorPageDescriptionText, ErrorPageAuthorizationErrorMessage
• ErrorPageSupportEmail
Custom themes
• New-AdfsWebTheme -Name myOwn -SourceName default
• Set-AdfsWebConfig -ActiveTheme
fullSAM:[Type == "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => add(
  store = "infosys",
  types = ("urn:fdc:gopas.cz:201805:claims/email"),
  query = "SELECT mail FROM People WHERE adlogin = {0}",
  param = fullSAM.value
);
Motivation
[Figure: a web server on https://finance.gopas.virtual published to the Internet as https://finance.gopas.cz through a reverse HTTPS proxy; the browser client, the reverse proxy and the web server each see their own TLS certificate; the GUI client authenticates at https://adfs.gopas.cz; ADFS and the web server are in gopas.virtual with the DCs. The second figure replaces the generic reverse proxy with WAP in front of both the web server and ADFS.]
[Figure: https://portal.gopas.cz published two ways: the reverse proxy pre-authenticates with Basic and passes Basic credentials on to the internal https://portal, versus the proxy doing full ADFS pre-authentication and then using Kerberos to the internal web server.]
[Figure: https://intranet.gopas.cz published through the reverse proxy as a pass-through without pre-authentication; the internal https://intranet web server authenticates the client itself against the DCs in gopas.virtual.]
SharePoint
not everything requires authentication
HTTP level protocol exploits
• many, many, many IIS modules to pass
[Figure: the browser client on the Internet reaches WAP, which forwards to ADFS at https://adfs.gopas.cz (TLS certificate); ADFS is backed by the DCs. The same picture appears on two consecutive slides.]
WAP installation #2
Add-WindowsFeature Web-Application-Proxy, RSAT-RemoteAccess
WAP installation #3
The WAP setup needs access to Admin$ on the primary ADFS server
• after installation HTTPS:443 only (TLS client certificate authentication)
WAP installation #4
WAP installation #5
[Figure: WAP authenticates to ADFS at https://adfs.gopas.cz over TLS with its WAP client certificate; browser and GUI clients see the TLS certificate presented by WAP; ADFS is backed by the DCs.]
Get-WebApplicationProxyConfiguration
• ADFSTokenSigningCertificatePublicKey, ConfigurationChangesPollingIntervalSec = 30
• https://adfs.gopas.cz/adfs/fs/FederationServerService.asmx
• HTTP 503 service unavailable when ADFS cannot be reached
ADFS itself generates the correct absolute URL into the POST FORM ACTION as long as the wreply parameter is "valid"
Set-AdfsProperties -EnableLoopDetection
• cookie MSISLoopbackDetection
Set-WebApplicationProxyApplication -EnableSignout
• EdgeAccessCookie gets deleted with the ?wa=wsignoutcleanup1.0 action (with the final sign-out after all applications)
Publishing SharePoint
[Figure: the SharePoint web server https://intranet is published through WAP as https://sp.gopas.cz; in the first variant the reverse proxy forwards with the host header https://sp.gopas.cz, in the second the web server itself answers for https://sp.gopas.cz and https://sp.gopas.cz.]
Application pool identity | on/off | Kerberos account
Local System (SYSTEM) | on/off | GPS\WFE$
Local Service (NT AUTHORITY\Local Service) | on/off | no Kerberos
Network Service (NT AUTHORITY\Network Service) | on/off | GPS\WFE$
ApplicationPoolIdentity (IIS APPPOOL\apppool) | on/off | GPS\WFE$
GPS\svc-iis-canteen | on | GPS\WFE$
External authentication
[Figure: authentication options between the browser client and the reverse HTTPS proxy (TLS certificate): Basic, Windows NTLM, Windows Kerberos, Forms/cookie, TLS client certificate; the proxy and the DCs sit behind it.]
Comparison (cells grouped as laid out on the slide):
Basic | plain-text, no SSO, sign-out easy
Forms/cookie | timeout, session vs. persistent cookie, browser clients
Kerberos constrained delegation | only for "partners", safe against password guessing
TLS client certificate | can use smart-cards
Claims SAML token | both clients, safe against HTTP exploits
[Figure: https://portal.gopas.cz three ways: the web server https://portal published directly with the TLS certificate on the proxy; the web server federated with ADFS; and WAP in front of https://portal using Kerberos delegation after ADFS pre-authentication.]
[Figure: federation with a partner: our client and the partner's client both use the web app https://finance; our ADFS https://adfs.gopas.cz trusts the partner's ADFS https://adfs.book-vendors.com as a claims provider, the partner's ADFS sends outgoing claims to ours, and ours issues the token for https://finance. The following slides repeat only the "Our / Partner" client pairs.]
Initialize-ADDeviceRegistration
• requires Enterprise Admins membership
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
Events
• Application and Service Logs \ Microsoft \ Windows \ User Device Registration
Tasks
• Microsoft \ Windows \ Workplace Join
dsregcmd (runs under SYSTEM, use dsregcmd /status)
DSREGCMD parameters
[no parameter]
• must run under SYSTEM
• tries to register if AD contains CN=62a0ff2e-97b9-4513-943f-0d221bd30080
/debug
• must run under SYSTEM
• debug output for the [no parameter] operation
/status
• actual status (no network connections)
/leave
/trigger
• triggers the scheduled task for the [no parameter] operation instead of doing the operation under the SYSTEM account directly
The certificates are on disk only (not in the service's store at all)
• certutil c:\Users\svc-adfs$\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<thumbprint>
OAuth 2.0
Basic motivation
Just another redirection protocol
• “implicit grant”
Different token format JWT
• JSON Web Tokens
• simpler and smaller
Refresh tokens
• issue a new access token based on a previously obtained refresh token
[Figures: OAuth motivation. Without OAuth, client A (a GUI or browser, "Monthly payment for electricity") and client B ("Random Web shop services") both hold the user's bank password and present it to the bank web service / bank DB (the protected resource). With OAuth, the resource owner types the password only at the authorization server; the client receives an authorization grant, exchanges it at the authorization server for an access token, and presents the access token to the protected resource. The slides then label the same picture with the user kamil and clients A, B and C.]
[Figure: OAuth roles mapped to ADFS: the authorization endpoint is https://adfs.gopas.cz/adfs/oauth2/authorize; the resource owner uses a GUI or browser app that sends the authentication request (GET); the web service client app B is https://FrontEndWebAppB.sevecek.com, alternatively a local app ms-app://localAppOnTheClientMachine or JavaScript at https://localJavaScriptDummyToken/id; the protected resource server is https://portal.gopas.cz.]
Client types
Confidential
• server application which can protect its own credentials
• usually using the authorization grant
Public
• mobile application on the resource owner device
• usually using the implicit grant (just like WS-Fed or SAML-P)
• resource owner has access to the client credentials
• native application - GUI, sand-boxed or not
• user-agent based application - JavaScript in browser
GET https://adfs.gopas.cz/adfs/oauth2/authorize?response_type=code&client_id=87654321-2222-3333-4444-123456789012&redirect_uri=https://FrontEndWebAppB.sevecek.com&resource=https://backEndSharedWebService.gopas.cz
GET https://adfs.gopas.cz/adfs/oauth2/authorize?response_type=code&client_id=01010101-2222-3333-4444-123456789012&redirect_uri=https://localJavaScriptDummyToken/id&resource=https://backEndSharedWebService.gopas.cz
POST https://adfs.gopas.cz/adfs/oauth2/token
grant_type=authorization_code&client_id=87654321-2222-3333-4444-123456789012&redirect_uri=https://backEndSharedWebService&code=[code]
POST https://adfs.gopas.cz/adfs/oauth2/token
grant_type=authorization_code&client_id=01010101-2222-3333-4444-123456789012&redirect_uri=https://portal.gopas.cz&code=[code]
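The two request pairs above, worked through in an added Python example that is not from the slides or from ADFS: a small authorization server handles the GET to the authorize endpoint and the POST to the token endpoint and applies the checks a defender cares about, namely that redirect_uri exactly matches the client's registration, that the token request repeats the redirect_uri used at authorization, that a code is single-use and short-lived, that a confidential client must present its secret, and that a refresh token (from the OAuth 2.0 slide earlier) yields a new access token and is rotated on use. The client registrations, the secret and the lifetimes are constructed, and the opaque access token stands in for the JWT that ADFS would issue.

```python
import secrets
import time
import urllib.parse

# Constructed client registrations standing in for Add-AdfsClient output (not an ADFS export).
CLIENTS = {
    "87654321-2222-3333-4444-123456789012": {
        "type": "confidential",                      # server app, can keep a secret
        "secret": "constructed-client-secret",
        "redirect_uris": {"https://FrontEndWebAppB.sevecek.com"},
    },
    "01010101-2222-3333-4444-123456789012": {
        "type": "public",                            # JavaScript / native app, no secret
        "secret": None,
        "redirect_uris": {"https://localJavaScriptDummyToken/id", "https://portal.gopas.cz"},
    },
}
RESOURCES = {"https://backEndSharedWebService.gopas.cz", "https://portal.gopas.cz"}
CODE_LIFETIME = 600        # seconds an authorization code stays valid (this example's choice)
ACCESS_LIFETIME = 3600


def _params(query_or_form):
    return {k: v[0] for k, v in urllib.parse.parse_qs(query_or_form).items()}


class AuthorizationServer:
    """Authorization-code grant with refresh tokens; access tokens are opaque stand-ins for JWTs."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}           # code -> client_id, redirect_uri, resource, user, expires
        self.refresh_tokens = {}  # refresh token -> client_id, resource, user

    def authorize(self, url, user):
        """Handle GET /adfs/oauth2/authorize for an already authenticated user; return the redirect."""
        q = _params(urllib.parse.urlsplit(url).query)
        if q.get("response_type") != "code":
            raise ValueError("only the authorization code flow is modelled")
        client = CLIENTS.get(q.get("client_id"))
        if client is None:
            raise ValueError("unregistered client_id")
        if q.get("redirect_uri") not in client["redirect_uris"]:   # exact match, never a prefix
            raise ValueError("redirect_uri not registered for this client")
        if q.get("resource") not in RESOURCES:
            raise ValueError("unknown resource")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "resource": q["resource"], "user": user,
                            "expires": self.clock() + CODE_LIFETIME}
        separator = "&" if "?" in q["redirect_uri"] else "?"
        return q["redirect_uri"] + separator + urllib.parse.urlencode({"code": code})

    def token(self, form, client_secret=None):
        """Handle POST /adfs/oauth2/token for grant_type=authorization_code or refresh_token."""
        p = _params(form)
        client = CLIENTS.get(p.get("client_id"))
        if client is None:
            raise ValueError("unregistered client_id")
        if client["type"] == "confidential" and client_secret != client["secret"]:
            raise ValueError("confidential client must authenticate")
        if p.get("grant_type") == "authorization_code":
            rec = self.codes.pop(p.get("code"), None)         # single use: gone after this call
            if rec is None or rec["expires"] < self.clock():
                raise ValueError("invalid or expired code")
            if rec["client_id"] != p["client_id"]:
                raise ValueError("code was issued to another client")
            if rec["redirect_uri"] != p.get("redirect_uri"):  # must repeat the authorize value
                raise ValueError("redirect_uri mismatch")
            return self._issue(rec["client_id"], rec["resource"], rec["user"])
        if p.get("grant_type") == "refresh_token":
            rec = self.refresh_tokens.pop(p.get("refresh_token"), None)   # rotate on use
            if rec is None or rec["client_id"] != p["client_id"]:
                raise ValueError("invalid refresh token")
            return self._issue(rec["client_id"], rec["resource"], rec["user"])
        raise ValueError("unsupported grant_type")

    def _issue(self, client_id, resource, user):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"client_id": client_id, "resource": resource, "user": user}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": ACCESS_LIFETIME, "resource": resource, "refresh_token": refresh}
```

The redirect_uri mismatch check is the one to watch in the slide's second POST: the token request must carry the same redirect_uri the client used at the authorize endpoint, otherwise the server refuses to exchange the code.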