Monday, 26 January 2015

ADFS 2012 R2 (3.0) JSON web token validation



Our client would like us to use ADFS 2012 R2 (aka 3.0) as the primary means for two security features in internal apps that we are building:



  1. The web apps (there are two: .NET and Angular) and an iOS app will use the OAuth flow within ADFS

  2. Upon completion of the token flow, the JWT created by ADFS will be passed to a RESTful API that is being created with Spring

  3. The Spring API will then need to validate the JWT before allowing the call to proceed


Using ADFS for the OAuth flow is new to us, and a few questions have popped up. We've scoured the Internet looking for answers. Many of them are solely focused on delivering a solution using MS-only tech (ADAL, .NET/C#-based APIs, OWIN, Katana). Thus, we hoped to crowd-source an answer via SE. Any and all help is much appreciated.


At this point, we have been able to:



  • Register an OAuth client with the PowerShell command in ADFS

  • Register a "fake" Resource as a Relying Party in ADFS

  • Set up our clients to make a call to ADFS to authorize and then get the returned JWT


This link was very helpful in explaining the setup:


http://ift.tt/1Ecfx2I


Now, we need to put the code in place in the Spring API to verify the JWT.


In all examples of the OAuth flow, there is a shared secret between the issuing party and the client. This secret is used to verify that the JWT has not been spoofed.


In the setup we have done thus far in ADFS, there is no definition of a secret key or shared secret. We can grab the JWT from the Authorization header and decode it. But we seem to have no means to verify the signature.


Are we missing something here?


Our options if we do not get this to work are:



  • Use Oracle Identity Manager / Access Manager (already in-house)

  • Bring WSO2 Identity Manager into the picture
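Editor's note with an added example (not code from the question, from ADFS, or from any Spring project): ADFS 2012 R2 signs the JWTs it issues with RS256, an RSA signature made with the private key of its token-signing certificate, so the resource needs no shared secret at all. It verifies the signature with the matching public key, which it obtains out of band from the ADFS federation metadata (the token-signing certificate at /FederationMetadata/2007-06/FederationMetadata.xml), and then checks the claims. The Go program below plays both roles: issueToken stands in for ADFS, and ValidateToken is the check the resource API performs, shown against a correctly signed token and against tokens that are tampered with, unsigned (alg=none), signed by someone else's key, or expired. The key pairs, issuer string, audience identifier (the relying-party identifier registered in ADFS) and clock value are generated or assumed here for illustration; in the Spring API a Java JWT library does the same steps against the same public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of JWT claims the API checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// issueToken stands in for ADFS: RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
func issueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	pl, _ := json.Marshal(c) // marshalling a plain struct cannot fail
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// ValidateToken is the resource API's check: it needs only the issuer's public key (the token-signing
// certificate from the ADFS federation metadata), the expected issuer and its own audience identifier.
func ValidateToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrBytes, err1 := b64.DecodeString(parts[0])
	plBytes, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url encoding")
	}
	var hdr struct{ Alg string `json:"alg"` } // pin the algorithm; never let the token pick "none" or HS256
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // the payload is parsed and trusted only after the signature verified
	if err := json.Unmarshal(plBytes, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token not meant for this API: aud=%q", c.Aud)
	case c.Exp == 0 || now >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// Demo plays both roles and reports, per scenario, whether the API accepted the token.
func Demo() map[string]bool {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the ADFS token-signing certificate
	if err != nil {
		panic(err)
	}
	const iss = "http://adfs.example.com/adfs/services/trust" // assumed issuer value
	const aud = "https://api.example.com/"                  // assumed relying-party identifier
	const now int64 = 1422230400                              // fixed clock for the demo (2015-01-26 UTC)
	good := Claims{Iss: iss, Aud: aud, Exp: now + 3600}
	tok, _ := issueToken(priv, good)
	accepted := func(t string) bool {
		_, err := ValidateToken(t, &priv.PublicKey, iss, aud, now)
		return err == nil
	}
	parts := strings.Split(tok, ".")
	pl, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Exp: good.Exp + 86400*365}) // edited payload, original signature kept
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)                           // an attacker's own key pair
	forged, _ := issueToken(otherKey, good)
	expired, _ := issueToken(priv, Claims{Iss: iss, Aud: aud, Exp: now - 60})
	return map[string]bool{
		"valid":            accepted(tok),
		"tampered_payload": accepted(parts[0] + "." + b64.EncodeToString(pl) + "." + parts[2]),
		"alg_none":         accepted(b64.EncodeToString([]byte(`{"typ":"JWT","alg":"none"}`)) + "." + parts[1] + "."),
		"wrong_key":        accepted(forged),
		"expired":          accepted(expired),
	}
}

func main() { fmt.Println(Demo()) }
```

Only the "valid" entry comes back true. The two things that matter for the question are the order of operations (pin the algorithm, verify the RSA signature with the issuer's public key, and only then read the claims) and the fact that nothing in the verifier is secret: the resource holds just the public key from the ADFS metadata and the identifiers it expects to see in iss and aud.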




