ADFS - How do I get a token to authenticate a call from my ASP.NET Core MVC Site to my ASP.NET Core Web API?

Jeffrey Schulz 1 Reputation point
2021-01-14T00:52:45.507+00:00

I am trying to get a token from my ADFS Server to authenticate a call from my ASP.NET Core MVC Site to my ASP.NET Core Web API. Can someone give me an idea of where I am going wrong or point me to some examples / instructions on how to set this up?

We are not using Azure and most examples I find use Azure.

ERROR:

Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidOBOAssertionException: MSIS9387: Received invalid OAuth request. Audience 'urn:microsoft:userinfo' in the 'assertion' is not same as the identifier of the client 'xxreplacedfakedataxx'.

CODE:

        // ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) on-behalf-of exchange from the MVC site
        using System.Threading.Tasks;
        using Microsoft.AspNetCore.Authentication;
        using Microsoft.IdentityModel.Clients.ActiveDirectory;

        private async Task<string> GetApiTokenAsync()
        {
            var openIdToken = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");  //access_token or id_token
            var clientCredential = new ClientCredential(_clientId, _secret);
            var authContext = new AuthenticationContext(_authority, false);  // validateAuthority = false for ADFS
            // Get ADFS token but using openID token
            if (openIdToken != null)
            {
                const string assertionType = "urn:ietf:params:oauth:grant-type:jwt-bearer";
                var userAssertion = new UserAssertion(openIdToken, assertionType);
                var token = await authContext.AcquireTokenAsync(_audience, clientCredential, userAssertion);
                return token.AccessToken;
            }
            return null;
        }

ERROR:
{"MSIS9649: Received invalid OAuth request. The 'assertion' parameter value is not a valid access token."}

CODE:

        // Same exchange, this time passing the id_token as the assertion and wrapping the ADAL exception
        using System;
        using System.Threading.Tasks;
        using Microsoft.AspNetCore.Authentication;
        using Microsoft.IdentityModel.Clients.ActiveDirectory;

        private async Task<string> GetApiTokenAsync()
        {
            var openIdToken = await _httpContextAccessor.HttpContext.GetTokenAsync("id_token");  //should this be access_token or id_token, I tried both but no luck
            var clientCredential = new ClientCredential(_clientId, _secret);
            var authContext = new AuthenticationContext(_authority, false);  // validateAuthority = false for ADFS
            // Get ADFS token but using openID token
            if (openIdToken != null)
            {
                const string assertionType = "urn:ietf:params:oauth:grant-type:jwt-bearer";
                var userAssertion = new UserAssertion(openIdToken, assertionType);
                AuthenticationResult authenticateResult = null;
                try
                {
                    authenticateResult = await authContext.AcquireTokenAsync(_audience, clientCredential, userAssertion);
                }
                catch (Exception ex)
                {
                    throw new Exception(ex.ToString(), ex);
                }
                return authenticateResult?.AccessToken;
            }
            return null;
        }
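Added example (not part of the question above, and not ADAL's own source): the same on-behalf-of exchange written directly against the ADFS token endpoint, with a pre-flight check that explains the two errors in the question before ADFS has to. MSIS9387 says the assertion's audience must equal the client identifier of the MVC site, so the sign-in must request an access token for the MVC site itself (`Resource = ClientId`) rather than the default `urn:microsoft:userinfo` audience; MSIS9649 says the assertion must be an access token, so the id_token cannot be used. The authority, client id, secret and Web API identifier are placeholders, and it is assumed that the MVC site's ADFS application group registers a Web API whose identifier is the MVC client id (the registration the error text describes). The form fields are the ones ADAL's `UserAssertion` overload posts.

```csharp
// Added example, not the question's code. Placeholders: Authority, MvcClientId,
// MvcClientSecret and WebApiIdentifier are assumed values for an ADFS 2016+ farm.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;

public static class AdfsObo
{
    const string Authority = "https://adfs.example.com/adfs";                 // assumed
    const string MvcClientId = "11111111-1111-1111-1111-111111111111";        // assumed
    const string MvcClientSecret = "<client secret from the ADFS server application>";
    const string WebApiIdentifier = "https://api.example.com";                // assumed

    // 1. Sign-in configuration for the MVC site. Resource = MvcClientId makes ADFS issue an
    //    access token whose 'aud' is the MVC site's own identifier instead of
    //    urn:microsoft:userinfo, which is what MSIS9387 requires of the assertion.
    //    SaveTokens keeps the access token reachable through HttpContext.GetTokenAsync.
    public static void ConfigureOidc(OpenIdConnectOptions options)
    {
        options.Authority = Authority;
        options.ClientId = MvcClientId;
        options.ClientSecret = MvcClientSecret;
        options.ResponseType = "code";
        options.Resource = MvcClientId;
        options.SaveTokens = true;
    }

    // 2. Pre-flight check: fail locally with a precise message instead of MSIS9387.
    //    ReadJwtToken only parses; ADFS validates the signature when it receives the assertion.
    public static void CheckAssertionAudience(string token)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(token);
        if (!jwt.Audiences.Contains(MvcClientId))
        {
            throw new InvalidOperationException(
                $"assertion aud [{string.Join(",", jwt.Audiences)}] must equal client_id {MvcClientId}: " +
                "request resource=<client_id> at sign-in and pass the access_token, not the id_token");
        }
    }

    // 3. The exchange: jwt-bearer grant, authenticated with the MVC site's client credentials,
    //    asking for a token whose audience is the Web API.
    public static async Task<string> ExchangeForApiTokenAsync(HttpClient http, string userAccessToken)
    {
        CheckAssertionAudience(userAccessToken);
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["client_id"] = MvcClientId,
            ["client_secret"] = MvcClientSecret,
            ["assertion"] = userAccessToken,
            ["resource"] = WebApiIdentifier,
            ["requested_token_use"] = "on_behalf_of",
            ["scope"] = "openid",
        };
        using var response = await http.PostAsync($"{Authority}/oauth2/token", new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // ADFS returns its MSISnnnn text in error_description; surface it unchanged.
            throw new InvalidOperationException($"ADFS token endpoint returned {(int)response.StatusCode}: {body}");
        }
        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    // Usage from a controller or service: the token saved at sign-in is the assertion.
    public static async Task<string> GetApiTokenAsync(HttpContext context, IHttpClientFactory factory)
    {
        var userAccessToken = await context.GetTokenAsync("access_token")
            ?? throw new InvalidOperationException("no access_token saved; set SaveTokens = true");
        return await ExchangeForApiTokenAsync(factory.CreateClient(), userAccessToken);
    }
}
```

The resulting API token is then sent as a `Bearer` header to the Web API, which validates it against the ADFS authority with `WebApiIdentifier` as its audience. The audience check is deliberately done on the MVC side before the call so that a misconfigured sign-in fails with a message naming the missing `resource` parameter rather than with the generic MSIS9387 text.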