Double-check your application's scope configuration in both your application and ADFS. Ensure that the scopes you've defined in your OpenID configuration match those you've configured in ADFS. Ensure that the scope 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' is defined and allowed for your client in ADFS.
ADFS and OIDC integration
Good morning community,
I'm implementing an integration with ADFS to implement user authentication between my application and ADFS.
So I successfully registered my application on ADFS, retrieved the client ID and secret ID, and set up the redirect URL.
After that I imported the ADFS certificate into my app and performed the OpenID configuration successfully using these parameters:
Discovery URL: https://ADFS-hostname/adfs/.well-known/openid-configuration
Authorization URL: https://ADFS-hostname/adfs/oauth2/authorize/
Token URL: https://ADFS-hostname/adfs/oauth2/token/
JWT URL: https://ADFS-hostname/adfs/discovery/keys
Scope: vpn_cert aza email logon_cert user_impersonation openid profile
Client ID
Client Secret
Then I created the Relying Party in ADFS with the following information:
Relying Party identifiers: https://ADFS-hostname/adfs/oauth2/authorize/
Access Control Policy: Permit Everyone.
But when I try to log in, I'm redirected correctly from my app to ADFS, but I receive the following error:
Encountered error during federation passive request.
Additional Data
Event ID 364
Protocol Name: OAuthAuthorizationProtocol
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client 'ClientID Number' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope'.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthTokenBrokerAuthorizationRequestContext.ValidateBroker()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthTokenBrokerAuthorizationRequestContext.ValidateCore()
at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.PreAuthenticationProcess(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Any hints or suggestions will be appreciated.
Regards
Mario
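The reply above says to check that the scopes the application requests are defined and allowed for the client in ADFS. The following PowerShell script is an added example for doing exactly that check on the ADFS server; it is not code from the original post or from Microsoft. It assumes an ADFS 2016-or-later server with the ADFS module installed, that $ClientId is the client ID issued at registration, and that $Resource is the identifier of the relying party or Web API the client targets (both are placeholders, not values from the post). It defaults to the scope list from the question and reports each requested scope that ADFS either does not know about or has not granted to this client.

```powershell
# Added example (not from the original post): compare the scopes an OIDC client
# requests with the scopes ADFS has actually defined and granted to it.
# Assumptions (placeholders, not values from the post):
#   $ClientId  - the client ID ADFS issued when the application was registered
#   $Resource  - identifier of the resource (relying party / Web API) the client targets
param(
    [Parameter(Mandatory)] [string] $ClientId,
    [string] $Resource,
    [string] $RequestedScopes = 'vpn_cert aza email logon_cert user_impersonation openid profile'
)

Import-Module ADFS

# 1. Confirm the client registration exists and show its redirect URIs;
#    a mismatch here is rejected before scopes are even evaluated.
$client = Get-AdfsClient -ClientId $ClientId
if (-not $client) { throw "No ADFS client registered with ClientId '$ClientId'" }
"Client '$($client.Name)' redirect URIs:"
$client.RedirectUri | ForEach-Object { "  $_" }

# 2. Scopes ADFS knows about at all; a scope absent here cannot be granted.
$known = (Get-AdfsScopeDescription).Name

# 3. Permissions granted to this client, optionally narrowed to one resource.
$perms = Get-AdfsApplicationPermission -ClientRoleIdentifiers $ClientId
if ($Resource) { $perms = $perms | Where-Object ServerRoleIdentifier -eq $Resource }

$granted = @($perms | ForEach-Object { $_.ScopeNames }) | Sort-Object -Unique
"Granted scopes:"
$perms | ForEach-Object { "  resource $($_.ServerRoleIdentifier): $($_.ScopeNames -join ' ')" }

# 4. Report requested scopes that are undefined or not granted. ADFS will not
#    hand out a scope the client was never granted, so these are the first
#    things to reconcile with the scope string configured in the application.
$requested = $RequestedScopes -split '\s+' | Where-Object { $_ }
$undefined = $requested | Where-Object { $known -notcontains $_ }
$missing   = $requested | Where-Object { $known -contains $_ -and $granted -notcontains $_ }

if ($undefined) { "Requested but not defined in ADFS: $($undefined -join ' ')" }
if ($missing)   { "Requested but not granted to client: $($missing -join ' ')" }
if (-not $undefined -and -not $missing) { "All requested scopes are defined and granted." }

# To grant the missing scopes for the target resource (run once, as an ADFS admin):
# Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId `
#     -ServerRoleIdentifier $Resource -ScopeNames $missing
```

Run it as an ADFS administrator on the federation server, e.g. `.\Check-AdfsClientScopes.ps1 -ClientId <your client ID> -Resource <your RP identifier>`. Trim the application's scope string to what the client actually needs (typically `openid profile email`) rather than granting certificate and impersonation scopes just to make the error go away; each extra scope widens what a stolen token or a compromised client can do.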