The OAuth 2.0 Protocol Extensions for Broker Clients define extensions to [RFC6749] and [MS-OAPX]. A prerequisite to implementing the OAuth 2.0 Protocol Extensions is that the REQUIRED parts of [RFC6749] have been implemented on the AD FS server.
These extensions also assume that if the OAuth 2.0 client requests authorization for a particular resource, or relying party, secured by the AD FS server, the client knows the identifier of that resource. These extensions also assume that the OAuth 2.0 client knows its own client identifier and all relevant client authentication information if it is a confidential client.
The client runs on a device for which there is a corresponding msDS-Device object in Active Directory with the following additional requirements:
The client has access to the private key of a device certificate (defined in section 3.1.1). The public portion of the device certificate is stored in the altSecurityIdentities attribute of the device's msDS-Device object in Active Directory.
The OAuth 2.0 Protocol Extensions for Broker Clients assume that they, the OAuth 2.0 Protocol Extensions [MS-OAPX], and the OpenID Connect 1.0 Protocol Extensions [MS-OIDCE], if being used, are all running on the same AD FS server.