ADFS 3.0 + OAuth 2.0

Once ADFS is set up, OAuth 2.0 is already enabled by default.

Note: add a Relying Party Trust (or use an existing one) and give it an identifier of your own; that identifier is what the client later passes as the `resource` parameter.

References:
https://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
http://www.gi-architects.co.uk/2016/04/setup-oauth2-on-adfs-3-0/

If you run into:
error=invalid_resource&error_description=MSIS9602%3a+The+received+%27resource%27+parameter+is+invalid.+The+authorization+server+can+not+find+a+registered+resource+with+the+specified+identifier.
it means the relying party is not trusted, or the wrong identifier was passed as `resource`.

The actual experiment went as follows:

  1. Register the client in PowerShell:
     Add-ADFSClient -Name "OAUTH2 Test Client" -ClientId "todd" -RedirectUri "http://192.168.0.20:3000/getAToken"

  2. Open the authorization endpoint:
     https://win-r9jnunkcelj.rinsys.com/adfs/oauth2/authorize?response_type=code&client_id=todd&resource=urn%3Arelying%3Aparty%3Atrust%3Aidentifier&redirect_uri=http%3A%2F%2F192.168.0.20%3A3000%2FgetAToken
     which, decoded, is:
     https://win-r9jnunkcelj.rinsys.com/adfs/oauth2/authorize?response_type=code&client_id=todd&resource=urn:relying:party:trust:identifier&redirect_uri=http://192.168.0.20:3000/getAToken

  3. ADFS redirects back to the client with the authorization code:
     http://192.168.0.20:3000/getAToken?code=e2mLrbaVpE2FWqoMNi22mA.8HELk0v51ggBAJG8n-ZHcAqXb_g.ZkFq_HFfJaGRVlahEtt4UObe790oNKRkLs3j4vDpOWCOZO3X3Pk4nSiuPmbVCcUaCxbuB8g6FvEP-6c6NpUBleJ0ONsSL3qoNuaY1WtWZI2jXvvpB3NEIyQa6YB8TD3qfojLmjWiqqrcHp6KpDj2FOiCM1dZ3TUee5JNJkT9h9LqjuVdDOQiGvoU8XNTkPodxB2V9pLWO3jNzjXrafO38A1eEj2ZsvxvYOU1Fa_ufQnsE49deV2pAln7NpPOMxDt-DKOguT9USLaryQz9Unfo5iQJzCD66TqLYNSctLdw7_L8P3DcjFnKAKXK4vq5a75FunE664FqftEs5FLYzfTDg

  4. Send the token request:
     POST /adfs/oauth2/token HTTP/1.1
     Content-Type: application/x-www-form-urlencoded
     Host: your.adfs.server
     Content-Length:

     grant_type=authorization_code&client_id=some-uid-or-other&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FgetAToken&code=thecode

     This returned an error:
     {
       "error": "invalid_request",
       "error_description": "MSIS9609: The 'redirect_uri' parameter is invalid. No redirect uri with the specified value is registered for the received 'client_id'. "
     }
     Damn, it turned out the cause was that redirect_uri had been URL-encoded. Since this is a POST, this parameter must not be encoded.

  5. The token is returned:
     {
       "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjBzTVZIOXlVdFlyaFhCd0hOcTdRejZrRm5XZyJ9....R7YOyp986M6sYPrjyCI5JAVEZ0XTat9i89Hi8PeV4xQbe5NLrjO6CqpN2v_C_sCj5PgGyBMkAHKX4Bgyf3s4eisilrsU7t08td2nYU05rzHL8IHF_Emv0B2s0OsbY5kkACI8iYAW0rQ7ZpfUitWgygTR-GtvBnZfAfn65OpEX87Gt_x6hXL88Oacia9Le1tBFX3MiK3ShrsIv4LrSaFw5HxfN_yfieZqxndmuXOL3tcna1jyamUdmMa4WcfdNwSRlxwVlUZvbGYxSHXgSwfUvak_zkekAEFI5QtNup85ZBp1JPehlXePOBLJ_ZGErIbt-5lmHT6uX2H--qKGEFbYeg",
       "token_type": "bearer",
       "expires_in": 3600,
       "refresh_token": "_bhAioyNOFP-uPNqFdMUf3SW4RIyMaRcW1uFsnTohr4AAQAAKHBS9_LiM8OMqOH7mNv6JT_D1fm3LilU-bJGPi-6uHvW-mSkDHqgqy2JhdAocmsNZ08Duzcf6PV5pO9Z-CX-4EvuYTC7silc043QLXl1MOOxhw2V5sC6hrjO5BsUWXLRoGKerWrCAaW1TwS1bb9G1XtTgGigX2UjvcN8Z0u9_RV-"
     }
     (the payload segment of the access_token is elided above)
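The whole flow above (steps 1 to 5, together with the MSIS9602 and MSIS9609 errors) as an added Python example; this is not code from the original post and not Microsoft's ADFS client code. It reuses the post's lab values (host win-r9jnunkcelj.rinsys.com, client_id todd, the urn:relying:party:trust:identifier resource, the http://192.168.0.20:3000/getAToken callback) as constants, and those are assumptions to replace with your own. It builds the authorize URL, parses the callback, builds the token POST body with redirect_uri left unencoded as the post found ADFS 3.0 requires, and decodes the header of the returned access_token to expose the alg and x5t (token-signing certificate thumbprint) that a resource server needs before trusting the token. It makes no network calls and does not verify the signature.

```python
"""ADFS 3.0 authorization-code flow helpers (added example, not the post's code).

All hostnames, identifiers and URIs below are assumptions taken from the
post's lab setup; replace them with your own.
"""
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumed lab values (taken from the post's own steps 1 and 2).
ADFS_HOST = "win-r9jnunkcelj.rinsys.com"
CLIENT_ID = "todd"                                   # -ClientId from Add-ADFSClient
REDIRECT_URI = "http://192.168.0.20:3000/getAToken"  # -RedirectUri from Add-ADFSClient
RESOURCE = "urn:relying:party:trust:identifier"      # identifier of the Relying Party Trust


def build_authorize_url(host, client_id, resource, redirect_uri, state=None):
    """Step 2: the GET to /adfs/oauth2/authorize.

    Every query parameter is percent-encoded, exactly as the post's URL shows
    (urlencode turns ':' into %3A and '/' into %2F).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "resource": resource,
        "redirect_uri": redirect_uri,
    }
    if state is not None:
        # Opaque per-session value; compare it on the callback so a code from
        # some other login cannot be injected into this session.
        params["state"] = state
    return f"https://{host}/adfs/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url):
    """Step 3: ADFS redirects to redirect_uri with ?code=... on success, or
    ?error=...&error_description=... on failure (as in the MSIS9602 case)."""
    query = parse_qs(urlsplit(callback_url).query)
    if "code" in query:
        return {"code": query["code"][0], "state": query.get("state", [None])[0]}
    return {
        "error": query.get("error", [""])[0],
        "error_description": query.get("error_description", [""])[0],
    }


def explain_adfs_error(error_description):
    """Map the two MSIS codes seen in the post to what to check."""
    if "MSIS9602" in error_description:
        return "resource not registered: check the Relying Party Trust and its identifier"
    if "MSIS9609" in error_description:
        return "redirect_uri does not literally match the value registered for client_id"
    return "unrecognised ADFS error"


def build_token_request_body(client_id, redirect_uri, code):
    """Step 4: form body for POST /adfs/oauth2/token.

    Per the post's finding, ADFS 3.0 answers MSIS9609 when redirect_uri is
    percent-encoded, so that one field is sent raw; client_id and code are
    encoded normally.
    """
    return "&".join([
        "grant_type=authorization_code",
        "client_id=" + quote(client_id, safe=""),
        "redirect_uri=" + redirect_uri,        # deliberately NOT encoded
        "code=" + quote(code, safe=""),
    ])


def _b64url_decode(segment):
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_header(access_token):
    """Step 5: read the JWS header of the access_token (no signature check).

    'alg' is the signature algorithm and 'x5t' the SHA-1 thumbprint of the
    ADFS token-signing certificate; a resource server must verify the
    signature with that certificate before trusting any claim in the token.
    """
    header_segment = access_token.split(".")[0]
    return json.loads(_b64url_decode(header_segment))


if __name__ == "__main__":
    # Constructed walkthrough: a made-up code plus the post's real JWT header.
    print(build_authorize_url(ADFS_HOST, CLIENT_ID, RESOURCE, REDIRECT_URI))
    ok = parse_callback(REDIRECT_URI + "?code=sample.code-value_only")
    print(build_token_request_body(CLIENT_ID, REDIRECT_URI, ok["code"]))
    bad = parse_callback(REDIRECT_URI + "?error=invalid_resource&error_description="
                         "MSIS9602%3a+The+received+%27resource%27+parameter+is+invalid.")
    print(explain_adfs_error(bad["error_description"]))
    header = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjBzTVZIOXlVdFlyaFhCd0hOcTdRejZrRm5XZyJ9"
    print(decode_jwt_header(header + ".payload.signature"))
```

Running the block prints the exact authorize URL from step 2, so the encoding rules match what ADFS accepted. `decode_jwt_header` only parses: the `x5t` value it returns is the thumbprint of the certificate that ADFS used to sign the token, and a resource server should fetch that certificate from the ADFS federation metadata and verify the RS256 signature, then check the audience and expiry, before acting on any claim.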
