django-auth-adfs: MSIS9321: Received invalid OAuth request.

I am using a Windows Server 2016 virtual machine to test the integration and I have successfully tested that the ADFS works via https://[MY-ADFDS]/adfs/ls/IdpInitiatedSignon.aspx signon test page. This is a portion that pertains to Django-ADFS in my settings.py file:

```python
AUTH_ADFS = {
    "SERVER": "[MY-ADFS]",
    "CLIENT_ID": "django_website.adfs.client_id",
    "RESOURCE": "django_website.adfs.identifier",
    "AUDIENCE": "microsoft:identityserver:django_website.adfs.identifier",
    "ISSUER": "http://[MY-ADFS]/adfs/services/trust",
    "CA_BUNDLE": False,
    "CLAIM_MAPPING": {"first_name": "given_name", "last_name": "family_name", "email": "email"},
    "USERNAME_CLAIM": "winaccountname",
    "GROUP_CLAIM": "group",
    "REDIR_URI": "http://[MY-DJANGO-APP]/oauth2/login",
}
```

But still I am getting the following error:

```
Description: Encountered error during federation passive request.

Additional Data

Protocol Name: OAuthAuthorizationProtocol

Relying Party: django_website.adfs.identifier

Exception details: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client ‘django_website.adfs.client_id’ is forbidden to access the resource ‘django_website.adfs.identifier’.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.ValidateCore()
   at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
```

It makes no sense to me since I ensured that the Relying Party Trust has the Permit everyone attribute.

Do you have any suggestions?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 32

Most upvoted comments

That’s an awesome feature!

  1. In the claim editing window, add a claim and choose “Send Group Membership as a Claim”.
  2. Set a name and pick a group the user needs to be a member of.
  3. As the Outgoing Claim type, type something like user_is_staff and set the Outgoing claim value to yes.
  4. In the django settings for django-auth-adfs add a boolean claim mapping like in the docs:

```python
AUTH_ADFS = {
    "BOOLEAN_CLAIM_MAPPING": {"is_staff": "user_is_staff"}
}
```

Oh wait, you mean the ADFS side of things… Yes, that’s a bit more difficult. That feature was a contribution but I never really tried the ADFS config myself 😇 I’ll figure it out and let you know.
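To make the effect of the settings in this thread concrete, here is an added, self-contained Python example; it is not django-auth-adfs's own code. It applies the `CLAIM_MAPPING`, `USERNAME_CLAIM`, `GROUP_CLAIM` and `BOOLEAN_CLAIM_MAPPING` values from this issue to a constructed set of decoded token claims, the way the group-membership claim rule from the steps above would feed the `is_staff` flag. The set of strings treated as true, the plain-dict "user", and the sample claims are assumptions for illustration. The point worth seeing is that `is_staff` is recomputed from the claim on every login and falls back to `False` when the claim is absent, so removing the user from the AD group revokes the flag rather than leaving a stale value behind.

```python
"""Apply django-auth-adfs style claim mappings to decoded token claims (illustrative re-implementation)."""

# Settings as they appear in this issue (CLIENT_ID, RESOURCE etc. omitted; they do not affect mapping).
SETTINGS = {
    "CLAIM_MAPPING": {"first_name": "given_name", "last_name": "family_name", "email": "email"},
    "USERNAME_CLAIM": "winaccountname",
    "GROUP_CLAIM": "group",
    "BOOLEAN_CLAIM_MAPPING": {"is_staff": "user_is_staff"},
}

# Assumption: which outgoing claim values count as "true" for a boolean mapping.
TRUTHY_VALUES = {"y", "yes", "t", "true", "on", "1"}


def apply_claim_mappings(claims, settings=SETTINGS):
    """Build a user record (plain dict here) from already validated token claims.

    `claims` is the decoded JWT payload after signature, issuer and audience
    checks; this function only performs the attribute mapping.
    """
    username = claims.get(settings["USERNAME_CLAIM"])
    if not username:
        # Without the username claim there is no account to map onto: refuse, never guess.
        raise ValueError("token lacks the %r claim" % settings["USERNAME_CLAIM"])

    user = {"username": username}

    # Plain string attributes: copy only claims that are actually present.
    for field, claim_name in settings["CLAIM_MAPPING"].items():
        if claim_name in claims:
            user[field] = claims[claim_name]

    # Boolean flags: derived on every login, defaulting to False when the claim is missing
    # so a dropped group membership (and hence a missing claim) revokes the flag.
    for field, claim_name in settings["BOOLEAN_CLAIM_MAPPING"].items():
        value = claims.get(claim_name)
        user[field] = value is not None and str(value).strip().lower() in TRUTHY_VALUES

    # AD FS emits a single string when the user is in one group and a list otherwise.
    groups = claims.get(settings["GROUP_CLAIM"], [])
    if isinstance(groups, str):
        groups = [groups]
    user["groups"] = list(groups)
    return user


# Constructed sample claims (not real tokens).
STAFF_CLAIMS = {
    "winaccountname": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane.doe@example.invalid",
    "group": ["Domain Users", "Django Admins"],
    "user_is_staff": "yes",  # emitted by the "Send Group Membership as a Claim" rule
}

PLAIN_CLAIMS = {
    "winaccountname": "bsmith",
    "given_name": "Bob",
    "group": "Domain Users",  # single group: string, not list
    # no user_is_staff claim: the user is not in the configured group
}

if __name__ == "__main__":
    for sample in (STAFF_CLAIMS, PLAIN_CLAIMS):
        print(apply_claim_mappings(sample))
```

Running the module prints the two mapped records; the first has `is_staff` set to `True` and both groups, the second has `is_staff` `False`, a single-element group list and no `last_name` key because that claim was never sent.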