
Docs feedback - feature proposal: ADFS oAuth2 Authentication

Problem to solve

Issue identified with the method followed for adfssrv OAuth2 authentication.

Intended users

All corporate users who want to use their in-house identity for authentication by default.

Further details

Below are the logs for the test case using adfssrv OAuth2 authentication, where we were unable to retrieve user profile details under the user info page from adfssrv:

March 25, 2019 20:36: (OAuth) Error saving user (): ["Email can't be blank", "Notification email can't be blank"]

Proposal

As per the Microsoft KB for AD FS, the resource URL must be included in every request sent to the AD FS server:

Link 1: custom-id-tokens-in-ad-fs

Link 2: ad-fs-scenarios-for-developers

Authorization request:

GET https://fs.contoso.com/adfs/oauth2/authorize?

Parameter | Value
--------- | -----
response_type | "code"
resource | RP ID (Identifier) of Web API in application group
client_id | Client Id of the native application in the application group
redirect_uri | Redirect URI of web app (server application) in application group

Token request:

POST https://fs.contoso.com/adfs/oauth2/token

Parameter | Value
--------- | -----
grant_type | "authorization_code"
code | authorization code from 2 above
resource | RP ID (Identifier) of Web API in application group
client_id | Client Id of the web app (server application) in the application group
redirect_uri | Redirect URI of web app (server application) in application group
client_secret | Secret of the web app (server application) in the application group.

Note: The client's credential does not need to be a client_secret. AD FS supports the ability to use certificates or Windows Integrated Authentication as well.

Similarly, when initiating the flow to request user info from AD FS, GitLab must include the resource in the URL.

Permissions and Security

As per the Microsoft KB for AD FS, the resource URL must be included in every request sent to the AD FS server. When a token is retrieved from AD FS with the resource specified, AD FS returns the additional claims defined in the AD FS settings. Requesting the user profile info with the same token, again together with the resource URL, then returns all user profile properties configured as custom claims: properties such as first name, last name, email address and group membership.
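The two requests from the Proposal and the check described above, as an added example (not GitLab's, the omniauth gem's or Microsoft's code): it builds the authorize and token requests with the `resource` parameter, and reads the RelyingParty and OAuthClientId back out of an AD FS AuditBase XML blob (the part of events 1200/1202 shown in the logs below) so you can confirm the token was issued for the requested resource rather than for the default relying party. The AD FS host is the placeholder from the Microsoft example, and the sample audit XML is constructed to mirror the page's event 1200 without `resource`.

```python
# Added example: AD FS OAuth2 requests carrying `resource`, plus a reader for the
# RelyingParty in AD FS audit events. Not GitLab's or Microsoft's code; the host
# and the sample audit XML below are placeholders constructed for this example.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

ADFS = "https://fs.contoso.com/adfs/oauth2"  # placeholder host from the Microsoft KB example
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"  # expanded name of xsi:type

def authorize_url(client_id, redirect_uri, resource, state, scope="openid email"):
    """Authorization request: `resource` is the RP identifier of the Web API."""
    params = {"response_type": "code", "client_id": client_id, "resource": resource,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{ADFS}/authorize?{urlencode(params)}"

def token_request(code, client_id, client_secret, redirect_uri, resource):
    """Token request body: the same `resource` has to be sent again."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "resource": resource}

def request_resource(url):
    """Return the `resource` value carried by an authorize URL, or None if absent."""
    return parse_qs(urlsplit(url).query).get("resource", [None])[0]

def audit_relying_party(audit_xml):
    """(RelyingParty, OAuthClientId) from the AuditBase XML of an AD FS 1200/1202 event."""
    rp = client_id = None
    for comp in ET.fromstring(audit_xml).iter("Component"):
        if comp.get(XSI_TYPE) == "ResourceAuditComponent":
            rp = comp.findtext("RelyingParty")
        elif comp.get(XSI_TYPE) == "ProtocolAuditComponent":
            client_id = comp.findtext("OAuthClientId")
    return rp, client_id

def token_issued_for(audit_xml, expected_resource):
    """True when the event shows the token bound to the resource that was requested."""
    return audit_relying_party(audit_xml)[0] == expected_resource

# Constructed sample shaped like the page's event 1200 issued without `resource`:
# the RelyingParty is AD FS's default userinfo RP, not the GitLab callback URL.
SAMPLE_1200 = """<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>urn:microsoft:userinfo</RelyingParty></Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>df885c03-b3f0-4b08-be4d-43b29db60ae0</OAuthClientId>
      <OAuthGrant>code</OAuthGrant></Component>
  </ContextComponents>
</AuditBase>"""
```

Running `token_issued_for` over the XML of your own event 1200 with the callback URL you passed as `resource` gives a quick yes/no on whether the token request actually carried the resource.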

Documentation

See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html Add all known Documentation Requirements here, per https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements

What does success look like, and how can we measure that?

Tested partial functionality with a minor change in the token request URL by adding resource=(Gitlab Callback URL again); below are the logs collected from the adfssrv server.

Below are the 2 events generated after requesting a token without specifying resource in the URL:

Note the RelyingParty under event IDs 1202 and 1200 respectively.

https://adfssrv.domain.com/adfs/oauth2/authorize/?client_id=df885c03-b3f0-4b08-be4d-43b29db60ae0&redirect_uri=http%3A%2F%2F10.1xx.2x.1x%2Fusers%2Fauth%2Foauth2_generic%2Fcallback&response_type=code&scope=openid+email+group&state=e8e2cff88df4ccdc94d519cc32950b63525c18f0e4986ddf&client-request-id=9a2c1654-43f8-4d0d-d305-0080000000bd&pullStatus=0

Log Name:      Security
Source:        AD FS Auditing
Date:          3/25/2019 9:54:52 PM
Event ID:      1202
Task Category: (3)
Level:         Information
Keywords:      Classic,Audit Success
User:          domain\adfssrvgmsa$
Computer:      domaincontroller.domain.COM
Description:
The Federation Service validated a new credential. See XML for details. 

Activity ID: 53c2335b-a1c8-4608-e507-0080020000cd 

Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>**http://adfssrv.domain.com/adfssrv/services/trust**</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>domain\testuser</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>N/A</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>**http://adfssrv.domain.com/adfssrv/services/trust**</Server>
      <AuthProtocol>OAuth</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>10.1xx.1xx.1xx</IpAddress>
      <ForwardedIpAddress />
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0</UserAgentString>
      <Endpoint>**/adfssrv/oauth2/authorize/**</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">1202</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x80a0000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-25T16:24:52.039036300Z" />
    <EventRecordID>803174</EventRecordID>
    <Channel>Security</Channel>
    <Computer>domaincontroller.domain.COM</Computer>
    <Security UserID="S-1-5-21-3634922323-348003478-4011813920-1112" />
  </System>
  <EventData>
    <Data>53c2335b-a1c8-4608-e507-0080020000cd</Data>
    <Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;


============================================================

Log Name:      Security
Source:        AD FS Auditing
Date:          3/25/2019 9:54:52 PM
Event ID:      1200
Task Category: (3)
Level:         Information
Keywords:      Classic,Audit Success
User:          domain\adfssrvgmsa$
Computer:      domaincontroller.domain.COM
Description:
The Federation Service issued a valid token. See XML for details. 

Activity ID: 53c2335b-a1c8-4608-e507-0080020000cd 

Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>**urn:microsoft:userinfo**</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>domain\testuser</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>TokenUnbound</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>**df885c03-b3f0-4b08-be4d-43b29db60ae0**</OAuthClientId>
      <OAuthGrant>code</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>**http://adfssrv.domain.com/adfssrv/services/trust**</Server>
      <AuthProtocol>OAuth</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>10.1xx.1xx.1xx</IpAddress>
      <ForwardedIpAddress />
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0</UserAgentString>
      <Endpoint>/adfssrv/oauth2/authorize/</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">1200</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x80a0000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-25T16:24:52.117151500Z" />
    <EventRecordID>803179</EventRecordID>
    <Channel>Security</Channel>
    <Computer>domaincontroller.domain.COM</Computer>
    <Security UserID="S-1-5-21-3634922323-348003478-4011813920-1112" />
  </System>
  <EventData>
    <Data>53c2335b-a1c8-4608-e507-0080020000cd</Data>
    <Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;

==================================================================

Similar testing was performed with resource added to the request URL; now RelyingParty has the actual resource entry.

https://adfssrv.domain.com/adfs/oauth2/authorize/?client_id=df885c03-b3f0-4b08-be4d-43b29db60ae0&resource=http%3A%2F%2F10.1xx.2x.1x%2Fusers%2Fauth%2Foauth2_generic%2Fcallback&redirect_uri=http%3A%2F%2F10.1xx.2x.1x%2Fusers%2Fauth%2Foauth2_generic%2Fcallback&response_type=code&scope=openid+email+group&state=e8e2cff88df4ccdc94d519cc32950b63525c18f0e4986ddf&client-request-id=9a2c1654-43f8-4d0d-d305-0080000000bd&pullStatus=0

Log Name:      Security
Source:        AD FS Auditing
Date:          3/25/2019 9:57:32 PM
Event ID:      1202
Task Category: (3)
Level:         Information
Keywords:      Classic,Audit Success
User:          domain\adfssrvgmsa$
Computer:      domaincontroller.domain.COM
Description:
The Federation Service validated a new credential. See XML for details. 

Activity ID: c8eed3a4-8974-4495-ef07-0080020000cd 

Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>**http://10.1xx.2x.1x/users/auth/oauth2_generic/callback**</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>domain\testuser</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>N/A</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>http://adfssrv.domain.com/adfssrv/services/trust</Server>
      <AuthProtocol>OAuth</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>10.1xx.1xx.1xx</IpAddress>
      <ForwardedIpAddress />
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0</UserAgentString>
      <Endpoint>**/adfssrv/oauth2/authorize/**</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">1202</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x80a0000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-25T16:27:32.935833200Z" />
    <EventRecordID>803188</EventRecordID>
    <Channel>Security</Channel>
    <Computer>domaincontroller.domain.COM</Computer>
    <Security UserID="S-1-5-21-3634922323-348003478-4011813920-1112" />
  </System>
  <EventData>
    <Data>c8eed3a4-8974-4495-ef07-0080020000cd</Data>
    <Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;

====================================================

Log Name:      Security
Source:        AD FS Auditing
Date:          3/25/2019 9:57:33 PM
Event ID:      1200
Task Category: (3)
Level:         Information
Keywords:      Classic,Audit Success
User:          domain\adfssrvgmsa$
Computer:      domaincontroller.domain.COM
Description:
The Federation Service issued a valid token. See XML for details. 

Activity ID: c8eed3a4-8974-4495-ef07-0080020000cd 

Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>**http://10.1xx.2x.1x/users/auth/oauth2_generic/callback**</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>domain\testuser</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>TokenUnbound</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>**df885c03-b3f0-4b08-be4d-43b29db60ae0**</OAuthClientId>
      <OAuthGrant>code</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>**http://adfssrv.domain.com/adfssrv/services/trust**</Server>
      <AuthProtocol>OAuth</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>10.1xx.1xx.1xx</IpAddress>
      <ForwardedIpAddress />
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0</UserAgentString>
      <Endpoint>**/adfssrv/oauth2/authorize/**</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">1200</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x80a0000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-25T16:27:33.013934500Z" />
    <EventRecordID>803193</EventRecordID>
    <Channel>Security</Channel>
    <Computer>domaincontroller.domain.COM</Computer>
    <Security UserID="S-1-5-21-3634922323-348003478-4011813920-1112" />
  </System>
  <EventData>
    <Data>c8eed3a4-8974-4495-ef07-0080020000cd</Data>
    <Data>&lt;?xml version="1.0" encoding="utf-16"?&gt;

Links / references

custom-id-tokens-in-ad-fs

ad-fs-scenarios-for-developers