Implementing a client credential flow in ADFS 4.0

Rory Braybrook
The new control plane
Jul 8, 2019

I needed to do this recently and I couldn’t find a sample anywhere, so I wrote this up.

There is a sample for building a server side application using OAuth confidential clients with AD FS 2016 or later.

The required ADFS configuration is covered in this sample.

Mine looked like:

I also had a custom claims rule to issue everything:

c:[]
=> issue(claim = c);

Note that there is a section on “Upgrade the database”. My VS2017 project worked out of the box without having to do any of this.

This shows the changes needed to an Azure AD sample to work with ADFS. But it’s for a confidential client and it doesn’t have anything about calling an API.

So I used this Azure AD sample for calling a Web API in a daemon app or long-running process. I then applied the changes as per the above OAuth confidential clients sample.

The gist of all the changes is here.

The changes are marked with:

// Changed

A daemon application has no user context. Everything runs in the context of the application itself, which is exactly the use case for a client credential flow.

You will see I commented out all the claims stuff. This is because the claims rules in ADFS run off a primary key of sAMAccountName. But when you have no user context, this is meaningless.
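
The same flow at the protocol level, as an added Python example that is not part of the original sample or the gist: the daemon's token request carries only the client's own credentials, and the API then authorizes on application identity rather than on user claims. The host name, client id, secret and resource URI are placeholders, the token is a constructed, unsigned stand-in, and the `appid` claim name is an assumption about the token contents.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Placeholders, not values from the post: host, client id, secret, resource URI.
TOKEN_ENDPOINT = "https://adfs.example.com/adfs/oauth2/token"

def build_token_request(client_id, client_secret, resource):
    """Form-encoded POST body for the client credentials grant (RFC 6749, 4.4)."""
    return urlencode({
        "grant_type": "client_credentials",  # no user, no redirect, no auth code
        "client_id": client_id,
        "client_secret": client_secret,       # the confidential client's shared secret
        "resource": resource,                 # identifier of the Web API in AD FS
    })

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_token(claims):
    """Constructed, unsigned stand-in for an access token (signature is a dummy)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "c2ln"])

def read_claims(token):
    """Decode the payload only. A real API verifies the signature before this."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def authorize_daemon(claims, audience, allowed_apps, now=None):
    """Authorize on application identity, since the token carries no user."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("appid") not in allowed_apps:  # 'appid' claim name is an assumption
        return False, "unknown application"
    return True, "ok"
```

The allow-list of client ids takes the place of the per-user checks that were commented out in the API.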

Running up the sample and manually running TodoListDaemon gives:

Posting to To Do list at 4/07/2019 8:27:57 AM
Successfully posted new To Do item: Task at time: 4/07/2019 8:27:57 AM

Retrieving To Do list at 4/07/2019 8:27:59 AM
Task at time: 4/07/2019 8:27:57 AM
Total item count: 1

Posting to To Do list at 4/07/2019 8:28:01 AM
Successfully posted new To Do item: Task at time: 4/07/2019 8:28:01 AM

Retrieving To Do list at 4/07/2019 8:28:03 AM
Task at time: 4/07/2019 8:27:57 AM
Task at time: 4/07/2019 8:28:01 AM
Total item count: 2

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5