Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Oauth2 issue with ADFS 4.0 #693

sn00wden opened this issue Aug 16, 2023 · 5 comments

Oauth2 issue with ADFS 4.0 #693

sn00wden opened this issue Aug 16, 2023 · 5 comments


Copy link

I'm using latest STF version.
LDAP works fine, but we need oauth2.
STF starts by system-d units.

Body of stf-auth@.service :

Description=STF OAuth2

ExecStartPre=-/usr/bin/docker kill %p-%i
ExecStartPre=-/usr/bin/docker rm %p-%i
ExecStart=/usr/bin/docker run --rm
--name %p-%i
-v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro
--link rethinkdb-proxy-28015:rethinkdb
-e "OAUTH_CLIENT_ID=client_adfs"
-e "OAUTH_CLIENT_SECRET=secret_adfs"
-e "OAUTH_SCOPE=openid email"
-p %i:3000
stf auth-oauth2 --port 3000
ExecStop=-/usr/bin/docker stop -t 10 %p-%i

In new incognito windows, I try , then get authorize notification, select certificate, write pass, then I'm redirected to***
with error:

InternalOAuthError: Failed to obtain access token
    at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:423:17)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:162:5)
    at ClientRequest.emit (node:events:527:28)
    at TLSSocket.socketErrorListener (node:_http_client:454:9)
    at TLSSocket.emit (node:events:527:28)
    at emitErrorNT (node:internal/streams/destroy:164:8)
    at emitErrorCloseNT (node:internal/streams/destroy:129:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

How can I solve this?

Copy link

@cert-x your configuration seems correct althrough I am not sure your ca-certificates is required (i.e. try to drop it), perhaps your STF server (resource server) is not able to reach the ADFS server (OAuth server) during the token validation step due to a missing firewall rule, you should take a network trace to see exactly what is happened.

Copy link

@denis99999 thank you.
I'm able to reach adfs, then get authorize page, then receive token and get to the callback url page...with this error.
If I do not use ca-sertificates, I get next err:

TokenError: MSIS9612: The authorization code received in 'code' parameter is invalid. 
    at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:373:12)
    at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:420:16)
    at /app/node_modules/passport-oauth2/lib/strategy.js:177:45
    at /app/node_modules/oauth/lib/oauth2.js:191:18
    at passBackControl (/app/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (node:events:539:35)
    at endReadableNT (node:internal/streams/readable:1345:12)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

But googling gives nothing, causer we have 1 node ADFS and SQL Server

Copy link

@cert-x it seems the code returned is invalid, you should request to ADFS support because it does not seem an issue from STF but between your resource server and the oAuth server (i.e. you should take a full network trace to identify that), sorry I am not able to help you anymore on that issue, what I can say is that it works well in my side using either oAuth 2.0 or SAML 2.0 protocols in front of my company Authentication servers.

Copy link

sn00wden commented Sep 8, 2023

@denis99999, hello!
What names of claims should we get from ADFS?

Copy link

@cert-x, I don't really understand your question, I don't know ADFS but what I understand is that ADFS is the authentication server that issued you an Oauth 2.0 partnership for ADFS, so if it does not work with STF, I suggest you contact the ADFS support team to verify your Oauth 2.0 partnership for ADFS and test it using a 3rd party baseline tool, I know some people use Postman for this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

2 participants