3.2.1.2 OAuth 2.0 client

Before initiating any protocol requests to the AD FS server, a client must first be registered with the server as described in [RFC6749] section 2.

The mechanism by which a client is registered with the server is implementation-specific and is not addressed in this protocol.

The following is a potential representation for organizing client registration data. The data is organized as a series of records, each representing a client. The fields of this record are as follows:

  • client_id: A string field that uniquely identifies the client.

  • client_type: Either public or confidential as described in [RFC6749] section 2.1. Confidential clients are required to authenticate to the AD FS server as described in [RFC6749] section 2.3 when making requests to the token endpoint (section 3.2.5.2). Confidential clients are only supported if the ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher.

  • Windows_client_authentication_accounts: A collection of identifiers for any Windows accounts that can be used when authenticating this client via Windows client authentication. Any format that uniquely identifies an account can be used. This field is only applicable if the client_type is confidential.

  • sign_certificates: A list of certificates registered by the client whose corresponding private keys the client will use to sign future requests that use private_key_jwt as the authentication method, as described in [OIDCCore]; the AD FS server uses the public keys in these certificates to verify those signatures. This field is optional and is applicable only if the client_type is confidential.

  • jwks_uri: A URI that hosts a valid JSON Web Key Set (JWK Set) according to the requirements in [RFC7517]. The public keys present in the JWK Set correspond to the private keys the client will use to sign future requests that use private_key_jwt as the authentication method, as described in [OIDCCore]; the AD FS server uses them to verify those signatures. This field is optional and is only applicable if the client_type is confidential. The AD FS server stores only those public keys in the JWK Set that satisfy all of the following requirements. Any key that does not satisfy the requirements is ignored and not stored by the AD FS server.

    • Field kty, as described in [RFC7517], is "RSA".

    • Field use, as described in [RFC7517], is either "sig" or is not present.

    • Either fields x5t and x5c are present, as described in [RFC7517], or fields kid, n, and e are present, as described in [RFC7517].
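The key-selection rules above, applied to a constructed JWK Set, as an added example that is not part of the protocol specification and not AD FS code. The function names (select_signing_keys, key_rejection_reason, key_label), the sample key material and the rejection-reason strings are assumptions made for illustration; the three filter conditions are the ones listed in this section.

```python
import json

# Constructed sample JWK Set (illustrative values, not real key material).
# Keys 1 and 2 satisfy the rules; keys 3, 4 and 5 each violate one of them.
SAMPLE_JWKS = json.loads('''{
  "keys": [
    {"kty": "RSA", "use": "sig", "kid": "rsa-sig-1",
     "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbf", "e": "AQAB"},
    {"kty": "RSA", "x5t": "cert-thumb-1", "x5c": ["MIICxjCCAa6gAwIBAgIQ"]},
    {"kty": "RSA", "use": "enc", "kid": "rsa-enc-1",
     "n": "4f5wg5l2hKsTeNem_V41fGnJm6gOdrj8ym3rFkEU", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "kid": "ec-1", "crv": "P-256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
     "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
    {"kty": "RSA", "kid": "rsa-incomplete",
     "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4"}
  ]
}''')


def key_label(jwk):
    """Human-readable identifier for a key: kid if present, else x5t, else a placeholder."""
    return jwk.get("kid") or jwk.get("x5t") or "<unlabelled>"


def key_rejection_reason(jwk):
    """Return None if the key satisfies all three requirements, else the first rule it fails."""
    # Rule 1: kty must be "RSA".
    if jwk.get("kty") != "RSA":
        return "kty is not RSA"
    # Rule 2: use must be "sig" or absent (an "enc" key must never verify request signatures).
    if "use" in jwk and jwk["use"] != "sig":
        return "use is present and is not 'sig'"
    # Rule 3: either the certificate form (x5t + x5c) or the raw form (kid + n + e).
    has_cert_form = "x5t" in jwk and "x5c" in jwk
    has_raw_form = all(field in jwk for field in ("kid", "n", "e"))
    if not (has_cert_form or has_raw_form):
        return "neither (x5t, x5c) nor (kid, n, e) are present"
    return None


def select_signing_keys(jwks):
    """Split a JWK Set into keys the server would store and keys it would ignore.

    Returns (accepted, rejected) where accepted is a list of JWK dicts and
    rejected is a list of (label, reason) pairs suitable for logging.
    """
    accepted, rejected = [], []
    for jwk in jwks.get("keys", []):
        reason = key_rejection_reason(jwk)
        if reason is None:
            accepted.append(jwk)
        else:
            rejected.append((key_label(jwk), reason))
    return accepted, rejected


if __name__ == "__main__":
    stored, ignored = select_signing_keys(SAMPLE_JWKS)
    print("stored:", [key_label(k) for k in stored])
    for label, reason in ignored:
        print(f"ignored {label}: {reason}")
```

Rejected keys are reported rather than silently dropped: a client whose JWK Set publishes only an EC key, or an RSA key marked use "enc", will fail private_key_jwt authentication later with no obvious cause, so recording why a key was ignored at registration time is the check a practitioner wants.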