Windows AD + OAuth2


Jørn Wildt

May 8, 2014, 4:53:28 AM5/8/14
to api-...@googlegroups.com
Hi

I am starting a project where we need to create an OAuth2 bearer token for a Windows AD authenticated user. Does anyone know of any prior work in this area?

Scenario:

- Our REST service exposes a "document" resource which is protected.

- One way to gain access to the resource is to supply a bearer token in the HTTP Authorization header.

- The bearer token can be requested from an OAuth2 service which takes username/password and returns the token (exactly as described in "Resource Owner Password Credentials Grant" http://tools.ietf.org/html/rfc6749#section-4.3).

- Now we need the OAuth2 service to be able to detect the current user by its Windows Domain/AD information in addition to the existing username/password scenario.

- I expect to do this by having the IIS setup to recognize the AD user and read that in the service.

Questions:

- Is anyone aware of an existing standard OAuth2 authorization flow for this purpose?

- Does the IIS/AD authorization imply any kind of performance overhead? I remember something about the protocol being based on some kind of two-step challenge response mechanism.

Thanks, Jørn

Pedro Santos

May 8, 2014, 7:15:01 AM5/8/14
to api-...@googlegroups.com
Hi Jørn,

If I understand your scenario correctly, I think the authorization flow you need to use is the Authorization Code Grant or Implicit Grant, where in the step where you are supposed to ask the user for their password you use Kerberos authentication instead (if the browser doesn't submit the token you can always fall back to a form for username/password submission).

If the user has already been authenticated in the domain then the browser should submit the Kerberos ticket, which you would then have to validate against the AD.

Once the Kerberos ticket is validated you can obtain user info and generate the required bearer token.

Unfortunately I don't know much about IIS, but I guess you probably have a way to have it do the Kerberos ticket validation instead of having to validate it yourself against the AD.


Cheers,
Pedro
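The flow Pedro describes, written out as an added example that is not from this thread or any real product: an authorization endpoint that challenges for a Kerberos ticket (the 401 challenge followed by a retry is the two-step exchange Jørn asked about), falls back to a password form when no ticket arrives, and issues a single-use authorization code bound to the client and redirect URI before exchanging it for a bearer token. The ticket validator, the realm name and the registered client are constructed stand-ins; in IIS the validation would be done by the server before your code runs.

```python
import base64, secrets, time
from dataclasses import dataclass, field

# Constructed demo data: one registered client; the realm name is an assumption.
REGISTERED_CLIENTS = {"docs-spa": {"https://docs.example/cb"}}

def demo_validate_ticket(spnego_token: bytes):
    """Stand-in for the ticket validation IIS/SSPI would perform (assumed hook, not
    real Kerberos): accepts a constructed token b"demo-ticket:<user>" and returns the principal."""
    if spnego_token.startswith(b"demo-ticket:"):
        return spnego_token[len(b"demo-ticket:"):].decode() + "@CORP.EXAMPLE"
    return None

def negotiate_header(spnego_token: bytes) -> dict:
    """The header a domain-joined browser sends when it retries after the 401 challenge."""
    return {"Authorization": "Negotiate " + base64.b64encode(spnego_token).decode()}

@dataclass
class AuthzServer:
    validate_ticket: object = demo_validate_ticket
    codes: dict = field(default_factory=dict)   # code -> binding record, single use
    tokens: dict = field(default_factory=dict)  # bearer token -> principal

    def authorize(self, query: dict, headers: dict):
        """Authorization endpoint (RFC 6749 section 4.1.1): try Kerberos before the form."""
        client_id, redirect_uri = query.get("client_id"), query.get("redirect_uri")
        if redirect_uri not in REGISTERED_CLIENTS.get(client_id, ()):
            return 400, {}, "invalid client_id/redirect_uri"  # never redirect to an unregistered URI
        authz, principal = headers.get("Authorization", ""), None
        if authz.startswith("Negotiate "):
            principal = self.validate_ticket(base64.b64decode(authz[len("Negotiate "):]))
        if principal is None:
            # Challenge half of the two-round-trip Negotiate handshake: a domain-joined browser
            # retries with a ticket; any other browser just renders the password form instead.
            return 401, {"WWW-Authenticate": "Negotiate"}, "<form>username/password fallback</form>"
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"sub": principal, "client_id": client_id,
                            "redirect_uri": redirect_uri, "exp": time.time() + 60}
        return 302, {"Location": f"{redirect_uri}?code={code}&state={query.get('state', '')}"}, ""

    def token(self, form: dict):
        """Token endpoint (section 4.1.3): swap the code for a bearer token after checking its binding."""
        entry = self.codes.pop(form.get("code"), None)  # pop: a replayed code is rejected
        if (entry is None or entry["exp"] < time.time()
                or entry["client_id"] != form.get("client_id")
                or entry["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry["sub"]  # resource server resolves the user from this
        return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}
```

A confidential client would additionally authenticate to the token endpoint (client secret or certificate), and the password-form fallback would feed its own login handler; both are omitted here.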

Jørn Wildt

May 12, 2014, 9:21:52 AM5/12/14
to api-...@googlegroups.com
Yes, thanks, that's the kind of thing I was looking for. Turns out Google has a nice client developer introduction to the flow https://developers.google.com/accounts/docs/OAuth2UserAgent :-)

/Jørn


--
You received this message because you are subscribed to the Google Groups "API Craft" group.
Visit this group at http://groups.google.com/group/api-craft.