Based on the problems described in #207, I would like to discuss an extension to provide compatibility with MS ADFS services. I would like to avoid additional identity brokers just for compatibility reasons.
It is possible to retrieve the required information by decoding the OAuth2 credentials that are already present in the authentication token. It is possible by including the required email attribute in the access token and skipping the user information service call altogether.
There are several ways in which this can be achieved. One way is to make the URL of the user profile optional and read the access token if the URL is not specified. This makes sense in order to preserve compatibility. On the other hand, relying on the access token and skipping the user profile call ought to be an option for any identity provider mechanism.
I have implemented the change locally, and it works this way. I am able to use ADFS to provide the email attribute using claim-based rules that also optionally skip specifying the "email" scope. Let me know if the code snippet might be helpful.
I am looking forward to having these changes implemented.
Kind regards,
Ingo
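The issue proposes reading the email claim straight out of the access token instead of calling the user-info endpoint. The check a relying party must not skip when it does that is token validation: the signature, issuer, audience and expiry have to be verified before any claim is trusted, because an attacker who can hand the application an unsigned or re-signed token would otherwise pick their own email address. The following Go program is an added example, not code from the issue or from the project discussed there. It assumes the access token is an RS256-signed JWT carrying an `email` claim (as the ADFS issuance rule in the post provides), uses a locally generated RSA key pair in place of the provider's published signing key, and the issuer URL, client id and email address are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of access-token claims the relying party needs (claim names assumed).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signJWT stands in for the identity provider: it mints an RS256-signed JWT carrying the email claim.
func signJWT(key *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// EmailFromAccessToken is the relying-party side: it replaces the user-info call by reading
// the email claim from the token, but only after signature, issuer, audience and expiry pass.
func EmailFromAccessToken(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token: expected three segments")
	}
	// Pin the algorithm: a header claiming "none" or an HMAC alg is rejected before anything else.
	var header struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &header); err != nil {
		return "", err
	}
	if header.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", header.Alg)
	}
	// Verify the signature over header.payload before looking at any claim.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return "", err
	}
	switch {
	case c.Iss != issuer:
		return "", fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return "", fmt.Errorf("token not issued for this client (aud %q)", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return "", errors.New("token expired")
	case c.Email == "":
		return "", errors.New("email claim missing: the issuance rule did not add it")
	}
	return c.Email, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP key normally fetched from its metadata/JWKS
	if err != nil {
		panic(err)
	}
	iss, aud, now := "https://adfs.example.test/adfs", "my-client-id", time.Now()
	token, _ := signJWT(key, Claims{Iss: iss, Aud: aud, Exp: now.Add(time.Hour).Unix(), Email: "ingo@example.test"})
	fmt.Println(EmailFromAccessToken(token, &key.PublicKey, iss, aud, now))
}
```

In a real deployment the public key is taken from the provider's published metadata rather than generated locally, and the audience check is what keeps a token minted for some other application from being replayed against this one; the example keeps the algorithm pinned to RS256 so that a token advertising `alg: none` or an HMAC algorithm is rejected before its claims are read.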