3.2.5.1.1.3 Processing Details

The steps performed by the AD FS server to respond to an authorization code request are defined in [RFC6749] section 4.1.2 (Authorization Response).

The following additional processing steps are expected as a result of the extensions included in this document:

  • If the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_1, the AD FS server MUST validate that the resource query parameter was specified by the OAuth 2.0 client.

  • If the OAuth 2.0 client specified the resource query parameter, the AD FS server MUST validate that the resource query parameter specified by the OAuth 2.0 client matches a resource or relying party registered with the AD FS server.

  • If the resource query parameter is invalid or not found to be registered on the AD FS server, the AD FS server must respond to the OAuth 2.0 client as per the requirements of [RFC6749] section 4.1.2.1 (Error Response). The REQUIRED error parameter of the response MUST be set to the invalid_resource error code as defined in section 2.2.4.1.

  • If the OAuth 2.0 client specified the resource_params query parameter, the AD FS server MUST base64 URL decode the value of this query parameter, treating padding characters as optional, and convert it to a JSON object for further processing (that is, parse the string value of the query parameter and convert it to a JSON object).

    • If the OAuth 2.0 client specified an authentication method URI as part of the acr element of the resource_params query parameter and if the authentication method is valid, the AD FS server MUST use that authentication method when authenticating the user.

    • If the authentication method specified as part of the acr element is invalid or not supported by the AD FS server, the AD FS server MUST respond to the OAuth 2.0 client according to the requirements of [RFC6749] section 4.1.2.1. The REQUIRED error parameter of the response MUST be set to the invalid_request error code as defined in [RFC6749] section 4.1.2.1. This error code is also returned if the value of the resource_params query parameter is invalid (that is, if it cannot be base64 URL decoded or is an invalid JSON-formatted string).

  • If the OAuth 2.0 client specified the amr_values query parameter and did not specify the resource_params query parameter:

    • If the OAuth 2.0 client specified an authentication method that is valid, the AD FS server MUST use that authentication method when authenticating the user.

    • If the authentication method that was specified is invalid or not supported by the AD FS server, the AD FS server MUST respond to the OAuth 2.0 client according to the requirements of [RFC6749] section 4.1.2.1. The REQUIRED error parameter of the response MUST be set to the invalid_request error code as defined in [RFC6749] section 4.1.2.1.

  • If the OAuth 2.0 client specified the login_hint query parameter, the AD FS server SHOULD use the value of the login_hint query parameter as a hint about the login identifier the end user might use to log in.

  • If the OAuth 2.0 client specified either the client-request-id query parameter or the client-request-id HTTP header in the access token request, the AD FS server MUST use the request identifier specified in the request when logging errors or failures that occur while processing that authorization request.

  • If the OAuth 2.0 client specifies both the client-request-id query parameter as well as the client-request-id HTTP header, the AD FS server MUST use the value specified in the query parameter when logging errors or failures that occur while processing that authorization request and ignore the value specified in the HTTP header.

  • If the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher and the OAuth 2.0 client specified the nonce query parameter, the AD FS server includes the provided nonce value in any ID tokens issued for this request as described in [OIDCCore] section 3.1.2.1.

  • If the prompt query parameter is supported and the OAuth 2.0 client provided a value of "none" or "login" for the prompt query parameter, the AD FS server follows the behavior described for the prompt parameter in [OIDCCore] section 3.1.2.1.

    Note: Support for the prompt parameter depends on the AD FS server's ad_fs_behavior_level and the product version. See section 2.2.2 for support information.

  • If the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher and the OAuth 2.0 client specified the max_age query parameter, the AD FS server follows the processing rules for the max_age parameter described in [OIDCCore] section 3.1.2.1.

  • If the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_2 or higher and the OAuth 2.0 client specified the id_token_hint query parameter, the AD FS server follows the processing rules for the id_token_hint parameter described in [OIDCCore] section 3.1.2.1.

  • If the AD FS server's ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_3 or higher and the OAuth 2.0 client included the mfa_max_age query parameter, the AD FS server calculates, in an implementation-specific manner, the time that has elapsed since the end user last performed multiple factor authentication. If this time cannot be calculated, or if the elapsed time is greater than the calculated value, AD FS MUST attempt to actively perform multiple factor authentication of the end user. If multiple factor authentication succeeds, the mfa_auth_time claim is added to the ID token. This claim represents the time when the end user last performed multiple factor authentication. Its value is a JSON number representing the number of seconds from January 1, 1970, 00:00:00 (UTC) until the current date/time.
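As an added illustration (not code from [MS-OAPX] or from AD FS), the following Python sketch applies the checks above to a constructed authorization request: resource validation, base64 URL decoding of resource_params with optional padding, acr and amr_values method validation, client-request-id precedence, and the mfa_max_age comparison. The resource registry, the {"acr": {"values": [...]}} shape, a space-separated amr_values, the seconds_since_mfa input, and treating a missing resource at behavior level 1 as invalid_resource are all assumptions.

```python
import base64
import json

# Constructed registry and method list (assumptions; AD FS reads these from its own configuration).
REGISTERED_RESOURCES = {"urn:example:api", "https://app.example.com/"}
PWD_METHOD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SUPPORTED_AUTH_METHODS = {PWD_METHOD, "http://schemas.microsoft.com/claims/multipleauthn"}

def encode_resource_params(obj):
    """Client side: JSON -> base64url without padding, the form a client puts in the query."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def decode_resource_params(value):
    """Base64url-decode with optional padding, then parse a JSON object; ValueError on failure."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise ValueError("resource_params is not base64url-encoded JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("resource_params must decode to a JSON object")
    return obj

def process_authorization_request(query, headers, behavior_level, seconds_since_mfa=None):
    """Return ("error", code) at the first failed check, else ("ok", decisions)."""
    resource = query.get("resource")
    # Level 1 requires resource; any resource given must be registered. Treating a missing
    # resource at level 1 as invalid_resource is an assumption (the page names no other code).
    if (behavior_level == 1 and resource is None) or (
            resource is not None and resource not in REGISTERED_RESOURCES):
        return ("error", "invalid_resource")
    if "resource_params" in query:
        try:
            acr = decode_resource_params(query["resource_params"]).get("acr")
        except ValueError:  # undecodable or non-JSON value
            return ("error", "invalid_request")
        if isinstance(acr, dict):  # assumes the {"acr": {"values": [...]}} shape
            acr = acr.get("values", [])
        methods = [acr] if isinstance(acr, str) else list(acr or [])
    else:  # amr_values is honoured only when resource_params is absent
        methods = query.get("amr_values", "").split()
    if any(m not in SUPPORTED_AUTH_METHODS for m in methods):
        return ("error", "invalid_request")
    decisions = {"auth_method": methods[0] if methods else None,
                 # the query parameter wins over the HTTP header for client-request-id
                 "request_id": query.get("client-request-id", headers.get("client-request-id"))}
    if behavior_level >= 3 and "mfa_max_age" in query:
        # Unknown or stale last MFA (older than mfa_max_age seconds) forces fresh MFA.
        decisions["force_mfa"] = seconds_since_mfa is None or seconds_since_mfa > int(query["mfa_max_age"])
    return ("ok", decisions)
```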