MSIS9321: Received invalid OAuth request.

I am using a Windows Server 2016 virtual machine to test the integration and I have successfully tested that the ADFS works via https://[MY-ADFDS]/adfs/ls/IdpInitiatedSignon.aspx signon test page. This is a portion that pertains to Django-ADFS in my settings.py file:

AUTH_ADFS = {
    "SERVER": "[MY-ADFS]",
    "CLIENT_ID": "django_website.adfs.client_id",
    "RESOURCE": "django_website.adfs.identifier",
    "AUDIENCE": "microsoft:identityserver:django_website.adfs.identifier",
    "ISSUER": "http://[MY-ADFS]/adfs/services/trust",
    "CA_BUNDLE": False,
    "CLAIM_MAPPING": {"first_name": "given_name", "last_name": "family_name", "email": "email"},
    "USERNAME_CLAIM": "winaccountname",
    "GROUP_CLAIM": "group",
    "REDIR_URI": "http://[MY-DJANGO-APP]/oauth2/login",
}

But still I am getting the following error:

Description: Encountered error during federation passive request.

Additional Data

Protocol Name: OAuthAuthorizationProtocol

Relying Party: django_website.adfs.identifier

Exception details: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client ‘django_website.adfs.client_id’ is forbidden to access the resource ‘django_website.adfs.identifier’.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.ValidateCore()
   at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

It makes no sense to me, since I ensured that the Relying Party Trust has the Permit everyone attribute.

Do you have any suggestions?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 32

Top GitHub Comments

2 reactions
alejandroleonbauzo commented, Jun 12, 2018

That’s an awesome feature!

1 reaction
jobec commented, Apr 24, 2018
  1. In the claim editing window, add a claim and choose “Send Group Membership as a Claim”.
  2. Set a name and pick a group the user needs to be a member of.
  3. As the Outgoing Claim type, type something like user_is_staff and set the Outgoing claim value to yes.
  4. In the Django settings for django-auth-adfs, add a boolean claim mapping like in the docs:
AUTH_ADFS = {
    "BOOLEAN_CLAIM_MAPPING": {"is_staff": "user_is_staff"}
}
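
The effect of the mapping described in the comment above, as an added example that is not part of the original thread and is not django-auth-adfs's own code: a simplified sketch of turning a user_is_staff claim into the is_staff flag, clearing the flag when the claim is missing. The function name apply_claims, the TRUTHY set and the sample tokens are assumptions made for this illustration.

```python
# Added illustration; not django-auth-adfs source code.
from types import SimpleNamespace

# Assumption: strings treated as "true" for a boolean claim.
TRUTHY = {"y", "yes", "t", "true", "on", "1"}

# Mappings in the shape used by AUTH_ADFS on this page.
CLAIM_MAPPING = {"first_name": "given_name", "last_name": "family_name",
                 "email": "email"}
BOOLEAN_CLAIM_MAPPING = {"is_staff": "user_is_staff"}


def apply_claims(user, claims, claim_mapping=CLAIM_MAPPING,
                 boolean_mapping=BOOLEAN_CLAIM_MAPPING):
    """Copy token claims onto a user object; return the flags that changed."""
    for field, claim in claim_mapping.items():
        if claim in claims:
            setattr(user, field, claims[claim])
    changed = {}
    for flag, claim in boolean_mapping.items():
        # Fail closed: a missing or unrecognised claim clears the flag, so
        # removing the user from the AD group revokes it at the next login.
        value = claims.get(claim)
        # A claim with several values arrives as a list; any truthy entry counts.
        values = value if isinstance(value, list) else [value]
        new = any(str(v).strip().lower() in TRUTHY
                  for v in values if v is not None)
        if getattr(user, flag, False) != new:
            changed[flag] = new
        setattr(user, flag, new)
    return changed


# Constructed claim sets standing in for decoded AD FS access tokens.
STAFF_TOKEN = {"winaccountname": "jdoe", "given_name": "Jane",
               "family_name": "Doe", "email": "jdoe@example.test",
               "user_is_staff": "yes"}
NON_STAFF_TOKEN = {"winaccountname": "jdoe", "given_name": "Jane",
                   "family_name": "Doe", "email": "jdoe@example.test"}

if __name__ == "__main__":
    user = SimpleNamespace(username="jdoe", is_staff=False)
    print(apply_claims(user, STAFF_TOKEN))      # group member: flag set
    print(apply_claims(user, NON_STAFF_TOKEN))  # claim absent: flag cleared
```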