Bug in ADFS. OAuth access token can be requested in UTC time zone only

9 September 2013

3 comments

My friend Assaf Israel showed me a bug in the new ADFS version in Windows Server 2012 Preview.

When a client calls the ADFS endpoint /oauth/authorize to get an authorization token, the server calls the method BeginAdd in the class Microsoft.IdentityServer.Server.ArtifactResolutionService.ArtifactService to create an artifact holding the authorization token and store it in the database.
The server sets the expiration date to UTC time + 5 minutes:

    if (DateTime.Compare(artifact.Expire, DateTime.MinValue) == 0)
        artifact.Expire = DateTime.UtcNow.AddSeconds((double)this.artifactService.LifetimeInSeconds);

When the client then calls /oauth/authorize to get an OAuth Access Token, the server loads the record (with the authorization token) from the database and checks whether it is still valid. The problem is that the code compares the artifact's UTC expiry against the server's local time (DateTime.Now), not against UTC time (DateTime.UtcNow).

The code in the method FetchArtifactFromLocalDatabase in the class Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OauthTokenProtocolHandler:

    if (artifact == null || DateTime.Compare(artifact.Expire, DateTime.Now) < 0)

In time zones such as Israel (GMT+2) the local clock is already more than 5 minutes past the UTC expiry, so this check will always fail.
In time zones such as the US West Coast (GMT-8) the local clock is behind UTC, so this check will succeed.
So anywhere east of England you must run the server in UTC time to get an access token from ADFS!!!
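The following is an added example, not ADFS code: it simulates the UTC expiry stamp from BeginAdd and the local-time check from FetchArtifactFromLocalDatabase side by side, using constructed fixed-offset zones so the result does not depend on the machine it runs on. The artifact, instant and zone names are all made up for the demonstration.

```csharp
using System;

// Added example (not ADFS code): reproduces the local-vs-UTC expiry check described above.
class ArtifactExpiryDemo
{
    const int LifetimeInSeconds = 300; // the post states a 5 minute artifact lifetime

    // Mirrors BeginAdd: the expiry is stamped from DateTime.UtcNow.
    static DateTime IssueExpiry(DateTime utcNow) => utcNow.AddSeconds(LifetimeInSeconds);

    // Mirrors the buggy check: a UTC stamp compared with the server's local clock.
    // DateTime.Compare only looks at Ticks, so the Kind mismatch is never flagged.
    static bool IsValidBuggy(DateTime expireUtc, DateTime localNow) =>
        DateTime.Compare(expireUtc, localNow) >= 0;

    // Corrected check: both sides are UTC, so the zone of the server does not matter.
    static bool IsValidFixed(DateTime expireUtc, DateTime utcNow) =>
        DateTime.Compare(expireUtc, utcNow) >= 0;

    static void Main()
    {
        // Constructed instant at which the token request is validated, 1 minute after issue.
        DateTime issuedUtc = new DateTime(2013, 9, 9, 12, 0, 0, DateTimeKind.Utc);
        DateTime expire = IssueExpiry(issuedUtc);
        DateTime checkUtc = issuedUtc.AddMinutes(1);

        // Simulated server clocks; custom zones avoid platform-specific zone IDs.
        var zones = new[] { ("Israel (UTC+2)", 2), ("London (UTC+0)", 0), ("US West Coast (UTC-8)", -8) };
        foreach (var (name, offsetHours) in zones)
        {
            var tz = TimeZoneInfo.CreateCustomTimeZone(name, TimeSpan.FromHours(offsetHours), name, name);
            // What DateTime.Now would return on a server in that zone at the same instant.
            DateTime localNow = TimeZoneInfo.ConvertTimeFromUtc(checkUtc, tz);
            Console.WriteLine($"{name,-24} buggy check: {IsValidBuggy(expire, localNow),-5} fixed check: {IsValidFixed(expire, checkUtc)}");
        }

        // The fixed check still rejects a genuinely expired artifact.
        Console.WriteLine($"10 min later, fixed check: {IsValidFixed(expire, issuedUtc.AddMinutes(10))}");
    }
}
```

Run with any .NET SDK that supports C# 7 tuples. The buggy check reports false only for the UTC+2 zone, true for UTC+0 and UTC-8, while the fixed check reports true for all three and false once the lifetime has really passed. The general lesson is to never mix DateTime.Now with DateTime.UtcNow in a comparison; keep stored timestamps in UTC and compare with DateTime.UtcNow, or carry the offset explicitly with DateTimeOffset.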

I reported this bug in Microsoft Connect.

Hope they will fix it.

Manu


  1. Andre, 16 September 2013 at 5:11

    Hi Manu

    After reading your article I assume you managed to get the new oauth2 endpoint in Windows 2012 R2 to work.

    I tried to register an MVC site by using the Add-AdfsClient command, but I can't find any documentation about how to call the /adfs/oauth2/authorize endpoint.
    Do you have an example?

    Kind Regards
    Andre, andre.hirter@akros.ch

    Reply
  2. Manu Cohen-Yashar, 16 September 2013 at 15:12

    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

    // Acquires an OAuth access token from the ADFS 2012 R2 endpoint via ADAL.
    // Arguments: resource URI, client id registered with Add-AdfsClient, redirect URI.
    static string GetAccessToken_Simple()
    {
        AuthenticationContext authenticationContext = new AuthenticationContext("https://server2012r2.manu.com/adfs", false);
        AuthenticationResult authResult = authenticationContext.AcquireToken("https://localhost/API/KatanaADFS_WebAPISample",
            "3fb2a37f-4ced-409c-937c-dddd776f4dfd",
            new Uri("ms-app://s-1-15-2-1484466441-3861264668-3662613691-1215714229-3657298605-3378816624-3063619765/"));
        return authResult.AccessToken;
    }

    Reply