We have a Windows 2016 ADFS 4.0 farm (WID database, not SQL Server) hosted in Azure.
We are working with a new OpenID Connect application, and want to use ADFS to authenticate and populate user profiles from AD. The application is using a shared secret for the JWT config.
This was very easy to configure in our Test environment (single node farm).
When we configured the same application server on our production ADFS server, we were initially successful, but after logging in, we started to intermittently get login errors. After you log in to ADFS, you are sent to the callback URL. This redirects you to a login page, and on that page is a modal dialog box with this error message: "Call to IdP failed to get identity"
If we hit refresh a few times, eventually the application lets us in. When we ran a Fiddler trace on the bad connection, we found this error:
{"errorCodeString":"camAuthUnrecoverable",
"messages":[{"messageString":"Call to IdP failed to get identity. Status 400\nError: invalid_grant\nError description: MSIS9612: The authorization code received in 'code' parameter is invalid. "}],
"promptInfo":{"captions":["Call to IdP failed to get identity"]}}
I found errors in ADFS event viewer with this sort of message:
Encountered error during OAuth token request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException:
MSIS9252: The authorization code received is invalid.
No artifact found for the specified authorization code: '//redacted//'.
The cause may be that artifact has timed out, or the authorization code was replayed, or the authorization code is invalid.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext)
In every case we were able to log in after we hit reload a number of times.
When we reduced the number of nodes in the farm to 1, the issue appeared to disappear, and reappeared when we re-added the nodes.
Have others run into this issue when setting up OpenID Connect/OAuth2 apps? How did you resolve this?
While SAML2 artifact resolution is not supported in ADFS 4.0 using WID, there isn't anything saying the same issue applies to OpenID Connect, although it's my only guess as to the issue. Is it worth the expense to convert ADFS to use a SQL Server cluster?
This is a problem if you:
Unlike (most) SAML connections, OIDC retrieves data directly from the IdP.
ADFS + SQL Express only shares configuration between nodes, so if your application tries to retrieve tokens from a different farm node than the one you authenticated to, it will fail.
The quick answer is to switch ADFS from a SQLExpress configuration to a SQL Server implementation. When I did that, OIDC worked consistently.
Documentation for this is hard to come by. My sources have disappeared; I will put my notes online and provide a link to it when I get a chance.
Old links that don't work anymore:
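The following diagnostic is an added example and is not code from either the question or the answer above. It gathers, on one farm node, the three facts the thread turns on: how many nodes the farm has, whether the artifact store sits in WID (local named pipe) or in a shared SQL Server, and how many MSIS9252 "no artifact found for the specified authorization code" failures each node has logged. Assumptions not in the thread: the ADFS PowerShell module is installed on the node, the admin log is named 'AD FS/Admin', WinRM is enabled between the farm nodes, the WID detection is a heuristic match on the `MICROSOFT##WID` pipe name in the connection string, and the 24-hour look-back window is arbitrary.

```powershell
# Added diagnostic script; not part of the original question or answer.
# Assumptions (not from the thread): the ADFS module is present on this node,
# the admin log is 'AD FS/Admin', WinRM is enabled between farm nodes, and the
# 24-hour look-back window is arbitrary. Run from an elevated session on a node.
Import-Module ADFS -ErrorAction Stop

# 1. Farm membership: the symptom in the thread only appeared with more than one node.
$farm  = Get-AdfsFarmInformation
$nodes = @($farm.FarmNodes | ForEach-Object { $_.FQDN })
Write-Output "Farm behavior level : $($farm.CurrentFarmBehavior)"
Write-Output "Farm nodes          : $($nodes -join ', ')"

# 2. Where the artifact store lives. A WID farm points at the local WID named pipe;
#    a SQL Server farm points at a database host that every node shares.
$props = Get-AdfsProperties
Write-Output "Artifact DB         : $($props.ArtifactDbConnection)"
$usesWid = $props.ArtifactDbConnection -match 'MICROSOFT##WID'   # heuristic: WID named-pipe name
if ($usesWid -and $nodes.Count -gt 1) {
    Write-Warning "Multi-node farm with a WID artifact store; the answer above attributes the MSIS9252 failures to this combination."
}

# 3. Count MSIS9252 failures per node over the last 24 hours. Run once from this
#    node; Invoke-Command fans the event query out to every node over WinRM.
$since = (Get-Date).AddHours(-24)
$failures = Invoke-Command -ComputerName $nodes -ArgumentList $since -ScriptBlock {
    param($since)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSIS9252' } |
        Select-Object TimeCreated, Id, Message, @{ n = 'Node'; e = { $env:COMPUTERNAME } }
}

$failures |
    Group-Object Node |
    Sort-Object Name |
    ForEach-Object { Write-Output ("{0,-30} MSIS9252 failures: {1}" -f $_.Name, $_.Count) }

# 4. Show the most recent failure in full so the 'No artifact found' text and the
#    authorization code can be compared against the application's Fiddler trace.
$failures |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1 |
    Format-List TimeCreated, Node, Message
```

If step 2 reports a WID pipe and step 3 shows the failures spread across nodes, that matches the experiment in the question (failures vanish at one node, return at two or more). After moving the configuration and artifact databases to SQL Server, re-run the script: the ArtifactDbConnection should name the SQL host instead of the WID pipe, and the per-node MSIS9252 counts should stop growing.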