active-directory, adfs, adal

Invalid response using ADAL and ADFS


While building a mobile application in Xamarin I ran into an issue with authentication through ADFS. I'm running AD and ADFS on a VPS and I want the mobile app to authenticate through there to access a Web API. I have the Active Directory Authentication Library (ADAL) installed in the app, and it seems to be working fine when I use https://login.windows.net/common as the authority.

But when I try to use my own domain https://www.example.com/adfs as the authority, the ADAL request always returns "The authorization server returned an invalid response."

I tried doing a manual request through my browser like this:

https://www.example.com/adfs/oauth2/authorize?response_type=code&client_id=xxxxxxx&redirect_uri=xxxxxx&resource=xxxxxxxx

This request works fine as it shows me the login page, but after a successful login it redirects to the redirect URI with a general error message. I had to go to the server's ADFS logs to find the following error: "Unsupported token type".

Am I missing something in the ADFS configuration or ADAL implementation?


Solution

  • ADAL uses OAuth, not WS-Fed or SAML.

    ADFS 3.0 has very limited OAuth support; for full support you need ADFS 4.0.

    This article describes what you need to do.

    https://login.windows.net/common is Azure AD and has full support and hence works.

    Note that you need to use PowerShell to configure the RP as per the article.
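The PowerShell configuration the answer refers to, as an added example that is not part of the original answer or of the article it links to: on ADFS 3.0 (Windows Server 2012 R2) the OAuth2 client and the Web API it calls are registered with the ADFS module's Add-AdfsClient and Add-AdfsRelyingPartyTrust cmdlets, since there is no GUI for OAuth clients in that version. All names, the client ID, the redirect URI and the API identifier below are placeholders assumed for the example, not values from the question.

```powershell
# Added example (not from the original page): register an ADAL public client and
# the Web API it targets on ADFS 3.0. Run in an elevated session on the ADFS server.
# Every name/identifier/URI here is an assumed placeholder.

$clientName  = "XamarinMobileApp"                        # assumed display name
$clientId    = [guid]::NewGuid().Guid                    # assumed; ADAL passes this as client_id=
$redirectUri = "https://www.example.com/mobile-callback" # assumed; ADFS matches redirect_uri exactly
$apiName     = "ExampleWebApi"                           # assumed display name
$apiId       = "https://api.example.com/"                # assumed; ADAL passes this as resource=

# 1. Register the mobile app as an OAuth2 client. ADFS 3.0 supports only public
#    clients (no client secret) and only the authorization code grant.
if (-not (Get-AdfsClient -Name $clientName -ErrorAction SilentlyContinue)) {
    Add-AdfsClient -Name $clientName `
                   -ClientId $clientId `
                   -RedirectUri $redirectUri `
                   -Description "Xamarin app using ADAL (added example)"
}

# 2. Register the Web API as a relying party trust. Its identifier must equal the
#    'resource' value the app sends; it becomes the audience of the issued token.
#    Without at least one issuance transform rule ADFS issues no claims, so a
#    pass-through rule for UPN is included.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $apiName -ErrorAction SilentlyContinue)) {
    Add-AdfsRelyingPartyTrust -Name $apiName `
                              -Identifier $apiId `
                              -IssuanceAuthorizationRules $authzRules `
                              -IssuanceTransformRules $transformRules
}

# 3. Verify what ADFS actually stored; these are the values to plug into the
#    app (client_id, redirect_uri) and into the authorize request (resource).
Get-AdfsClient -Name $clientName | Format-List Name, ClientId, RedirectUri
Get-AdfsRelyingPartyTrust -Name $apiName | Format-List Name, Identifier, Enabled
```

With these objects in place, the manual request in the question takes the form `.../adfs/oauth2/authorize?response_type=code&client_id=<ClientId>&redirect_uri=<RedirectUri>&resource=<Identifier>`; a redirect_uri that differs from the registered one in any character, or a resource that matches no relying party identifier, is rejected by ADFS. As the answer notes, anything beyond this (client secrets, refresh-token policy, scopes) needs ADFS 4.0.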