Manual Chapter : About OAuth Client

Applies To:

BIG-IP APM

  • 15.0.1, 15.0.0
About OAuth Client

An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:
Server
Specifies the OAuth server to which this OAuth client directs requests.
Grant Type
Specifies the type of grant that the OAuth client uses.
  • Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
  • Password - The client uses resource owner password credentials to request an access token from the OAuth server.
OpenID Connect
Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code. To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.
OpenID Connect Flow Type
Specifies the OpenID Connect flow type to use: Authorization code or Hybrid.
OpenID Connect Hybrid Response Type
Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token.
Authentication Redirect Request
Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
Token Request
Specifies a token-request type of request.
Refresh Token Request
Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.
OpenID Connect UserInfo Request
Specifies an openid-userinfo-request type of request. Displays when OpenID Connect is set to Enabled. JWT access tokens can be submitted for an OpenID Connect UserInfo request; however, issuing id_tokens alongside an opaque token is not supported.
Redirection URI
Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.
Scope
Specifies one or more strings separated by spaces; for example, contacts photo email. The strings are defined by the OAuth authorization server. The best source of information about the strings that a particular OAuth authorization server defines could be the APIs for OAuth 2.0 scopes on the developer sites of OAuth providers.
For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
Requests are configured in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.
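
The Grant Type, OpenID Connect Hybrid Response Type, Redirection URI and Scope settings described above all become parameters of the authentication redirect request. The following Python code is an added example, not F5 code: it builds that request and validates the redirect back to the client. The function names, the mapping of the hybrid option labels to OpenID Connect response_type values, and fragment-encoded delivery of hybrid responses are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed mapping from the option labels on this page to OIDC response_type values.
HYBRID_RESPONSE_TYPES = {
    "code-idtoken": "code id_token",
    "code-token": "code token",
    "code-idtoken-token": "code id_token token",
}

def build_auth_redirect(authz_endpoint, client_id, redirect_uri, scopes,
                        openid_connect=False, hybrid_type=None):
    """Return (url, state, nonce) for an authorization code or hybrid request."""
    if hybrid_type is not None and not openid_connect:
        raise ValueError("hybrid response types require OpenID Connect")
    response_type = HYBRID_RESPONSE_TYPES[hybrid_type] if hybrid_type else "code"
    scope_list = list(scopes)
    if openid_connect and "openid" not in scope_list:
        scope_list.insert(0, "openid")  # OIDC requests must carry the openid scope
    state = secrets.token_urlsafe(32)   # binds the callback to this request
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),  # space-separated, as in the Scope field
        "state": state,
    }
    # The nonce is echoed inside the id_token so a replayed token can be rejected.
    nonce = secrets.token_urlsafe(32) if openid_connect else None
    if nonce:
        params["nonce"] = nonce
    return authz_endpoint + "?" + urlencode(params), state, nonce

def check_callback(callback_url, expected_state, hybrid_type=None):
    """Validate the redirect back to the client; return the authorization code."""
    parsed = urlparse(callback_url)
    # Assumption: hybrid responses arrive in the fragment, code responses in the query.
    fields = parse_qs(parsed.fragment if hybrid_type else parsed.query)
    got_state = fields.get("state", [""])[0]
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in fields:
        raise ValueError("authorization server returned: " + fields["error"][0])
    wanted = HYBRID_RESPONSE_TYPES[hybrid_type].split() if hybrid_type else ["code"]
    names = ["access_token" if w == "token" else w for w in wanted]
    missing = [n for n in names if n not in fields]
    if missing:
        raise ValueError("response is missing: " + ", ".join(missing))
    return fields["code"][0]
```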