Manual Chapter : OAuth Client and Resource Server

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.1, 16.0.0, 15.1.1, 15.1.0
Manual Chapter

OAuth Client and Resource Server

OAuth 2.0 authorization servers that APM supports

Access Policy Manager (APM) supports OAuth 2.0 only. When configured as an OAuth client and resource server, APM has been tested with these OAuth authorization servers:
  • AzureAD - Azure Active Directory
  • F5 - APM configured as an OAuth authorization server
  • Facebook
  • Google
  • Okta* - See considerations below
  • Ping Identity - PingFederate
For compatibility information, see release notes for APM on the AskF5 web site located at
support.f5.com
.
APM also supports the configuration of custom providers, that is, external OAuth 2.0 authorization servers that F5 has not tested. Custom providers should comply with RFC 6749.

* Considerations for the Okta authorization server

The Okta default authorization server does not publish the access token signing key. Instead, you need to use a custom authorization server that will publish the access token signing key on the respective jwks_uri. You can identify a custom authorization server by looking at the issuer value.
For example, if the issuer is:
https://f5test1.oktapreview.com
then the issuer is the built-in OIDC authorization server, and the access token cannot be validated locally.
If the issuer is:
https://partnerpoc.oktapreview.com/oauth2/ausce8ii5wBzd0zvQ0h7
then you know that it is an API Access Management authorization server, and the tokens can be validated locally.

About APM support for OpenID Connect

OpenID Connect adds an identity layer on top of OAuth 2.0. When configured as an OAuth client / resource server, Access Policy Manager (APM) can interact with an OpenID Connect provider to get this data:
UserInfo requests
APM can make UserInfo requests to an endpoint that is specified for that purpose on an OAuth provider. APM supports UserInfo requests from the OAuth Scope and OAuth Client agents in an access policy or a per-request policy subroutine.
ID Token
As defined in the OpenID Connect core 1.0 spec, an ID Token contains claims by an authorization server about the authenticated user when using a client. APM obtains an ID Token from an OAuth provider when OpenID Connect is enabled in the OAuth Client agent in an access policy or a per-request policy. (The OAuth provider must support OpenID Connect.)

Grant types that APM supports as an OAuth client

When configured as an OAuth client, Access Policy Manager (APM®) supports authorization code and resource owner password credentials grant types.

About the OAuth client and resource server configuration

To configure Access Policy Manager (APM®) as an OAuth client and resource server, first you must create these objects: OAuth providers, OAuth servers, and OAuth requests. Then, you must configure APM policies with agents that reference the objects to get tokens, get permission for scopes, and retrieve scopes.

About OAuth providers

An OAuth provider configuration object specifies an external OAuth authorization server type and settings to support opaque access tokens, JSON web tokens, and ID Tokens and OpenID Connect UserInfo requests for those providers that support OpenID Connect.

About OAuth servers

An OAuth server specifies an OAuth provider and the OAuth role that Access Policy Manager (APM®) plays with that provider. It also specifies the IDs, secrets, and SSL certificates that APM requires to communicate with the OAuth provider.

About OAuth requests

In Access Policy Manager (APM®), the request object enables configuration of requests to meet the requirements of your OAuth providers. The object supports requests for scope permission, scope data, authorization redirect, tokens, and OpenID Connect UserInfo. It specifies the HTTP method, parameters, and headers to use for the specific type of request.

About OAuth Client

An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:
Server
Specifies the OAuth server to which this OAuth client directs requests.
Grant Type
Specifies the type of grant that the OAuth client uses.
  • Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
  • Password - The client uses resource owner password credentials to request an access token from the OAuth server.
OpenID Connect
Specifies whether the agent uses OpenID Connect for authorization. Displays when
Grant Type
is set to
Authorization code
.
To function correctly when enabled, the OAuth provider (associated with the selected
Server
) must be configured to support JSON web tokens.
OpenID Connect Flow Type
Specifies the OpenID Connect flow type to use:
Authorization code
or
Hybrid
.
OpenID Connect Hybrid Response Type
Specifies the response type to use for an OpenID Connect hybrid flow:
code-idtoken
,
code-token
, or
code-idtoken-token
.
Authentication Redirect Request
Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when
Grant Type
is set to
Authorization code
.
Token Request
Specifies a token-request type of request.
Refresh Token Request
Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.
OpenID Connect UserInfo Request
Specifies an openid-userinfo-request type of request. Displays when
OpenID Connect
is set to
Enabled
. JWT access tokens can be submitted for an OpenID Connect UserInfo request; however, issuing id_tokens alongside an opaque token is not supported.
Redirection URI
Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when
Grant Type
is set to
Authorization code
.
Scope
Specifies one or more strings separated by spaces; for example
contacts photo email
. The strings are defined by the OAuth authorization server. Your best source of information for the strings that a particular OAuth authorization server defines could be APIs for OAuth 2.0 scopes on developer sites for OAuth providers.
For the
Authorization code
grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the
Password
grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.
Requests are configured in the
Access
Federation
OAuth Client / Resource Server
Requests
area of the product.

About OAuth Scope

The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes for opaque tokens. The OAuth Scope item provides these elements and options:
Token Validation Mode
  • Internal
    - In this mode, the agent validates JSON web tokens (JWT).
  • External
    - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.
JWT Provider List
Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. For
Internal
mode.
Server
Specifies an OAuth server. OAuth servers in resource server, or client and resource server modes are available for selection. For
External
mode.
Scopes Request
Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. For
External
mode.
OpenID Connect UserInfo Request
Specifies an openid-userinfo-request type request where the client sends the request using either GET or POST. For
External
mode.
In
External
mode, you can add multiple scope data requests to the agent. Click
Add New Entry
and specify:
Scope Name
Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)
Request
Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.
You can configure requests here:
Access
Federation
OAuth Client / Resource Server
Requests
.

Overview: Configuring APM as an OAuth client and resource server

Register Access Policy Manager® (APM®) as a client to an external OAuth authorization server and get information from the external server about the scopes that it supports. Then configure the OAuth providers, servers, and requests to use from Access Policy Manager® (APM®) policies to interact with external OAuth authorization servers.

Task summary

Registering APM with a social media OAuth provider

For users to access resources that Access Policy Manager (APM) protects through social media accounts, you must add APM as a client application to an external server that provides OAuth authorization services.
Perform this step whether you plan to use APM in the OAuth client role, the OAuth resource server role, or in both the OAuth client and OAuth resource server roles.
  1. Create a developer account with the provider.
    Go to Google or Facebook developer sites or go to another OAuth provider site.
  2. Log in to your developer account and add APM as a client application.
    Part of configuring APM as a client application should be to supply the provider with a redirect URI. The OAuth server uses it to redirect users back to APM OAuth client after they complete authorization. Type a URI that includes the FQDN for the virtual server you will configure on the BIG-IP system plus
    /oauth/client/redirect
    .
    Here is an example redirect URI:
    https://siterequest.com/oauth/client/redirect
    .
  3. Copy the IDs and secrets from the configuration and keep them handy.
    To configure APM as an OAuth client, you need to provide a client ID and client secret when you configure an OAuth server in APM.
    To configure APM as an OAuth resource server, you need to provide a resource server ID and resource server secret when you configure an OAuth server in APM.
    Social media account providers supply only a client ID and client secret; you must use them for the client and resource server IDs and the client and resource server secrets in APM.

Registering APM with an enterprise OAuth provider

To register Access Policy Manager (APM) as a client application of an enterprise provider, you must consult the enterprise provider documentation. For example, if F5 provides OAuth authorization services on another BIG-IP system, you must register APM as a client or as a resource server on that BIG-IP system. F5 provides the necessary instructions in
BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration
on the AskF5 web site located at
support.f5.com
.
For users to access resources that Access Policy Manager (APM) protects through enterprise accounts, you must add APM as a client application to an external server that provides OAuth authorization services.
Perform this step whether you plan to use APM in the OAuth client role, the OAuth resource server role, or in both the OAuth client and OAuth resource server roles.
  1. Add APM as a client application of the enterprise OAuth authorization server following instructions from the enterprise provider.
    Part of configuring APM as a client application should be to supply the provider with a redirect URI. The OAuth server uses it to redirect users back to APM OAuth client after they complete authorization. Type a URI that includes the FQDN for the virtual server you will configure on the BIG-IP system plus
    /oauth/client/redirect
    .
    Here is an example redirect URI:
    https://siterequest.com/oauth/client/redirect
    .
  2. Copy the IDs and secrets from the configuration and keep them handy.
    To configure APM as an OAuth client, you need to provide a client ID and client secret when you configure an OAuth server in APM.
    To configure APM as an OAuth resource server, you need to provide a resource server ID and resource server secret when you configure an OAuth server in APM.

Configuring OAuth providers to auto-discover JWTs and JWKs

You can configure an OAuth provider to enable APM to obtain opaque tokens or JSON web tokens (JWTs) from an OAuth authorization server that supports them. You can automatically add JWT settings to Access Policy Manager (APM) if your OAuth provider supports OpenID Connect discovery.
OAuth Discover uses the global system DNS (not DNS resolvers) so you need to have configured a DNS remote lookup server using
System
Configuration
Device
DNS
to use discovery.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    Provider
    .
    The Provider screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name for the object.
  4. From
    Type
    , select a type.
    You can configure auto-discovery for any provider type except Facebook.
    The fields that display and default values might change based on your choice.
  5. For
    Ignore Expired Certificate Validation
    , select the check box if you want to ignore enforcement for an expired authorization server certificate.
    For this to work as intended, the OAuth authorization server must include an X5C (X.509 Certificate Chain) parameter in its JWK endpoint response.
  6. Select
    Allow Self-Signed JWK Config Certificate
    to allow APM to create a JWK with a self-signed certificate if one is discovered on the provider.
  7. Keep
    Use Auto JWT
    selected to use auto-discovery.
  8. In
    OpenID URI
    , type a string that appends
    .well-known/openid-configuration
    to the URL of the issuer, and click
    Discover
    .
    This only works if you have configured a system DNS server using
    System
    Configuration
    Device
    DNS
    .
    Discovery updates the URIs in the remaining fields on the screen.
  9. In the
    Authentication URI
    field, type the URI to use to request authentication from the provider to get an authorization code.
  10. In the
    Token URI
    field, type the URI to use to retrieve an access token from the provider.
  11. If any of the URIs contains a fragment or the
    #
    character, remove it before you save the configuration.
  12. From the
    Frequency
    list, select
    None
    or the frequency to perform auto-discovery.
  13. Click
    Save
    .

Configuring JWKs for OAuth clients / resource servers

When Access Policy Manager (APM) is configured to act as an OAuth client or resource server, it uses JSON web keys (JWKs) to validate the JSON web tokens it receives. You can use APM to auto-discover JWKs from OAuth providers that support it. Otherwise, you can configure JWKs using this procedure.
  1. On the Main tab, select
    Access
    Federation
    JSON Web Token
    Key Configuration
    .
    The Key Configuration screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name.
  4. In
    ID
    , type an ID.
    This parameter is used to identity a specific JSON web key.
  5. For
    Type
    , select
    RSA
    ,
    Octet
    , or
    Elliptic Curve
    .
    Additional parameters display for the type that you select.
  6. For
    Signing Algorithm
    , select any one.
  7. For the
    Octet
    type, you only need to configure one additional setting:
    1. In
      Shared Secret
      , type a secret.
      To maximize the security of the algorithm, type enough characters so that the resulting key size matches the block size for the signing algorithm: for
      HS256
      , 32 characters; for
      HS384
      , 48 characters; for
      HS512
      , 64 characters.
    2. Click
      Save
      .
      The newly created JWK displays on the list.
  8. To support an
    RSA
    or an
    Elliptic Curve
    key type, you must either configure settings in the Certificates area or in the Parameters area. To get the necessary parameters from a certificate, go to the Certificates area and configure these settings:
    1. For
      Certificate File
      , select a certificate.
      When the BIG-IP system is on a chassis platform or is included in an HA pair, do not select the default certificate. F5 strongly discourages the use of the default certificate in a JWK in any configuration.
      The
      Include X5C
      ,
      Certificate Key
      , and
      Key Passphrase
      settings apply only for a JWK for use with APM as an OAuth authorization server.
    2. For
      Certificate Chain
      , select one.
    3. Click
      Save
      .
      The newly created JWK displays on the list.
  9. For the
    RSA
    type, in the absence of a certificate, go to the Parameters area and complete these substeps:
    1. For
      Modulus
      , type the modulus of the RSA public key.
    2. For
      Public Exponent
      , type the public exponent of the RSA public key.
    3. Supply values for the
      SHA-1 Thumbprint
      , and
      SHA-256 Thumbprint
      fields.
    4. Click
      Save
      .
      The newly created JWK displays on the list.
  10. For the
    Elliptic Curve
    type, in the absence of a certificate, go to the Parameters area and complete these substeps:
    1. For
      X Coordinate
      , type an X coordinate for the elliptic curve.
    2. For
      Y Coordinate
      , type an Y coordinate for the elliptic curve.
    3. For
      Curve
      , specify an elliptic curve.
      For example, type
      P-256
      .
    4. Supply values for the
      SHA-1 Thumbprint
      , and
      SHA-256 Thumbprint
      fields.
    5. Click
      Save
      .
      The newly created JWK displays on the list.

Specifying token configurations for JSON web tokens

If you're configuring Access Policy Manager (APM) as an OAuth Client or OAuth Resource Server and your external OAuth provider supports OpenID Connect, you can auto-discover the token configuration from the provider instead of using this procedure to configure it. Before you use this procedure, configure JSON web key settings in APM.
You create token configurations for APM to use as an OAuth client/resource server.
  1. On the Main tab, select
    Access
    Federation
    JSON Web Token
    Token Configuration
    .
    The Token Configuration screen opens.
  2. Open the properties for a token configuration:
    • To edit an existing token configuration, click its name.
    • To add a new token configuration, click
      Create
      , then on the screen that opens, type a name.
  3. In
    Issuer
    field, type the URL of the token issuer, starting with
    https
    .
    You cannot modify the issuer if this JWT was auto-discovered.
  4. To use the value of
    Access Token Expires In
    from the provider list, retain the selection of the
    Use Provider List Settings
    check box. Otherwise, clear the check box and type the number of minutes the access token should live in the
    Access Token Expires In
    field.
  5. For
    Audience
    , add all audiences that the provider supports. For each one, type a case-sensitive string and click
    Add
    Audience settings apply to the access token and not to the ID token.
    Interpretation of audience is application-specific.
  6. In the Signing Algorithms area, select from the
    Available
    list and populate the
    Allowed
    and
    Blocked
    lists.
  7. In the Keys (JWK) area, select from the
    Available
    list and populate the
    Allowed
    and
    Blocked
    lists.
  8. In the Access Tokens area, for
    Blacklist
    , to reject a valid JWT access token that contains one of the configured claim names paired with one of the configured claim values, add names and values:
    1. In the Access Tokens area click (
      +
      ).
    2. In the
      Name
      field, type a claim name.
    3. In the
      Values
      field, type a claim value to be blacklisted for that claim and click
      Add
      . (Repeat this step if necessary.)
  9. Click
    Save
    .
    The new token displays on the Token Configuration list.

Configuring OAuth providers without auto-discovery

If you want to use JSON web tokens (JWTs) and the OAuth provider supports them, then configure JWTs in Access Policy Manager (APM) before you start this task.
You specify the URIs on an external server where APM gets OAuth authorization services when configured as an OAuth client and resource server.
APM provides preconfigured providers named
AzureAD
(Azure Active Directory from Microsoft),
F5
(APM),
Facebook
,
Google
,
Okta
, and
Ping
(PingFederate from Ping Identity).
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    Provider
    .
    The Provider screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name for the object.
  4. From the
    Type
    field, select a predefined type of provider, or select
    Custom
    .
    Based on the type that you select, the fields that display might change
    If you select a predefined type, additional fields fill with default values where possible.
  5. If the
    Use Auto-discovered JWT
    setting displays, clear the check box.
    The
    Token Configuration (JWT)
    field displays and is set to
    None
    .
  6. If these fields display and you want to support JWTs, configure them as follows:
    1. For
      Token Configuration (JWT)
      , select a configuration from the list.
    2. To specify that the OAuth provider ignore the certificate expiry check during token verification for a resource server, enable the
      Ignore Expired Certificate Validation
      check box.
      For this to work as intended, the OAuth authorization server must include an X5C (X.509 Certificate Chain) parameter in its JWKS endpoint response.
  7. In the
    Authentication URI
    field, type the URI on the provider where APM should redirect the user for authentication.
  8. In the
    Token URI
    field, type the URI on the provider where APM can get a token.
  9. In the
    Token Validation Scope URI
    field, type the URI on the provider where APM can get information about a specific token.
  10. If the provider supports OpenID Connect and you want to request identity information about a subject, for
    UserInfo Request URI
    type the URI at which to make the request.
  11. Click
    Finished
    .
    The new provider displays on the Provider screen.

About OAuth client and resource server roles for APM

A
Mode
setting in the OAuth server configuration specifies the OAuth roles that you intend Access Policy Manager (APM®) to play: OAuth client, OAuth resource server, or OAuth client and resource server. You can configure OAuth servers for each or any of the modes on one BIG-IP system.

About SSL administration for OAuth clients and resource servers

You might need to perform some SSL administration tasks to support communication between Access Policy Manager (APM®) as an OAuth client and an OAuth resource server, and external OAuth authorization servers. OAuth server objects on APM require a server SSL profile for an OAuth client and for an OAuth resource server.
SSL certificates are configured in the
System
Certificate Management
Traffic Certificate Management
area of the product.
Server SSL profiles are configured in the
Local Traffic
Profiles
SSL
Server
area of the product.
For more information, refer to
BIG-IP System: SSL Administration
on the AskF5 web site located at
support.f5.com
.

Configuring OAuth servers for APM as client and resource server

You configure the OAuth servers that process requests from Access Policy Manager (APM).
For APM to play the role of an OAuth client and an OAuth resource server, configure OAuth servers with
Mode
set to
Client + Resource Server
.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    OAuth Server
    .
    The OAuth Server screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name for the object.
  4. From the
    Mode
    list, select
    Client + Resource Server
    .
    APM can use this OAuth server to request access tokens and scope details, such as an email address for the user.
    The Client Settings and Resource Server Settings areas display.
  5. From the
    Type
    list, to get OAuth authorization services from another BIG-IP system, retain the default selection
    F5
    ; otherwise select another type.
    If any providers of the selected type exist, the
    OAuth Provider
    field displays one.
  6. From the
    OAuth Provider
    list, retain the default selection or select another provider.
  7. From the
    DNS Resolver
    list, select a DNS resolver (or click the plus (
    +
    ) icon, create a DNS resolver, and then select it).
  8. In the
    Token Validation Interval
    field, type a number.
    If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
  9. In the Client Settings area, fill in these fields:
    You should have gotten a client ID and client secret when you registered APM as a client of the OAuth authorization server.
    1. In the
      Client ID
      field, type or paste the client ID.
    2. In the
      Client Secret
      field, type or paste the secret.
    3. From the
      Client's ServerSSL Profile Name
      , select a server SSL profile.
  10. In the Resource Server Settings area, fill in these fields.
    You should have gotten an ID and secret from the OAuth authorization server when you registered APM with it.
    Social account providers supply only client ID and client secret. For social account providers, use the client ID and client secret for the client and the resource server IDs and secrets.
    1. In the
      Resource Server ID
      field, type or paste the resource server ID (for an enterprise provider).
      For a social provider, type or paste the client ID instead.
    2. In the
      Resource Server Secret
      field, type or paste the resource server secret (for an enterprise provider).
      For a social provider, type or paste the client secret instead.
    3. From the
      Resource Server's ServerSSL Profile Name
      , select a server SSL profile.
  11. Click
    Finished
    .
    The server displays on the OAuth Servers screen.
The OAuth servers that you have configured are available for selection from the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy.

Configuring OAuth servers for APM as a client

You configure the OAuth servers that process requests from Access Policy Manager (APM).
For APM to play the role of an OAuth client only, configure OAuth servers with
Mode
set to
Client
.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    OAuth Server
    .
    The OAuth Server screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name for the object.
  4. From the
    Mode
    list, select
    Client
    .
    In this mode, APM can request access tokens from this OAuth server; APM can also refresh an existing access token when expired on a per-request basis.
    The Client Settings area displays.
  5. From the
    Type
    list, to get OAuth authorization services from another BIG-IP system, retain the default selection
    F5
    ; otherwise select another type.
    If any providers of the selected type exist, the
    OAuth Provider
    field displays one.
  6. From the
    OAuth Provider
    list, retain the default selection or select another provider.
  7. From the
    DNS Resolver
    list, select a DNS resolver (or click the plus (
    +
    ) icon, create a DNS resolver, and then select it).
  8. If you have iRules to use, in the
    iRules
    setting move them to the
    Selected
    list.
    For detailed information on iRules, see the F5 Networks DevCentral web site,
    devcentral.f5.com
    .
  9. In the
    Token Validation Interval
    field, type a number.
    If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
  10. In the Client Settings area, fill in these fields:
    You should have gotten a client ID and client secret when you registered APM as a client of the OAuth authorization server.
    1. In the
      Client ID
      field, type or paste the client ID.
    2. In the
      Client Secret
      field, type or paste the secret.
    3. From the
      Client's ServerSSL Profile Name
      , select a server SSL profile.
  11. Click
    Finished
    .
    The server displays on the OAuth Servers screen.
The OAuth servers that you have configured are available for selection from the OAuth Client agent when you configure an access policy or a per-request policy.

Configuring OAuth servers for APM as a resource server

You configure the OAuth servers that process requests from Access Policy Manager (APM).
For APM to play the role of an OAuth resource server only, configure OAuth servers with
Mode
set to
Resource Server
.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    OAuth Server
    .
    The OAuth Server screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name for the object.
  4. From the
    Mode
    list, select
    Resource Server
    .
    APM can use this OAuth server to request a list of scopes associated with the access token , request details for a particular scope, such as an email address for the user, or to make both types of requests.
    The Resource Server Settings area displays.
  5. From the
    Type
    list, to get OAuth authorization services from another BIG-IP system, retain the default selection
    F5
    ; otherwise select another type.
    If any providers of the selected type exist, the
    OAuth Provider
    field displays one.
  6. From the
    OAuth Provider
    list, retain the default selection or select another provider.
  7. From the
    DNS Resolver
    list, select a DNS resolver (or click the plus (
    +
    ) icon, create a DNS resolver, and then select it).
  8. If you have iRules to use, in the
    iRules
    setting move them to the
    Selected
    list.
    For detailed information on iRules, see the F5 Networks DevCentral web site,
    devcentral.f5.com
    .
  9. In the
    Token Validation Interval
    field, type a number.
    If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
  10. In the Resource Server Settings area, fill in these fields.
    You should have gotten an ID and secret from the OAuth authorization server when you registered APM with it.
    Social account providers supply only client ID and client secret. For social account providers, use the client ID and client secret for the client and the resource server IDs and secrets.
    1. In the
      Resource Server ID
      field, type or paste the resource server ID (for an enterprise provider).
      For a social provider, type or paste the client ID instead.
    2. In the
      Resource Server Secret
      field, type or paste the resource server secret (for an enterprise provider).
      For a social provider, type or paste the client secret instead.
    3. From the
      Resource Server's ServerSSL Profile Name
      , select a server SSL profile.
  11. Click
    Finished
    .
    The server displays on the OAuth Servers screen.
The OAuth servers that you have configured are available for selection from the OAuth Scope agent when you configure an access policy or a per-request policy.

Configuring requests for preconfigured providers

Configure requests for token validation, getting scopes and scope details, authorization redirect, access token, or refresh token to meet the specifications of the provider.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    Request
    .
    APM supplies several preconfigured requests for these providers: AzureAD (Azure Active Directory), F5 (APM), Facebook, Google, Okta, and Ping (PingFederate from Ping Identity).
  2. To copy a request:
    You cannot delete or update preconfigured requests. However, you can copy preconfigured requests and edit the copies. You can also create new requests.
    1. In the Copy column of the request, click the
      Copy
      link.
    2. In the
      New Request Name
      field, type a name.
    3. Click
      Copy
      .
      The Properties screen for the new request displays.
  3. For the
    HTTP Method
    and
    Type
    settings, retain the existing values or select new ones.
  4. To edit existing request parameters:
    1. From
      Request Parameters
      , select an entry and click
      Edit
      .
      The entry populates the
      Parameter Type
      and
      Parameter Name
      fields, and, for a
      custom
      parameter type, the
      Parameter Value
      field.
    2. Edit the Request Parameters as needed.
      Do not configure a
      CODE
      ,
      REFRESH_TOKEN
      , or
      STATE
      parameter. APM adds these parameters automatically when needed.
    3. Click
      Add
      .
      The edited request parameters display in the list.
  5. Add or delete any request parameters as needed.
  6. If you need to add a request header:
    1. In the
      Header Name
      field, type a name.
    2. In the
      Header Value
      field, type a value.
    3. Click
      Add
      .
    The entry displays in the
    Request Headers
    field.
  7. Click
    Update
    .
If using Okta preconfigured requests, Okta provides a refresh token only when
offline_access
is requested. Therefore,
offline_access
is used as the scope in default requests.
If you need to make the user consent prompt visible, you must create a new request that does not specify
offline_access
as the scope. In addition, in the Okta setup, make sure that you have the API Access Management and User Consent features enabled. When both features are enabled, clients see a user consent prompt when connecting to their resources. Refer to Okta documentation for how to add user consent dialogs to the authentication flow.
Requests are available for selection in the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy subroutine.

Configuring requests for custom providers

To perform this task, you need to understand the request parameters, request values, request headers, and HTTP method that the external OAuth authorization server supports for the type of request you plan to specify.
You configure a request for token validation, getting scopes and scope details, authorization redirect, access token, or refresh token that meets the specifications of the custom provider.
APM provides preconfigured providers, AzureAD (Azure Active Directory), F5 (APM), Facebook, Google, Okta, and Ping (PingFederate from Ping Identity), and supports configuration of custom providers.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    Requests
    .
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name.
  4. For
    HTTP Method
    , retain
    POST
    or select
    GET
    .
  5. From the
    Type
    list, select a request type.
  6. If you selected the
    scope-data-request
    type, type a URI in the
    URI
    field.
  7. Specify request parameters:
    1. From
      Parameter Type
      , select an option.
      If you select
      custom
      , the
      Parameter Value
      field displays.
    2. In the
      Parameter Name
      field, type a name as specified by your provider.
      Do not configure a
      CODE
      ,
      REFRESH_TOKEN
      , or
      STATE
      parameter. APM adds these parameters automatically when needed.
    3. In the
      Parameter Value
      field, type a value.
    4. Click
      Add
      .
      The entry displays in the
      Request Parameters
      field.
  8. Add request headers if needed:
    1. In the
      Header Name
      field, type a name.
    2. In the
      Header Value
      field, type a value.
    3. Click
      Add
      .
    The entry displays in the
    Request Headers
    field.
  9. Click
    Finished
    .
The request displays in the list on the screen.
Requests are available for selection in the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy subroutine.

Configuring UserInfo requests for OpenID Connect

To perform this task, you need to understand the request parameters, request values, request headers, and HTTP method that the external OAuth authorization server supports for an OpenID Connect UserInfo request.
Access Policy Manager (APM) provides preconfigured requests for acquiring UserInfo through OpenID Connect for the Ping (PingFederate from Ping Identity), Okta, and Google OAuth provider types. To get UserInfo from custom providers that support OpenID Connect, you create requests that meet the specifications of the custom provider.
  1. On the Main tab, click
    Access
    Federation
    OAuth Client / Resource Server
    Request
    .
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name.
  4. For
    HTTP Method
    , retain
    POST
    or select
    GET
    .
  5. From the
    Type
    list, select
    openid-userinfo-request
    .
  6. Specify the options in the
    Request Parameters
    setting:
    1. From
      Parameter Type
      , select an option.
      If you select
      custom
      , the
      Parameter Value
      field displays.
    2. In the
      Parameter Name
      field, type a name as specified by your provider.
      Do not configure a
      CODE
      ,
      REFRESH_TOKEN
      , or
      STATE
      parameter. APM adds these parameters automatically when needed.
    3. In the
      Parameter Value
      field, type a value.
    4. Click
      Add
      .
      The entry displays in the
      Request Parameters
      field.
  7. Add
    Request Headers
    if needed:
    1. In the
      Header Name
      field, type a name.
    2. In the
      Header Value
      field, type a value.
    3. Click
      Add
      .
    The entry displays in the
    Request Headers
    field.
  8. Click
    Finished
    .
Requests are available for selection in the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy subroutine.

Configuring a provider list

Access Policy Manager (APM) provides a number of preconfigured OAuth providers. To add custom OAuth providers to a provider list, first configure them in the
Access
Federation
OAuth Client / Resource Server
Provider
area.
You configure a provider list for use with APM configured as an OAuth resource server. A
provider list
enables a single OAuth Scope agent in an access policy to validate tokens issued by multiple OAuth providers.
  1. On the Main tab, select
    Access
    Federation
    JSON Web Token
    Provider List
    .
  2. Click
    Create
    .
  3. In
    Name
    , type a name for the configuration.
  4. In
    Access Token Expires In
    , type the number of minutes that access token should live.
  5. From the
    Provider
    list, select a provider and click
    Add
    . Repeat this step to add additional providers to the list.

OAuth request type reference

The table lists OAuth request types, and specifies the agents that use them and the policies where they are used.
Request type
Description
Agents and policies where used
auth-redirect-request
Redirects a user to an authorization server.
An OAuth Client agent uses this request at the start of a session (from the access policy) and can also use it from a per-request policy subroutine. This request is applicable when the OAuth Client is configured with the authorization code grant. This request can only use the GET parameter.
token-request
Accesses an authorization server to obtain an access token or exchange an authorization code for an access token.
An OAuth Client agent uses this request at the start of a session (from the access policy) and can also use it from a per-request policy subroutine.
token-refresh-request
Refreshes an expired access token.
An OAuth Client agent can make token refresh requests from a per-request policy subroutine.
validation-scopes-request
Accesses an authorization server to get a list of scopes associated with an access token and to get scope data for those scopes.
An OAuth Scope agent uses this request at the start of a session (from the access policy) and can also use it from a per-request policy subroutine. The preconfigured
F5ScopesRequest
request is designed for use when APM is the OAuth server.
scope-data-request
Accesses an authorization server to get scope data.
An OAuth Scope agent can use this request type from an access policy and can also use it from a per-request policy subroutine.
openid-userinfo-request
Accesses a well-known endpoint for OpenID Connect to get UserInfo
An OAuth Scope and OAuth Client agent can use this request to get information.

Implementation result

The OAuth provider, server, and request objects are ready for use in OAuth Client and OAuth Scope agents in access policies and per-request policy subroutines.

Overview: Configuring policies for OAuth client and resource server

When Access Policy Manager® (APM®) acts as an OAuth client, an OAuth Client policy item can obtain an access token (and a refresh token if configured to do so) at the start of a session through the access policy. The OAuth client can also make OpenID Connect UserInfo requests following one of the OpenID Connect-defined flows (Authorization code flow or hybrid flow).
Throughout the session, an OAuth Client policy item can run periodically from a per-request policy subroutine to make OpenID Connect UserInfo requests, and, when the token expires, make an attempt to refresh the access token (if a refresh token exists) or authenticate the user anew.
When APM acts as an OAuth resource server, an OAuth Scope policy item can be used to validate a token and make scope data and UserInfo requests from the access policy and, periodically, from a per-request policy subroutine.

Task summary

Sample policy: Get an access token once per session

To obtain an access token one time only for the session, you need to configure an access policy. The OAuth Client agent can request a token.
With this access policy, the user logs on through a BIG-IP system. The OAuth Client agent obtains an access token, and an OAuth Scope agent tries to retrieve the list of scopes associated with the token from the OAuth provider. The session starts. When the token expires, the system makes no attempt to refresh it.

Sample policies: Get a token and validate it for each request

To obtain an access token and to validate it for each request, first you need an access policy to obtain the token.
Access policy for APM as an OAuth client and resource server
To periodically validate and refresh the token, you need a per-request policy subroutine.
Per-request policy runs for each request but subroutine runs at an interval

Sample policy: Validate tokens per-request

When Access Policy Manager (APM) acts as an OAuth resource server, an OAuth Scope agent validates tokens obtained from the incoming request.
Per-request policy runs for each request, while subroutine runs only at an interval

Creating an access profile for OAuth client and resource server

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
    field, type a name for the access profile.
    A access profile name must be unique among all access profile and any per-request policy names.
  4. From the
    Profile Type
    list, select one these options:
    • LTM-APM
      : Select for a web access management configuration.
    • SSL-VPN
      : Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL
      : Select to support LTM-APM and SSL-VPN access types.
    • SWG - Explicit
      : Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent
      : Select to configure access using Secure Web Gateway transparent forward proxy.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click
    Finished
    .
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Configuring an OAuth Client agent in an access policy

Before you start, you need an OAuth server configured in Access Policy Manager (APM) that supports clients (
Mode
is set to
Client
or
Client + Resource Server
) .
You add an OAuth Client agent to an access policy to request authorization from an OAuth server for one or more scopes. You can add more than one OAuth Client item to an access policy, with each item requesting permission for additional scopes.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the
    Authentication
    tab, select
    OAuth Client
    .
  5. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  6. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  7. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Client
    or
    Client + Resource Server
    display.
  8. From the
    Grant Type
    list, select one of these options:
    • Authorization code
      - Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token
    • Password
      - Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen you must insert a logon page before the OAuth Client item in the access or the per-request policy.
    If you select
    Authorization code
    , the
    Redirection URI
    field displays.
  9. To enable OpenID Connect in the agent, perform these substeps:
    1. For
      OpenID Connect
      , select
      Enabled
      .
      Additional fields display.
    2. For
      OpenID Connect Flow Type
      , retain
      Authorization code
      or select
      Hybrid
      and then select an entry for
      OpenID Connect Hybrid Response Type
      .
    3. For
      OpenID Connect UserInfo Request
      , select a request.
  10. Select the requests to make to the OAuth server from the access policy.
    • Authentication Redirect Request
      - Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when
      Grant Type
      is set to
      Authorization code
      .
    • Token Request
      - Specifies a token-request type of request.
    You can make a selection from the
    Refresh Token Request
    list, but the OAuth Client does not use this request from an access policy.
    Requests are configured in the
    Access
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
  11. If the
    Redirection URI
    field displays, retain the default value (
    https://%{session.server.network.name}/oauth/client/redirect
    ) or type a URI that points back to the APM client.
    If you type a URI, you must retain this path
    /oauth/client/redirect
    . Only change the host name portion of the URI.
    The OAuth server uses the URI to send the user back to APM.
  12. In the
    Scope
    field, type one or more scopes separated by spaces.
    Each time you add another OAuth Client agent to a policy, you must include the scopes (for example,
    email photos
    ) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example,
    email photos contacts
    ).
    Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
  13. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  14. If you selected
    Password
    from the
    Grant Type
    list, you must insert a logon page agent to precede the OAuth Client agent.
    1. Click (
      +
      ) ahead of the
      OAuth Client
      on the policy branch.
    2. On the Logon Page tab, select
      OAuth Logon Page
      and click
      Add Item
      .
      A Properties screen displays.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  15. Complete the policy:
    1. Add any branch rules that you need.
      By default, the
      OAuth Client
      item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on authorization server response to suit your needs.
    2. Change branch endings as needed; change
      Deny
      to
      Allow
      where you want to provide access.
  16. Click the
    Apply Access Policy
    link to apply and activate the changes to the policy.

Configuring OAuth Scope for opaque tokens in an access policy

Before you start, you need an OAuth server that supports resource servers (
Mode
is set to
Resource
or
Client + Resource Server
) configured in Access Policy Manager (APM).
You add an
OAuth Scope
item to a policy either to request the list of scopes associated with an opaque token or to request scope data from the OAuth server.
If the access policy already includes an
OAuth Client
item, place the
OAuth Scope
agent somewhere after the
OAuth Client
on the policy branch.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the
    Authentication
    tab, select
    OAuth Scope
    .
  5. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  6. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  7. From
    Token Validation Mode
    , retain the default setting,
    External
    .
    This mode allows the OAuth Scope agent to make scope requests and OpenID Connect UserInfo requests.
  8. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Resource Server
    or
    Client + Resource Server
    display.
  9. To get a list of scopes associated with an access token, from the
    Scopes Request
    list, select a request to send to the OAuth provider.
    The list displays validation-scopes-request types.
    If F5 (APM) is the OAuth provider, select
    F5ScopesRequest
    .
    Requests are configured in the
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
  10. To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
    1. Click
      Add new entry
      .
      A new line is added to the list of entries.
    2. In the
      Scope Name
      field, type the name of a scope that the OAuth provider supports.
      The scope must be associated with the access token. (The user must have granted permission for this scope.)
      For example, some OAuth providers support scopes named
      email
      or
      profile
      .
    3. From the
      Request
      list, select a request.
      The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  11. To include a UserInfo request, select one from the
    OpenID Connect UserInfo Request
    list.
  12. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  13. Complete the policy:
    1. Add any additional policy items you require.
    2. Change the ending from
      Deny
      to
      Allow
      on any access policy branch on which you want to grant access.
  14. Click the
    Apply Access Policy
    link to apply and activate the changes to the policy.

Configuring OAuth Scope for JWTs in an access policy

Before you start, you need to have configured a JSON web token (JWT) provider list. You can configure it in the
Access
Federation
JSON Web Token
Provider List
area of the product.
You can add an
OAuth Scope
item to a policy to process JSON web tokens (JWTs) from multiple providers.
If the access policy already includes an
OAuth Client
item, place the
OAuth Scope
agent somewhere after the
OAuth Client
on the policy branch.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the
    Authentication
    tab, select
    OAuth Scope
    .
  5. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  6. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  7. From
    Token Validation Mode
    , select
    Internal
    .
    This mode allows the OAuth Scope agent to process JSON web tokens from multiple providers.
    The
    JWT Provider List
    field displays.
  8. From
    JWT Provider List
    , select a list.
    Provider lists are configured in the
    Access
    Federation
    JSON Web Token
    Provider List
    area of the product.
  9. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  10. Complete the policy:
    1. Add any additional policy items you require.
    2. Change the ending from
      Deny
      to
      Allow
      on any access policy branch on which you want to grant access.

What causes a subroutine to run for an OAuth server?

A
per-request policy
runs at each request. A
per-request policy subroutine
runs periodically at whichever of these intervals is shorter: the number of minutes specified in the OAuth server
Token Validation Interval
field on Access Policy Manager (APM®), or the interval that the external OAuth authentication server specifies in the
expires_in
attribute of the access token it issues.

Configuring an OAuth Client agent in a subroutine

Before you start, you need an OAuth server configured in Access Policy Manager (APM) that supports clients (
Mode
is set to
Client
or
Client + Resource Server
) .
You configure a per-request policy subroutine to periodically validate an OAuth token, to obtain a new or a refresh token, to get scopes and scope data.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. In the
    Name
    field, locate the policy that you want to update, then in the
    Per-Request Policy
    field, click the
    Edit
    link.
    The visual policy editor opens in another tab.
  3. Click the
    Add New Subroutine
    button.
    A popup screen opens.
  4. On the
    Select Subroutine template
    list, retain the selection
    Empty
    , and click
    Save
    .
    The popup screen closes. The subroutine, with the heading
    [+] Subroutine:
    Name
    , displays below the main editor.
  5. Expand the subroutine by clicking the [
    +
    ] icon.
    The subroutine displays.
  6. Click the
    (+)
    icon anywhere in the subroutine to add a new item.
    A small set of actions are provided for building a subroutine.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. On the
    Authentication
    tab, select
    OAuth Client
    .
  8. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  9. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  10. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Client
    or
    Client + Resource Server
    display.
  11. From the
    Grant Type
    list, select one of these:
    • Authorization code
      - Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token
    • Password
      - Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen, you must insert a logon page before the OAuth Client item in the access or the per-request policy.
      If you select the password grant type, every time the per-request policy subroutine runs, it must request credentials from the user.
  12. To add an OpenID Connect UserInfo request to the policy, perform these steps:
    1. For
      OpenID Connect
      , select
      Enabled
      .
      Additional fields display.
    2. For
      OpenID Connect Flow Type
      , retain
      Authorization code
      or, select
      Hybrid
      and then select an entry for
      OpenID Connect Hybrid Response Type
      .
    3. For
      OpenID Connect UserInfo Request
      , select a request.
  13. Select requests for the per-request policy to make to the OAuth server.
    • Authentication Redirect Request
      - Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when
      Grant Type
      is set to
      Authorization code
      .
    • Token Request
      - Specifies a token-request type of request.
    • Refresh Token Request
      - Specifies a token-refresh-request type of request.
    Requests are configured in the
    Access
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
  14. If the
    Redirection URI
    field displays, retain the default value (
    https://%{session.server.network.name}/oauth/client/redirect
    ) or type a URI that points back to the APM client.
    If you type a URI, you must retain this path
    /oauth/client/redirect
    . Only change the host name portion of the URI.
    The OAuth server uses the URI to send the user back to APM.
  15. In the
    Scope
    field, type one or more scopes separated by spaces.
    Each time you add another OAuth Client agent to a policy, you must include the scopes (for example,
    email photos
    ) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example,
    email photos contacts
    ).
    Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
  16. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  17. If you selected
    Password
    from the
    Grant Type
    list, you must insert a logon page agent to precede the OAuth Client agent.
    1. Click (
      +
      ) ahead of the
      OAuth Client
      on the policy branch.
    2. On the Logon Page tab, select
      OAuth Logon Page
      and click
      Add Item
      .
      A Properties screen displays.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  18. Complete the policy:
    1. Add any branch rules that you need.
      By default, the
      OAuth Client
      item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on authorization server response to suit your needs.
    2. Change branch endings as needed; change
      Deny
      to
      Allow
      where you want to provide access.
  19. Add the subroutine to the per-request policy:
    1. On a per-request policy branch, click the (
      +
      ) icon.
    2. Select the Subroutines tab.
    3. Select the subroutine and click
      Add Item
      .
      The popup screen closes and the policy displays.
  20. To rename the subroutine or to update number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
    1. Click
      Subroutine Settings/Rename
      .
    2. To rename the subroutine, type in the
      Name
      field.
    3. To update the timeout, type a number in the
      Subroutine Timeout (sec)
      field.
      No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
    4. Click
      Save
      .
      The popup screen closes. The subroutine displays in the policy.
To affect network traffic, along with an access policy, a per-request policy must be specified on a virtual server.

Configuring OAuth Scope for opaque tokens in a subroutine

Before you start, you need an OAuth server that supports resource servers (
Mode
is set to
Resource
or
Client + Resource Server
) configured in Access Policy Manager (APM).
To periodically get scopes and scope data for an existing access token, you configure an OAuth Scope agent in a per-request policy subroutine.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. In the
    Name
    field, locate the policy that you want to update, then in the
    Per-Request Policy
    field, click the
    Edit
    link.
    The visual policy editor opens in another tab.
  3. Click the
    Add New Subroutine
    button.
    A popup screen opens.
  4. On the
    Select Subroutine template
    list, retain the selection
    Empty
    , and click
    Save
    .
    The popup screen closes. The subroutine, with the heading
    [+] Subroutine:
    Name
    , displays below the main editor.
  5. Expand the subroutine by clicking the [
    +
    ] icon.
    The subroutine displays.
  6. Click the
    (+)
    icon anywhere in the subroutine to add a new item.
    A small set of actions are provided for building a subroutine.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. On the
    Authentication
    tab, select
    OAuth Scope
    .
  8. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  9. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  10. From
    Token Validation Mode
    , retain the default setting,
    External
    .
    This mode allows the OAuth Scope agent to make scope requests and OpenID Connect UserInfo requests.
  11. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Resource Server
    or
    Client + Resource Server
    display.
  12. To get a list of scopes associated with an access token, from the
    Scopes Request
    list, select a request to send to the OAuth provider.
    The list displays validation-scopes-request types.
    If F5 (APM) is the OAuth provider, select
    F5ScopesRequest
    .
    Requests are configured in the
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
  13. To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
    1. Click
      Add new entry
      .
      A new line is added to the list of entries.
    2. In the
      Scope Name
      field, type the name of a scope that the OAuth provider supports.
      The scope must be associated with the access token. (The user must have granted permission for this scope.)
      For example, some OAuth providers support scopes named
      email
      or
      profile
      .
    3. From the
      Request
      list, select a request.
      The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  14. To include a UserInfo request, select one from the
    OpenID Connect UserInfo Request
    list.
  15. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  16. Add the subroutine to the per-request policy:
    1. On a per-request policy branch, click the (
      +
      ) icon.
    2. Select the Subroutines tab.
    3. Select the subroutine and click
      Add Item
      .
      The popup screen closes and the policy displays.
  17. To rename the subroutine or to update number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
    1. Click
      Subroutine Settings/Rename
      .
    2. To rename the subroutine, type in the
      Name
      field.
    3. To update the timeout, type a number in the
      Subroutine Timeout (sec)
      field.
      No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
    4. Click
      Save
      .
      The popup screen closes. The subroutine displays in the policy.
To affect network traffic, along with an access policy, a per-request policy must be specified on a virtual server.

Configuring an OAuth Scope agent for JWTs in a subroutine

Before you start this task, you need to have configured a JSON web token (JWT) provider list. Provider lists are configured in the
Access
Federation
JSON Web Token
Provider List
area of the product.
You can add an
OAuth Scope
item to a policy to process JSON web tokens (JWTs) from multiple providers.
  1. On the Main tab, click
    Access
    Profiles / Policies
    Per-Request Policies
    .
    The Per-Request Policies screen opens.
  2. In the
    Name
    field, locate the policy that you want to update, then in the
    Per-Request Policy
    field, click the
    Edit
    link.
    The visual policy editor opens in another tab.
  3. Click the
    Add New Subroutine
    button.
    A popup screen opens.
  4. On the
    Select Subroutine template
    list, retain the selection
    Empty
    , and click
    Save
    .
    The popup screen closes. The subroutine, with the heading
    [+] Subroutine:
    Name
    , displays below the main editor.
  5. Expand the subroutine by clicking the [
    +
    ] icon.
    The subroutine displays.
  6. Click the
    (+)
    icon anywhere in the subroutine to add a new item.
    A small set of actions are provided for building a subroutine.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. On the
    Authentication
    tab, select
    OAuth Scope
    .
  8. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  9. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  10. From
    Token Validation Mode
    , select
    Internal
    .
    This mode allows the OAuth Scope agent to process JSON web tokens from multiple providers.
  11. From
    JWT Provider List
    , select a list.
    Provider lists are configured in the
    Access
    Federation
    JSON Web Token
    Provider List
    area of the product.
  12. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.

Creating a virtual server to manage HTTPS traffic

You can create a virtual server to manage HTTPS traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  5. From the
    HTTP Profile
    list, select
    http
    .
  6. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select
    clientssl
    , and using the Move button, move the name to the
    Selected
    list.
  7. Click
    Finished
    .
The HTTPS virtual server appears in the Virtual Server List screen.

Adding access profile and per-request policy to the virtual server

You associate an access profile with a virtual server for use in establishing an access session. If you have configured a per-request policy, which is for use throughout the access session, you associate it with the virtual server also.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that manages access for the web application you are securing.
  3. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  4. In the Access Policy area, from the
    Per-Request Policy
    list, select the policy that you configured earlier.
  5. Click
    Update
    .
The access profile (and access policy) and the per-request policy are now associated with the virtual server.

Overview: Customizing an OAuth Logon Page

The default OAuth Logon Page agent displays messages that instruct the user to log in using an authorization code or a resource owner password credentials (ROPC) grant type. It displays option buttons from which users select the OAuth provider through whom they want to log in.
For an alternative look and feel, an advanced customization template for the OAuth Logon Page agent is available on DevCentral.
Customization options in the OAuth Logon Page agent enable an admin to add, update, delete, and reorganize the OAuth providers, as well as to configure the fields and text to display.

About the OAuth Logon Page advanced customization template

The OAuth Logon Page advanced customization template provides the code and the images necessary to display a logon page that, by default, looks like this.
OAuth Logon Page (advanced customization template)
No affiliation between F5 Networks, Inc. (and its affiliated companies), and any of the above companies, including their associated products and services, relating to the functionality above, exists or is implied, nor is there any actual or implied recommendation or endorsement thereof.
The template forms a starting point for additional customization to achieve a logon page with the preferred providers, images, colors, fields, and text.
The OAuth Logon Page template is available for download from DevCentral at
devcentral.f5.com
. Instructions for advanced customization with the OAuth Logon Page template are also available in
BIG-IP Access Policy Manager: Advanced Customization Examples
on DevCentral.

Updating OAuth providers on the OAuth Logon Page

You can add, delete, and reorder the list of OAuth providers that display on an OAuth Logon Page.
  1. Open the per-session policy (or the per-request policy subroutine) that you want to update.
  2. Click the
    OAuth Logon Page
    item.
    A Properties screen opens.
  3. In row 1 of the Logon Page Agent table, click the
    Values
    field.
    Row 1 contains values for the
    oauthprovidertype
    variable.
    A popup screen displays options with a
    Value
    and a
    Text
    field for each provider.
  4. Add, delete, or reorder the providers, and click
    Finished
    .
    The popup screen closes. The updated list of providers displays in the
    Values
    field in row 1.
  5. If you added a provider, add a branch rule for that provider:
    1. Click the Branch Rules tab.
    2. Click
      Add Branch Rule
      .
      A new entry with
      Name
      and
      Expression
      settings displays.
    3. In the
      Name
      field, replace the default name by typing a new name.
      The name appears on the branch in the policy.
    4. Select and copy an expression from another branch rule.
      For example, copy the expression displayed for the
      F5
      branch rule:
      expr
      {[
      mcget
      {
      session.logon.last.oauthprovidertype
      }] == "
      F5
      "}
    5. For the branch rule that you added, in the
      Expression
      setting click the
      change
      link.
      A popup screen opens.
    6. Click the Advanced tab, paste the expression into the field, and replace the existing provider name (such as
      F5
      ) with the new provider name.
      For example, the result might look like this:
      expr
      {[
      mcget
      {
      session.logon.last.oauthprovidertype
      }] == "
      Siterequest
      "}
    7. Click
      Finished
      .
      The popup screen closes.
    8. Click
      Save
      .
      The properties screen closes and the policy displays.
  6. Click
    Finished
    .
    The popup screen closes.
  7. If you are working with a per-session policy, click the
    Apply Access Policy
    link.

Overview: Configuring APM as an OAuth resource server gateway

Some applications do not support standard HTTP redirection and cookies. For Access Policy Manager (APM®) to act as an OAuth resource server and provide an OAuth authorization layer into an API gateway, you must configure APM with a special access profile. This access profile also allows only a limited set of policy agents.
As a resource server gateway, APM must validate the tokens it receives. APM supports JSON web tokens (JWT) and validates them internally on the BIG-IP system. APM also supports opaque tokens: to validate them, APM must interact with OAuth providers that are external to the BIG-IP system. APM also supports requesting UserInfo at a URI on an OAuth provider.
A single OAuth Scope agent works to validate tokens internally or externally. If you need to do both, you need two OAuth Scope agents. You can configure them using one access profile and policies that branch to the separate agents. Or you can configure them using two access profiles with policies that each contain an OAuth Scope agent. Those details are up to you. In this example, we walk through configuring one access profile and a policy that includes one OAuth Scope agent.
This configuration supports OAuth client apps that send requests with an HTTP Authorization header that contains an OAuth Bearer token.

Task summary

Creating an access profile for a resource server gateway

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
    field, type a name for the access profile.
    A access profile name must be unique among all access profile and any per-request policy names.
  4. From the
    Profile Type
    list, select
    OAuth-Resource Server
    .
    The
    User Identification Method
    setting changes to
    OAuth Token
    .
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click
    Finished
    .
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Creating APM access and per-request policies for a resource server gateway

Before you start this task, you need to have configured these objects in Access Policy Manager (APM):
  • An OAuth server that supports resource servers only (
    Mode
    is set to
    Resource
    ).
  • An access profile of the
    OAuth-Resource Server
    type.
  • A JSON web token provider list to process JWTs if you plan to process them with this agent.
To use Access Policy Manager (APM) as an OAuth resource server gateway, we advise using an OAuth Scope agent to validate the tokens that APM receives. You can configure an OAuth Scope agent in an access policy, a per-request policy subroutine, or both.
In addition to OAuth Scope, other authentication agents are available. For example, when retrieving a user name from a JWT token, you can then perform an AD/LDAP query to retrieve the user's group and other details for further authorization as well as for generating a brand new token/assertion for the backend SSO server.
  1. Open the access policy in the visual policy editor:
    1. On the Main tab, click
      Access
      Profiles / Policies
      Access Profiles (Per-Session Policies)
      .
      The screen displays a list of access profiles.
    2. Locate the correct access profile.
      Make sure the
      Profile Type
      is set to
      OAuth-Resource Server
      .
    3. In the
      Per-Session Policy
      field, click the
      Edit
      link.
      The visual policy editor opens the access policy in a separate screen.
  2. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  3. To review the subset of agents that are allowed for use with the
    OAuth-Resource Server
    access profile type, click each tab.
  4. To configure the OAuth Scope agent to validate JSON web tokens internally, on the BIG-IP system, perform these substeps:
    You can configure an OAuth Scope agent to validate JWTs internally or to perform validation externally. With external validation, you can validate opaque tokens and get UserInfo. To perform internal validation and external validation requires configuration of more than one OAuth Scope agent.
    To configure external validation instead, skip these substeps.
    1. From
      Token Validation Scope
      , select
      Internal
      .
    2. From
      JWT Provider List
      , select a list of providers.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  5. To configure an OAuth Scope agent to validate opaque tokens or to get UserInfo or both, perform these substeps:
    1. From
      Token Validation Scope
      , select
      External
      .
    2. On the
      Authentication
      tab, select
      OAuth Scope
      .
    3. From the
      Server
      list, select an OAuth server that you know to be configured with
      Mode
      set to
      Resource Server
      .
      Do not select an OAuth server configured with
      Mode
      set to
      Client + Resource Server
      .
    4. From the
      Scopes Request
      list, select a request.
      Only validate-scopes-request type requests display.
      If F5 (APM) is the OAuth provider, select
      F5ScopesRequest
      .
    5. To add scope data requests, click
      Add new entry
      and, in the
      Scope Name
      field, type the name of a scope that the OAuth provider supports; then, from the
      Request
      list, select a scope data request that was configured to meet the requirements of the OAuth provider.
    6. Click
      Save
      .
      The properties screen closes. The policy displays.
  6. To save and apply any changes that you made to the access policy, click
    Apply Access Policy
    .
  7. To add an OAuth Scope agent to a per-request policy subroutine:
    1. On the Main tab, click
      Access
      Profiles / Policies
      Per-Request Policies
      .
    2. To open a per-request policy for editing, click the
      Edit
      link in the
      Per-Request Policy
      field.
      If you must create a per-request policy first, provide a name for it that is unique among all access profiles and per-request policies.
    3. Click
      Add New Subroutine
      .
      A popup screen opens. The
      Subroutine from template
      field specifies
      Empty
      .
    4. Click
      Save
      .
      The popup screen closes. The heading,
      [+] Subroutine:
      Name
      , displays below the main editor.
    5. Expand the subroutine for editing by clicking the
      [+]
      icon.
    6. In the subroutine area, click
      [+]
      .
      An
      Add Item
      popup screen opens.
    7. On the Authentication tab, select
      OAuth Scope
      and click
      Add Item
      .
    8. To configure the
      OAuth Scope
      agent properties, follow the instructions provided in this task previously.
    9. To add the subroutine to the per-request policy, in the main editor click the
      [+]
      icon.
    10. Click the Subroutines tab, select the subroutine, and click
      Add Item
      .
      The subroutine displays in the per-request policy.
To put the access policy into effect, you must specify the access profile in the virtual server. If you configured OAuth authentication in a per-request policy subroutine, you must also specify the per-request policy in that virtual server.

Creating a virtual server to manage HTTPS traffic

You can create a virtual server to manage HTTPS traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  5. From the
    HTTP Profile
    list, select
    http
    .
  6. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select
    clientssl
    , and using the Move button, move the name to the
    Selected
    list.
  7. Click
    Finished
    .
The HTTPS virtual server appears in the Virtual Server List screen.

Adding access profile and per-request policy to the virtual server

You associate an access profile with a virtual server for use in establishing an access session. If you have configured a per-request policy, which is for use throughout the access session, you associate it with the virtual server also.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that manages access for the web application you are securing.
  3. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  4. In the Access Policy area, from the
    Per-Request Policy
    list, select the policy that you configured earlier.
  5. Click
    Update
    .
The access profile (and access policy) and the per-request policy are now associated with the virtual server.

Overview: Using an OAuth token for single sign-on

After Access Policy Manager® (APM®) gets or validates an OAuth token, the token can be used for single sign-on (SSO). Simply create an OAuth bearer SSO configuration and select it from any configuration object where APM lets you do that; for example, in an access profile.
APM gets or validates tokens when OAuth Client or OAuth Scope agents run in a policy.

Task summary

Creating an OAuth bearer SSO configuration to generate JWT

You create an OAuth bearer SSO configuration when you want to allow single-sign on using an OAuth token. SSO generates a signed JWT (JSON web token) and sends it to the backend as an OAuth bearer token.
  1. On the Main tab, select
    Access
    Single Sign-On
    OAuth Bearer
    .
    The OAuth Bearer Configurations screen opens.
  2. Click
    Create
    .
    The New SSO Configuration screen opens.
  3. In the
    Name
    field, type a name for the SSO configuration.
    The maximum length of a single sign-on configuration is 225 characters, including the partition name.
  4. For
    Send Token
    , select when to send the token:
    • To always send the token, select
      Always
      .
    • To send the token when you receive a 4xx response from the server, select
      On 4xx Response
      and choose one or more 4xx responses.
  5. For
    Log Settings
    , select the log settings to use for the access event logs.
    By default, the log settings specified in the access profile are used. You can also create custom log settings or use the
    default-log-setting
    for this SSO configuration. Click
    +
    to create custom settings.
  6. For
    Token Source
    , select
    Generate JWT
    and follow the remaining steps in this task to define the JWT.
  7. For
    Issuer
    , type the URL for the JWT issuer. For example,
    https://jwt-issuer.com
    .
  8. In
    Subject
    , retain the default value,
    %{session.assigned.uuid}
    , or type a subject for the JWT.
    The session variable
    session.assigned.uuid
    contains the UUID that the system assigns to the session after the access policy completes.
  9. To increase performance until the cached JWT expires, click
    Enable Token Cache
    to store the token in cache for the session and reuse it as needed.
  10. For
    Access Token Lifetime
    , type the number of minutes you want the JWT access token to be considered valid.
    The default is 5 minutes.
  11. From
    Signing Key
    , select the JWK key configuration previously created for signing the token.
  12. For
    Audience
    , add the audience claim or claims for which the JWT access token is intended. This is a list of values. Each value in this list can be a string, URI, or session variable.
  13. For
    Scope
    , type one or more space-separated scope strings (using the ASCII character set) or session variables. For example,
    openid phone email
    .
    For example, to create a JWT claim called
    scope
    , specify it here. You cannot use reserved words such as
    scope
    as the name of a JWT claim.
  14. If you created claims for the token, for
    JWT Claims
    , move the previously created claims you want to use to the
    Selected
    list.
  15. The other fields are not required but you can set them if needed.
  16. Click
    Finished
    .
When you configure an APM object that supports single sign-on, it includes an
SSO Configuration
property. Select the SSO bearer configuration from the object where you want to put SSO into effect.

Adding OAuth bearer SSO to an access profile

You add an OAuth bearer SSO configuration to an access profile if you want to allow single sign-on using an OAuth bearer token.
You can also select an SSO configuration from a portal access resource.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. Click
    SSO / Auth Domains
    on the menu bar.
    The SSO Across Authentication Domains screen opens.
  4. From the
    SSO Configuration
    list, select the OAuth bearer SSO configuration you want the access profile to use.
    Other settings on the screen are not relevant when using an OAuth bearer SSO configuration.
  5. Click
    Update
    .
An access profile goes into effect when it is associated with a virtual server.

About OAuth statistics collection

Access Policy Manager (APM®) collects OAuth performance statistics on the BIG-IP system. After you configure and start to use APM as an OAuth server or an OAuth client and resource server, APM collects statistics without requiring any additional setup.

Charting OAuth client and resource server performance

To perform this task, you must be logged into the BIG-IP system in one of these user roles: manager, administrator, or resource administrator.
You chart server performance when you want to see the rate of requests that Access Policy Manager (APM), acting as an OAuth client or resource server or both, processes over a period of time.
  1. On the Main tab, click
    Access
    Overview
    OAuth Reports
    Client / Resource Server
    .
    The x-axis for the chart specifies time. The y-axis specifies the rate: requests per second.
    The screen displays the Overview line graph with data from the last hour. The legend specifies the request types represented by each colored line;
    Error
    represents errors that occurred for any of the requests.
  2. To display the rate of requests for the interval represented by a point in the chart, place your cursor at the point in the chart.
    The legend updates to display the rates.
  3. To get the number of requests for a point in the chart, multiply the rate by the number of seconds in the interval.
    The interval between two consecutive points on a chart depends on the selected
    Time
    .
  4. To generate the chart for another period of time, select one from the
    Time
    list.

OAuth performance chart intervals

The interval between two consecutive points in an OAuth performance chart depends on the time period selected for the chart.
Time
Interval
Last hour
30 seconds
Last 3 hours
1 minute (60 seconds)
Last 12 hours
6 minutes (360 seconds)
Last day
12 minutes (720 seconds)
Last week
1 hour (3600 seconds)
Last 30 days
4 hours (14400 seconds)
Last 3 months
12 hours (43200 seconds)
Last 6 months
1 day (86400 seconds)

OAuth client and resource server troubleshooting tips

You might run into problems with an OAuth client or resource server on the BIG-IP system in some instances. Follow these tips to try to resolve any issues you might encounter.
Log message
Possible explanations and corrective actions
OAuth Client: SSL profile from apmd is missing
The server SSL profile is missing for the OAuth client or resource server that is specified in the OAuth server configuration. Verify the OAuth server configuration on the BIG-IP system.
Invalid URI log
One or more URIs are not configured properly for the OAuth provider. Verify the OAuth provider configuration on the BIG-IP system.
Failed to initialize OAuth agent
This is an internal APMD error; this error should not occur.
OAuth request is not configured for agent
A particular request object is not configured properly. Verify request object configuration on the BIG-IP system.
OAuth Client: state parameters do not match
This is an internal APMD error; this error should not occur.
OAuth Authorization redirect is empty
The authorization redirect request URI is invalid. Verify the OAuth Client agent configuration in the policy and verify the configuration for the authorization redirect request that it specifies.
Authorization code not found
Authorization code sent by the authorization server is not found. There could be a problem on the OAuth client or on the external authorization server. Examine the error logs on the external authorization server.
OAuth Client: Unsupported grant type
An improper grant type was used from the OAuth Client; this error should not occur.
OAuth Client: Unsupported parameter type
A parameter for an OAuth request was invalid; this error should not occur.
OAuth Response is empty from server
The OAuth client (or resource server) received an empty response from the authorization server. Examine the error logs on the external authorization server.
OAuth Scope: Failed to get scope details for scope
The OAuth resource server failed to get scope details. Examine the error logs on the external authorization server.
Unsupported agent type
This is an internal APMD error; this error should not occur.
OAuth Error Code received
The OAuth client received an error code. Use the error code and message to help with troubleshooting.
Access Token validation failed for server
This warning means that the OAuth client agent failed to validate the token. When this happens, the OAuth client tries to refresh or get a new token
OAuth Client: Failed to refresh token for server
This warning means that the OAuth client failed to refresh an access token. When this happens, the OAuth client tries to fetch a new token.
HTTP error 503, connect failed
This error indicates that the OAuth client or resource server failed to connect to the authorization server. Typically, this is caused by one or more configuration issues. Verify that these aspects of your configuration are correct:
  • DNS
  • Default gateway on the BIG-IP system
  • Proper SSL certificates on the OAuth server
Invalid JWS token
Configure JSON web keys (JWKs) to verify this JSON Web Token (JWT) signature; or, request a new valid JWT
Invalid b64url encoded header
The authorization server must include a base64 URL-encoded JSON Object Signing and Encryption (JOSE) header in the JWT.
Invalid JSON
Request a new valid JWT.
Unsecured JWT should have alg none
In an unsecured JWT, the authorization server must send a JOSE header with alg: none.
Empty header: Algorithm(alg) field mandatory
The authorization server must send a JOSE header with the "alg" claim and value.
Empty payload: Issuer(iss) field mandatory
The authorization server must send a JOSE payload with the "iss" claim and value.
crit must be an array of string
If the authorization server sends the "crit" header parameter, it must be a string array.
crit must be a non-empty array of string
If "crit" header parameter is specified in the JWT that the authorization server sends, it must be a non-empty string array.
Invalid JOSE header parameter
The JOSE header parameter sent in the JWT was invalid. Request a new valid JWT.
Unsupported algorithm
Request a JWT signed by an algorithm supported by F5 Client.
Missing mandatory alg header parameter
The authorization server must send a JOSE header with the "alg" claim and value.
No provider supporting alg none is found with issuer
Configure the provider that matches this issuer with allowed algorithms=none.
Issuer Mismatch
Configure the right issuer for this provider; or, request a JWT from the right provider.
Audience not found
The JWT was not meant for this client; or, configure the right audience for the client.
JWT not active before nbf
Invalid JWT received; request a new JWT.
JWT expired
Request another JWT, because the received JWT has expired.
Audience is not string
Configuration on the authorization server that sends JWT must send the audience claim with a string value.
Token blacklisted
The received JWT has been blacklisted; request a new valid JWT.
Signature verification failed
Signature verification of the JWT did not succeed.
Internal error during Signature verification
Check JWK key configuration to match JWT signature
Initialization failed
Make sure the JWK key configuration matches the JWT algorithms
JWT symmetric signature match failed
Configure the correct symmetric key to verify this JWT signature.
No JWK keys found to verify signature
Configure the correct key to verify the received JWT signature.