Updated Date: 04/30/2026
Configuring an OAuth server for APM as client and resource server
You configure the OAuth servers that process requests from Access Policy Manager (APM).
Note: For APM to play the role of an OAuth client and an OAuth resource server, configure OAuth servers with Mode set to Client + Resource Server.
- On the Main tab, click Access > Federation > OAuth Client / Resource Server > OAuth Server.
  The OAuth Server screen opens.
- Click Create.
- In the Name field, type a name for the object.
- From the Mode list, select Client + Resource Server.
  APM can use this OAuth server to request access tokens and scope details, such as an email address for the user.
  The Client Settings and Resource Server Settings areas display.
- From the Type list, select Okta.
- From the OAuth Provider list, select the Okta OAuth provider you defined.
- From the DNS Resolver list, select a DNS resolver (or click the plus (+) icon, create a DNS resolver, and then select it).
- In the Token Validation Interval field, type a number.
  If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
- In the Client Settings area, fill in these fields:
  You should have received a client ID and client secret when you registered APM as a client of the OAuth authorization server.
  - In the Client ID field, type or paste the client ID.
  - In the Client Secret field, type or paste the secret.
  - From the Client’s ServerSSL Profile Name list, select a server SSL profile.
- In the Resource Server Settings area, fill in these fields:
  You should have received an ID and secret from the OAuth authorization server when you registered APM with it.
  Note: Social account providers supply only a client ID and client secret. For social account providers, use the client ID and client secret as both the client and the resource server IDs and secrets.
  - In the Resource Server ID field, type or paste the resource server ID (for an enterprise provider).
    For a social provider, type or paste the client ID instead.
  - In the Resource Server Secret field, type or paste the resource server secret (for an enterprise provider).
    For a social provider, type or paste the client secret instead.
  - From the Resource Server’s ServerSSL Profile Name list, select a server SSL profile.
- Click Finished.
  The server displays on the OAuth Servers screen.
You can now select the OAuth server that you configured from the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy.