Manual Chapter : Creating an OAuth authentication subroutine

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Seamless OAuth with Okta and RADIUS MFA

Updated Date: 04/30/2026

Creating an OAuth authentication subroutine

You should have a per-request policy, an OAuth authentication server for authentication with Okta, and RADIUS server for authentication with MFA.

Create the subroutines to allow continuous checks and authentication with OAuth and MFA when the user goes to a specific URL.

  1. From the Main tab, click Access > Profiles / Policies > Per-Request Policies.

  2. Find the policy you want to edit, and in the Per-Request Policy column, click Edit.

  3. In the per-request policy, click Add New Subroutine.

  4. Name the subroutine for use with OAuth and MFA. For example, OAuth Login.

  5. Click Save.

  6. Expand the subroutine, and click the plus to add a new item.

  7. Click the Authentication tab, select OAuth Client, and click Add Item.

  8. Configure the OAuth client settings for your environment.

  9. Click Save.

  10. On the Successful branch, click the plus to add a new item.

  11. Click the Authentication tab, select OAuth Scope, and click Add Item.

  12. Configure the OAuth scope settings for your environment.

  13. Click Save.

  14. On the Successful branch, click (+) to add a new item.

  15. Click the Assignment tab, select Variable Assign, and click Add Item.

  16. Click Add new entry.

  17. On the left, select Custom Variable and type subsession.logon.last.username.

  18. On the right, select Session Variable and type subsession.oauth.client.last.id_token.preferred_username.

  19. Specify terminals for success and fail branches.

    This example shows a completed subroutine for OAuth auth.

The OAuth auth subroutine is now configured.

Configure the MFA subroutine, and add the subroutines to a per-request policy.