Manual Chapter : OAuth Client and Resource Server

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 13.0.1, 13.0.0
Manual Chapter

OAuth 2.0 authorization servers that APM supports

Access Policy Manager® (APM®) supports OAuth 2.0 only. When configured as an OAuth client and resource server, APM has been tested with these OAuth authorization servers:

  • F5 - APM configured as an OAuth authorization server on another BIG-IP® system.
  • Ping Identity - PingFederate
  • Facebook
  • Google

For compatibility information, see release notes for APM on the AskF5™ web site located at support.f5.com.

APM also supports the configuration of custom providers, that is, external OAuth 2.0 authorization servers that F5 has not tested. Custom providers should comply with RFC 6749.

Grant types that APM supports as an OAuth client

When configured as an OAuth client, Access Policy Manager® (APM®) supports authorization code and resource owner password credentials grant types.

About the OAuth client and resource server configuration

To configure Access Policy Manager® (APM®) as an OAuth client and resource server, first you must create these objects: OAuth providers, OAuth servers, and OAuth requests. Then, you must configure APM policies with agents that reference the objects to get tokens, get permission for scopes, and retrieve scopes.

About OAuth providers

An OAuth provider configuration object specifies authorization server endpoints on an external OAuth authorization server.

About OAuth servers

An OAuth server specifies an OAuth provider and the OAuth role that Access Policy Manager® (APM®) plays with that provider. It also specifies the IDs, secrets, and SSL certificates that APM requires to communicate with the OAuth provider.

About OAuth requests

In Access Policy Manager® (APM®), the request object enables configuration of requests to meet the requirements of your OAuth providers. The object supports requests for scope permission, scope data, authorization redirect, and tokens. It specifies the HTTP method, parameters, and headers to use for the specific type of request.

About OAuth Client

An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also validate tokens and get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:

Server
Specifies the OAuth server to which this OAuth client directs requests.
Grant Type
Specifies the type of grant that the OAuth client uses.
  • Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
  • Password - The client uses resource owner password credentials to request an access token from the OAuth server.
Authentication Redirect Request
Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
Token Request
Specifies a token-request type of request.
Refresh Token Request
Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.
Validate Token Request
Specifies a validation-scopes-request type of request to validate a token and to get a list of scopes associated with a token. APM uses this request on a per-request basis.
Redirection URI
Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.
Scope
Specifies one or more strings separated by spaces; for example contacts photo email. The strings are defined by the OAuth authorization server. Your best source of information for the strings that a particular OAuth authorization server defines could be APIs for OAuth 2.0 scopes on developer sites for OAuth providers.

For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.

Note: Requests are configured in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.

About OAuth Scope

The OAuth Scope agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list. The OAuth Scope item provides these elements and options:

Server
Specifies an OAuth server. (OAuth servers in resource server, or client and resource server modes are available for selection.)
Scopes Request
Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token.

There can be multiple scope data requests in this agent with these elements:

Scope Name
Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)
Request
Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.
Note: Requests are configured in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.

Overview: Configuring APM as an OAuth client and resource server

Register Access Policy Manager® (APM®) as a client to an external OAuth authorization server and get information from the external server about the scopes that it supports. Then configure the OAuth providers, servers, and requests to use from Access Policy Manager® (APM®) policies to interact with external OAuth authorization servers.

Task summary

Registering APM with a social media OAuth provider

For users to access resources that Access Policy Manager® (APM®) protects through social media accounts, you must add APM as a client application to an external server that provides OAuth authorization services.
Note: Perform this step whether you plan to use APM in the OAuth client role, the OAuth resource server role, or in both the OAuth client and OAuth resource server roles.
  1. Create a developer account with the provider.
    Go to Google or Facebook developer sites or go to another OAuth provider site.
  2. Log in to your developer account and add APM as a client application.
    Part of configuring APM as a client application should be to supply the provider with a redirect URI. The OAuth server uses it to redirect users back to APM OAuth client after they complete authorization. Type a URI that includes the FQDN for the virtual server you will configure on the BIG-IP system plus /oauth/client/redirect.
    Here is an example redirect URI: https://siterequest.com/oauth/client/redirect.
    Note: Type the correct scheme (HTTPS or HTTP) based on the settings for the virtual server.
  3. Copy the IDs and secrets from the configuration and keep them handy.
    To configure APM as an OAuth client, you need to provide a client ID and client secret when you configure an OAuth server in APM.
    To configure APM as an OAuth resource server, you need to provide a resource server ID and resource server secret when you configure an OAuth server in APM.
    Note: Social media account providers supply only a client ID and client secret; you must use them for the client and resource server IDs and the client and resource server secrets in APM.

Registering APM with an enterprise OAuth provider

To register Access Policy Manager® (APM®) as a client application of an enterprise provider, you must consult the enterprise provider documentation. For example, if F5 provides OAuth authorization services on another BIG-IP® system, you must register APM as a client or as a resource server on that BIG-IP system. F5 provides the necessary instructions in BIG-IP® Access Policy Manager®: Authentication and Single Sign-On on the AskF5™ web site located at support.f5.com.
For users to access resources that Access Policy Manager® (APM®) protects through enterprise accounts, you must add APM as a client application to an external server that provides OAuth authorization services.
Note: Perform this step whether you plan to use APM in the OAuth client role, the OAuth resource server role, or in both the OAuth client and OAuth resource server roles.
  1. Add APM as a client application of the enterprise OAuth authorization server following instructions from the enterprise provider.
    Part of configuring APM as a client application should be to supply the provider with a redirect URI. The OAuth server uses it to redirect users back to APM OAuth client after they complete authorization. Type a URI that includes the FQDN for the virtual server you will configure on the BIG-IP system plus /oauth/client/redirect.
    Here is an example redirect URI: https://siterequest.com/oauth/client/redirect.
    Note: Type the correct scheme (HTTPS or HTTP) based on the settings for the virtual server.
  2. Copy the IDs and secrets from the configuration and keep them handy.
    To configure APM as an OAuth client, you need to provide a client ID and client secret when you configure an OAuth server in APM.
    To configure APM as an OAuth resource server, you need to provide a resource server ID and resource server secret when you configure an OAuth server in APM.

Configuring OAuth providers in APM

You specify the URIs on an external server where Access Policy Manager® (APM®) gets OAuth authorization services when configured as an OAuth client and resource server.
Note: APM provides preconfigured providers named F5, Facebook, Google, and Ping (PingFederate from Ping Identity).
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > Provider .
    The Provider screen opens.
  2. Click Create.
  3. In the Name field, type a name for the object.
  4. From the Type field, select a predefined type of provider, or select Custom.
    If you select a predefined type, the additional fields fill with default values where possible.
  5. In the Authentication URI field, type the URI on the provider where APM should redirect the user for authentication.
  6. In the Token URI field, type the URI on the provider where APM can get a token.
  7. In the Token Validation Scope URI field, type the URI on the provider where APM can get information about a specific token.
  8. Click Finished.
    The new provider displays on the Provider screen.

About OAuth client and resource server roles for APM

A Mode setting in the OAuth server configuration specifies the OAuth roles that you intend Access Policy Manager® (APM®) to play: OAuth client, OAuth resource server, or OAuth client and resource server. You can configure OAuth servers for each or any of the modes on one BIG-IP® system.

About SSL administration for OAuth clients and resource servers

You might need to perform some SSL administration tasks to support communication between Access Policy Manager® (APM®) as an OAuth client and an OAuth resource server, and external OAuth authorization servers. OAuth server objects on APM require a server SSL profile for an OAuth client and for an OAuth resource server.

SSL certificates are configured in the System > Certificate Management > Traffic Certificate Management area of the product.

Server SSL profiles are configured in the Local Traffic > Profiles > SSL > Server area of the product.

For more information, refer to BIG-IP® System: SSL Administration on the AskF5™ web site located at support.f5.com.

Configuring OAuth servers for APM as client and resource server

You configure the OAuth servers that process requests from Access Policy Manager® (APM®).
Note: For APM to play the role of an OAuth client and an OAuth resource server, configure OAuth servers with Mode set to Client + Resource Server.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > OAuth Server .
    The OAuth Server screen opens.
  2. Click Create.
  3. In the Name field, type a name for the object.
  4. From the Mode list, select Client + Resource Server.
    APM can use this OAuth server to request access tokens and scope details, such as an email address for the user.
    The Client Settings and Resource Server Settings areas display.
  5. From the Type list, to get OAuth authorization services from another BIG-IP® system, retain the default selection F5; otherwise select another type.
    If any providers of the selected type exist, the OAuth Provider field displays one.
  6. From the OAuth Provider list, retain the default selection or select another provider.
  7. From the DNS Resolver list, select a DNS resolver (or click the plus (+) icon, create a DNS resolver, and then select it).
  8. In the Token Validation Interval field, type a number.
    If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
  9. In the Client Settings area, fill in these fields:
    You should have gotten a client ID and client secret when you registered APM as a client of the OAuth authorization server.
    1. In the Client ID field, type or paste the client ID.
    2. In the Client Secret field, type or paste the secret.
    3. From the Client's ServerSSL Profile Name, select a server SSL profile.
  10. In the Resource Server Settings area, fill in these fields.
    You should have gotten an ID and secret from the OAuth authorization server when you registered APM with it.
    Note: Social account providers supply only client ID and client secret. For social account providers, use the client ID and client secret for the client and the resource server IDs and secrets.
    1. In the Resource Server ID field, type or paste the resource server ID (for an enterprise provider).
      For a social provider, type or paste the client ID instead.
    2. In the Resource Server Secret field, type or paste the resource server secret (for an enterprise provider).
      For a social provider, type or paste the client secret instead.
    3. From the Resource Server's ServerSSL Profile Name, select a server SSL profile.
  11. Click Finished.
    The server displays on the OAuth Servers screen.
The OAuth servers that you have configured are available for selection from the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy.

Configuring OAuth servers for APM as a client

You configure the OAuth servers that process requests from Access Policy Manager® (APM®).
Note: For APM to play the role of an OAuth client only, configure OAuth servers with Mode set to Client.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > OAuth Server .
    The OAuth Server screen opens.
  2. Click Create.
  3. In the Name field, type a name for the object.
  4. From the Mode list, select Client.
    In this mode, APM can request access tokens from this OAuth server; APM can also validate an existing access token and refresh it when expired on a per-request basis.
    The Client Settings area displays.
  5. From the Type list, to get OAuth authorization services from another BIG-IP® system, retain the default selection F5; otherwise select another type.
    If any providers of the selected type exist, the OAuth Provider field displays one.
  6. From the OAuth Provider list, retain the default selection or select another provider.
  7. From the DNS Resolver list, select a DNS resolver (or click the plus (+) icon, create a DNS resolver, and then select it).
  8. In the Token Validation Interval field, type a number.
    If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
  9. In the Client Settings area, fill in these fields:
    You should have gotten a client ID and client secret when you registered APM as a client of the OAuth authorization server.
    1. In the Client ID field, type or paste the client ID.
    2. In the Client Secret field, type or paste the secret.
    3. From the Client's ServerSSL Profile Name, select a server SSL profile.
  10. Click Finished.
    The server displays on the OAuth Servers screen.
The OAuth servers that you have configured are available for selection from the OAuth Client agent when you configure an access policy or a per-request policy.

Configuring OAuth servers for APM as a resource server

You configure the OAuth servers that process requests from Access Policy Manager® (APM®).
Note: For APM to play the role of an OAuth resource server only, configure OAuth servers with Mode set to Resource Server.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > OAuth Server .
    The OAuth Server screen opens.
  2. Click Create.
  3. In the Name field, type a name for the object.
  4. From the Mode list, select Resource.
    APM can use this OAuth server to request a list of scopes associated with the access token , request details for a particular scope, such as an email address for the user, or to make both types of requests.
    The Resource Server Settings area displays.
  5. From the Type list, to get OAuth authorization services from another BIG-IP® system, retain the default selection F5; otherwise select another type.
    If any providers of the selected type exist, the OAuth Provider field displays one.
  6. From the OAuth Provider list, retain the default selection or select another provider.
  7. From the DNS Resolver list, select a DNS resolver (or click the plus (+) icon, create a DNS resolver, and then select it).
  8. In the Token Validation Interval field, type a number.
    If you configure a per-request policy subroutine to validate the token, the subroutine repeats at this interval, or the expiry time of the access token, whichever is shorter.
  9. In the Resource Server Settings area, fill in these fields.
    You should have gotten an ID and secret from the OAuth authorization server when you registered APM with it.
    Note: Social account providers supply only client ID and client secret. For social account providers, use the client ID and client secret for the client and the resource server IDs and secrets.
    1. In the Resource Server ID field, type or paste the resource server ID (for an enterprise provider).
      For a social provider, type or paste the client ID instead.
    2. In the Resource Server Secret field, type or paste the resource server secret (for an enterprise provider).
      For a social provider, type or paste the client secret instead.
    3. From the Resource Server's ServerSSL Profile Name, select a server SSL profile.
  10. Click Finished.
    The server displays on the OAuth Servers screen.
The OAuth servers that you have configured are available for selection from the OAuth Scope agent when you configure an access policy or a per-request policy.

Configuring requests for preconfigured providers

Configure requests for token validation, getting scopes and scope details, authorization redirect, access token, or refresh token to meet the specifications of the provider.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > Requests .
    APM supplies several preconfigured requests for these providers: F5 (APM), Facebook, Google, and Ping Identity (PingFederate).
  2. To copy a request:
    Note: You cannot delete or update preconfigured requests. However, you can copy preconfigured requests and update the copies. You can also create new requests.
    1. Click the Copy link.
    2. In the New Request Name field, type a name.
    3. Click Copy.
      The Properties screen for the new request displays.
  3. For the HTTP Method and Type settings, retain the existing values or select new ones.
  4. To edit existing request parameters:
    1. From Request Parameters, select an entry and click Edit.
      The entry populates the Parameter Type and Parameter Name fields, and, for a custom parameter type, the Parameter Value field.
    2. Update the newly populated fields.
      Important: Do not configure a CODE, REFRESH_TOKEN, or STATE parameter. APM adds these parameters automatically when needed.
    3. Click Add.
      The updated request parameters display in the list.
  5. Add, delete, or edit any request parameters.
  6. To add a request header:
    1. In the Header Name field, type a name.
    2. In the Header Value field, type a value.
    3. Click Add.
    The entry displays in the Request Headers field.
  7. Click Update.
The request displays in the list on the screen.
Requests are available for selection in the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy subroutine.

Configuring requests for custom providers

To perform this task, you need to understand the request parameters, request values, request headers, and HTTP method that the external OAuth authorization server supports for the type of request you plan to specify.
You configure a request for token validation, getting scopes and scope details, authorization redirect, access token, or refresh token that meets the specifications of the custom provider.
Note: APM provides preconfigured providers, F5 (APM), Facebook, Google, Ping Identity (PingFederate), and supports configuration of custom providers.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > Requests .
    APM supplies several preconfigured requests for these providers: F5, Facebook, Google, and Ping Identity (PingFederate).
  2. Click Create.
  3. In the Name field, type a name.
  4. For HTTP Method, retain POST or select GET.
  5. From the Type list, select a request type.
  6. If you selected the scope-data-request type, type a URI in the URI field.
  7. Specify request parameters:
    1. From Parameter Type, select an option.
      If you select custom, the Parameter Value field displays.
    2. In the Parameter Name field, type a name as specified by your provider.
      Important: Do not configure a CODE, REFRESH_TOKEN, or STATE parameter. APM adds these parameters automatically when needed.
    3. In the Parameter Value field, type a value.
    4. Click Add.
      The entry displays in the Request Parameters field.
  8. Add request headers if needed:
    1. In the Header Name field, type a name.
    2. In the Header Value field, type a value.
    3. Click Add.
    The entry displays in the Request Headers field.
  9. Click Finished.
The request displays in the list on the screen.
Requests are available for selection in the OAuth Client and OAuth Scope agents when you configure an access policy or a per-request policy subroutine.

OAuth request type reference

The table lists OAuth request types, and specifies the agents that use them and the policies where they are used.

Request type Description Agents and policies where used
auth-redirect-request Redirects a user to an authorization server. An OAuth Client agent uses this request at the start of a session (from the access policy) and can also use it from a per-request policy subroutine. This request is applicable when the OAuth Client is configured with the authorization code grant.
token-request Accesses an authorization server to obtain an access token or exchange an authorization code for an access token. An OAuth Client agent uses this request at the start of a session (from the access policy) and can also use it from a per-request policy subroutine.
token-refresh-request Refreshes an expired access token. An OAuth Client agent can make token refresh requests from a per-request policy subroutine.
validation-scopes-request Accesses an authorization server to get a list of scopes associated with an access token and to get scope data for those scopes.
  • An OAuth Scope agent uses this request at the start of a session (from the access policy) and can also use it from a per-request policy subroutine. The preconfigured F5ScopesRequest request is designed for use when APM is the OAuth server.
  • An OAuth Client agent can use this request type from a per-request policy subroutine. The preconfigured F5TokenValidation request is designed for use when APM is the OAuth server.
scope-data-request Accesses an authorization server to get scope data. An OAuth Scope agent can use this request type from an access policy and can also use it from a per-request policy subroutine.

Implementation result

The OAuth provider, server, and request objects are ready for use in OAuth Client and OAuth Scope agents in access policies and per-request policy subroutines.

Overview: Configuring policies for OAuth client and resource server

When Access Policy Manager® (APM®) acts as an OAuth client, an OAuth Client policy item can obtain an access token (and a refresh token if configured to do so) at the start of a session through the access policy.

Throughout the session, an OAuth Client policy item can run periodically from a per-request policy subroutine to validate the token, and, when the token expires, make an attempt to refresh the access token (if a refresh token exists) or authenticate the user anew.

When APM acts as an OAuth resource server, an OAuth Scope policy item can be used to validate a token and make scope data requests from the access policy and, periodically, from a per-request policy subroutine.

Task summary

Sample policy: Get an access token once per session

To obtain an access token one time only for the session, you need to configure an access policy. The OAuth Client agent can request a token.

With this access policy, the user logs on through a BIG-IP® system. The OAuth Client agent obtains an access token, and an OAuth Scope agent tries to retrieve the list of scopes associated with the token from the OAuth provider. The session starts. When the token expires, the system makes no attempt to refresh it.

Sample policies: Get a token and validate it for each request

To obtain an access token and to validate it for each request, first you need an access policy to obtain the token.

Access policy for APM as an OAuth client and resource server

To periodically validate and refresh the token, you need a per-request policy subroutine.

Per-request policy runs for each request but subroutine runs at an interval

Sample policy: Validate tokens per-request

When Access Policy Manager® (APM®) acts as an OAuth resource server, an OAuth Scope agent validates tokens obtained from the incoming request.

Per-request policy runs for each request, while subroutine runs only at an interval

Which access profile types support OAuth client and resource server?

The access profile type dictates which policy agents are available for use in an access policy. The access policy agents that Access Policy Manager® (APM®) uses to make requests as an OAuth client or OAuth resource server are available when you configure access policies for these access profile types:

  • LTM-APM: For a web access management configuration.
  • SSL-VPN: For network access, portal access, or application access configurations.
  • ALL: For LTM-APM and SSL-VPN access types.
  • SWG - Explicit: For explicit forward proxy.
  • SWG - Transparent: For transparent forward proxy.

Creating an access profile for OAuth client and resource server

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select one these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Configuring an OAuth Client agent in an access policy

Before you start, you need an OAuth server configured in Access Policy Manager® (APM®) that supports clients (Mode is set to Client or Client + Resource Server) .
You add an OAuth Client agent to an access policy to request authorization from an OAuth server for one or more scopes. You can add more than one OAuth Client item to an access policy, with each item requesting permission for additional scopes.
Note: You can add the OAuth Client agent to the access policy for any of these access profile types: ALL, LTM-APM, SSL-VPN, SWG - Explicit, and SWG -Transparent.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Authentication tab, select OAuth Client.
  5. Click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  6. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  7. From the Server list, select an OAuth server.
    Only OAuth servers configured with Mode set to Client or Client + Resource Server display.
  8. From the Grant Type list, select one of these options:
    • Authorization code - Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token
    • Password - Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen you must insert a logon page before the OAuth Client item in the access or the per-request policy.
    If you select Authorization code, the Redirection URI field displays.
  9. Select the requests to make to the OAuth server from the access policy.
    • Authentication Redirect Request - Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
    • Token Request - Specifies a token-request type of request.
    You can make selections from the Refresh Token Request and Validate Token Request lists, but the OAuth Client does not use these requests from an access policy.
    Requests are configured in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.
  10. If the Redirection URI field displays, retain the default value (https://%{session.server.network.name}/oauth/client/redirect) or type a URI that points back to the APM client.
    Important: If you type a URI, you must retain this path /oauth/client/redirect. Only change the host name portion of the URI.
    The OAuth server uses the URI to send the user back to APM.
  11. In the Scope field, type one or more scopes separated by spaces.
    Note: Each time you add another OAuth Client agent to a policy, you must include the scopes (for example, email photos) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example, email photos contacts).
    Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
  12. Click Save.
    The Properties screen closes. The newly added item displays in the policy.
  13. If you selected Password from the Grant Type list, you must insert a logon page agent to precede the OAuth Client agent.
    1. Click (+) ahead of the OAuth Client on the policy branch.
    2. On the Logon Page tab, select OAuth Logon Page and click Add Item.
      A Properties screen displays.
    3. Click Save.
      The properties screen closes. The policy displays.
  14. Complete the policy:
    1. Add any branch rules that you need.
      By default, the OAuth Client item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on authorization server response to suit your needs.
    2. Change branch endings as needed; change Deny to Allow where you want to provide access.
  15. Click the Apply Access Policy link to apply and activate the changes to the policy.

Configuring an OAuth Scope agent in an access policy

Before you start, you need an OAuth server that supports resource servers (Mode is set to Resource or Client + Resource Server) configured in Access Policy Manager® (APM®).
You add an OAuth Scope item to a policy to request the list of scopes associated with an access token or to request scope data from the OAuth server.
Note: You can add the OAuth Scope agent to an access policy for any of these access profile types: ALL, LTM-APM, SSL-VPN, SWG - Explicit, and SWG -Transparent.
Note: If the access policy already includes an OAuth Client item, place the OAuth Scope agent somewhere after the OAuth Client on the policy branch.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Authentication tab, select OAuth Scope.
  5. Click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  6. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  7. From the Server list, select an OAuth server.
    Only OAuth servers configured with Mode set to Resource Server or Client + Resource Server display.
  8. To get a list of scopes associated with an access token, from the Scopes Request list, select a request to send to the OAuth provider.
    The list displays validation-scopes-request types.
    If F5 (APM) is the OAuth provider, select F5ScopesRequest.
    Requests are configured in the Federation > OAuth Client / Resource Server > Requests area of the product.
  9. To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
    1. Click Add new entry.
      A new line is added to the list of entries.
    2. In the Scope Name field, type the name of a scope that the OAuth provider supports.
      The scope must be associated with the access token. (The user must have granted permission for this scope.)
      For example, some OAuth providers support scopes named email or profile.
    3. From the Request list, select a request.
      The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  10. Click Save.
    The Properties screen closes. The newly added item displays in the policy.
  11. Complete the policy:
    1. Add any additional policy items you require.
    2. Change the ending from Deny to Allow on any access policy branch on which you want to grant access.
  12. Click the Apply Access Policy link to apply and activate the changes to the policy.

What causes a subroutine to run for an OAuth server?

A per-request policy runs at each request. A per-request policy subroutine runs periodically at whichever of these intervals is shorter: the number of minutes specified in the OAuth server Token Validation Interval field on Access Policy Manager® (APM®), or the interval that the external OAuth authentication server specifies in the expires_in attribute of the access token it issues.

Configuring an OAuth Client agent in a subroutine

Before you start, you need, an OAuth server configured in Access Policy Manager® (APM®) that supports clients (Mode is set to Client or Client + Resource Server) .
You configure a per-request policy subroutine to periodically validate an OAuth token, to obtain a new or a refresh token, to get scopes and scope data.
  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    The Per-Request Policies screen opens.
  2. In the Name field, locate the policy that you want to update, then in the Per-Request Policy field, click the Edit link.
    The visual policy editor opens in another tab.
  3. Click the Add New Subroutine button.
    A popup screen opens.
  4. On the Subroutine from template list, retain the selection Empty, and click Save.
    The popup screen closes. The subroutine, with the heading [+] Subroutine: Name , displays below the main editor.
  5. Expand the subroutine by clicking the [+] icon.
    The subroutine displays.
  6. Click the (+) icon anywhere in the subroutine to add a new item.
    A small set of actions are provided for building a subroutine.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. On the Authentication tab, select OAuth Client.
  8. Click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  9. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  10. From the Server list, select an OAuth server.
    Only OAuth servers configured with Mode set to Client or Client + Resource Server display.
  11. From the Grant Type list, select one of these:
    • Authorization code - Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token
    • Password - Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen, you must insert a logon page before the OAuth Client item in the access or the per-request policy.
      Note: If you select the password grant type, every time the per-request policy subroutine runs, it must request credentials from the user.
  12. Select requests for the per-request policy to make to the OAuth server.
    • Authentication Redirect Request - Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
    • Token Request - Specifies a token-request type of request.
    • Refresh Token Request - Specifies a token-refresh-request type of request.
    • Validate Token Request - Specifies a validation-scopes-request type of request, which can get a list of scopes for an existing token and get data for the scopes.
      Note: If F5 (APM) is the OAuth provider, select F5TokenValidation.
    Requests are configured in the Access > Federation > OAuth Client / Resource Server > Requests area of the product.
  13. If the Redirection URI field displays, retain the default value (https://%{session.server.network.name}/oauth/client/redirect) or type a URI that points back to the APM client.
    Important: If you type a URI, you must retain this path /oauth/client/redirect. Only change the host name portion of the URI.
    The OAuth server uses the URI to send the user back to APM.
  14. In the Scope field, type one or more scopes separated by spaces.
    Note: Each time you add another OAuth Client agent to a policy, you must include the scopes (for example, email photos) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example, email photos contacts).
    Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
  15. Click Save.
    The Properties screen closes. The newly added item displays in the policy.
  16. If you selected Password from the Grant Type list, you must insert a logon page agent to precede the OAuth Client agent.
    1. Click (+) ahead of the OAuth Client on the policy branch.
    2. On the Logon Page tab, select OAuth Logon Page and click Add Item.
      A Properties screen displays.
    3. Click Save.
      The properties screen closes. The policy displays.
  17. Complete the policy:
    1. Add any branch rules that you need.
      By default, the OAuth Client item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on authorization server response to suit your needs.
    2. Change branch endings as needed; change Deny to Allow where you want to provide access.
  18. Add the subroutine to the per-request policy:
    1. On a per-request policy branch, click the (+) icon.
    2. Select the Subroutines tab.
    3. Select the subroutine and click Add Item.
      The popup screen closes and the policy displays.
  19. To rename the subroutine or to update number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
    1. Click Subroutine Settings/Rename.
    2. To rename the subroutine, type in the Name field.
    3. To update the timeout, type a number in the Subroutine Timeout (sec) field.
      Important: No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
    4. Click Save.
      The popup screen closes. The subroutine displays in the policy.
To affect network traffic, along with an access policy, a per-request policy must be specified on a virtual server.

Configuring an OAuth Scope agent in a subroutine

Before you start, you need an OAuth server that supports resource servers (Mode is set to Resource or Client + Resource Server) configured in Access Policy Manager® (APM®).
To periodically get scopes and scope data for an existing access token, you configure an OAuth Scope agent in a per-request policy subroutine.
  1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    The Per-Request Policies screen opens.
  2. In the Name field, locate the policy that you want to update, then in the Per-Request Policy field, click the Edit link.
    The visual policy editor opens in another tab.
  3. Click the Add New Subroutine button.
    A popup screen opens.
  4. On the Subroutine from template list, retain the selection Empty, and click Save.
    The popup screen closes. The subroutine, with the heading [+] Subroutine: Name , displays below the main editor.
  5. Expand the subroutine by clicking the [+] icon.
    The subroutine displays.
  6. Click the (+) icon anywhere in the subroutine to add a new item.
    A small set of actions are provided for building a subroutine.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. On the Authentication tab, select OAuth Scope.
  8. Click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  9. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  10. From the Server list, select an OAuth server.
    Only OAuth servers configured with Mode set to Resource Server or Client + Resource Server display.
  11. From the Server list, select an OAuth server.
    Only OAuth servers configured with Mode set to Client or Client + Resource Server display.
  12. To get a list of scopes associated with an access token, from the Scopes Request list, select a request to send to the OAuth provider.
    The list displays validation-scopes-request types.
    If F5 (APM) is the OAuth provider, select F5ScopesRequest.
    Requests are configured in the Federation > OAuth Client / Resource Server > Requests area of the product.
  13. To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
    1. Click Add new entry.
      A new line is added to the list of entries.
    2. In the Scope Name field, type the name of a scope that the OAuth provider supports.
      The scope must be associated with the access token. (The user must have granted permission for this scope.)
      For example, some OAuth providers support scopes named email or profile.
    3. From the Request list, select a request.
      The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  14. Click Save.
    The Properties screen closes. The newly added item displays in the policy.
  15. Add the subroutine to the per-request policy:
    1. On a per-request policy branch, click the (+) icon.
    2. Select the Subroutines tab.
    3. Select the subroutine and click Add Item.
      The popup screen closes and the policy displays.
  16. To rename the subroutine or to update number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
    1. Click Subroutine Settings/Rename.
    2. To rename the subroutine, type in the Name field.
    3. To update the timeout, type a number in the Subroutine Timeout (sec) field.
      Important: No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
    4. Click Save.
      The popup screen closes. The subroutine displays in the policy.
To affect network traffic, along with an access policy, a per-request policy must be specified on a virtual server.

Creating a virtual server to manage HTTPS traffic

You can create a virtual server to manage HTTPS traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Service Port field, type 443 or select HTTPS from the list.
  5. From the HTTP Profile list, select http.
  6. For the SSL Profile (Client) setting, from the Available list, select clientssl, and using the Move button, move the name to the Selected list.
  7. Click Finished.
The HTTPS virtual server appears in the Virtual Server List screen.

Adding access profile and per-request policy to the virtual server

You associate an access profile with a virtual server for use in establishing an access session. If you have configured a per-request policy, which is for use throughout the access session, you associate it with the virtual server also.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that manages access for the web application you are securing.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  5. Click Update.
The access profile (and access policy) and the per-request policy are now associated with the virtual server.

Overview: Customizing an OAuth Logon Page

The default OAuth Logon Page agent displays messages that instruct the user to log in using an authorization code or a resource owner password credentials (ROPC) grant type. It displays option buttons from which users select the OAuth provider through whom they want to log in.

Note: For an alternative look and feel, an advanced customization template for the OAuth Logon Page agent is available on DevCentral.

Customization options in the OAuth Logon Page agent enable an admin to add, update, delete, and reorganize the OAuth providers, as well as to configure the fields and text to display.

About the OAuth Logon Page advanced customization template

The OAuth Logon Page advanced customization template provides the code and the images necessary to display a logon page that, by default, looks like this.

OAuth Logon Page (advanced customization template)

Note: No affiliation between F5 Networks, Inc. (and its affiliated companies), and any of the above companies, including their associated products and services, relating to the functionality above, exists or is implied, nor is there any actual or implied recommendation or endorsement thereof.

The template forms a starting point for additional customization to achieve a logon page with the preferred providers, images, colors, fields, and text.

The OAuth Logon Page template is available for download from DevCentral™ at devcentral.f5.com. Instructions for advanced customization with the OAuth Logon Page template are also available in BIG-IP® Access Policy Manager®: Advanced Customization Examples on DevCentral.

Updating OAuth providers on the OAuth Logon Page

You can add, delete, and reorder the list of OAuth providers that display on an OAuth Logon Page.
  1. Open the per-session policy (or the per-request policy subroutine) that you want to update.
  2. Click the OAuth Logon Page item.
    A Properties screen opens.
  3. In row 1 of the Logon Page Agent table, click the Values field.
    Row 1 contains values for the oauthprovidertype variable.
    A popup screen displays options with a Value and a Text field for each provider.
  4. Add, delete, or reorder the providers, and click Finished.
    The popup screen closes. The updated list of providers displays in the Values field in row 1.
  5. If you added a provider, add a branch rule for that provider:
    1. Click the Branch Rules tab.
    2. Click Add Branch Rule.
      A new entry with Name and Expression settings displays.
    3. In the Name field, replace the default name by typing a new name.
      The name appears on the branch in the policy.
    4. Select and copy an expression from another branch rule.
      For example, copy the expression displayed for the F5 branch rule:
                                          
      expr {[mcget {session.logon.last.oauthprovidertype}] == "F5"}
    5. For the branch rule that you added, in the Expression setting click the change link.
      A popup screen opens.
    6. Click the Advanced tab, paste the expression into the field, and replace the existing provider name (such as F5) with the new provider name.
      For example, the result might look like this:
                                          
      expr {[mcget {session.logon.last.oauthprovidertype}] == "Siterequest"}
    7. Click Finished.
      The popup screen closes.
    8. Click Save.
      The properties screen closes and the policy displays.
  6. Click Finished.
    The popup screen closes.
  7. If you are working with a per-session policy, click the Apply Access Policy link.

Overview: Configuring APM as an OAuth resource server gateway

Some applications do not support standard HTTP redirection and cookies. For Access Policy Manager® (APM®) to act as an OAuth resource server and provide an OAuth authorization layer into an API gateway, you must configure APM with a special access profile. This access profile also allows only a limited set of policy agents.

This configuration supports OAuth client apps that send requests with an HTTP Authorization header that contains an OAuth Bearer token.

Task summary

Creating an access profile for a resource server gateway

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select OAuth-Resource Server.
    The User Identification Method setting changes to OAuth Token.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Creating APM access and per-request policies for a resource server gateway

Before you start, you need to have configured these objects in Access Policy Manager® (APM®):
  • An OAuth server that supports resource servers only (Mode is set to Resource).
  • An access profile of the OAuth-Resource Server type.
To use Access Policy Manager® (APM®) as an OAuth resource server gateway, you can configure an OAuth Scope agent in an access policy, a per-request policy subroutine, or both.
Important: In the policies, you must use only the subset of agents that are allowed with the OAuth-Resource Server access profile type.
  1. Open the access policy in the visual policy editor:
    1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies) .
      The screen displays a list of access profiles.
    2. Locate the correct access profile.
      Look in the Profile Type field for OAuth-Resource Server.
    3. In the Per-Session Policy field, click the Edit link.
      The visual policy editor opens the access policy in a separate screen.
  2. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  3. To review the subset of agents that are allowed for use with the OAuth-Resource Server access profile type, click each tab.
  4. To add an OAuth Scope agent to the access policy:
    1. On the Authentication tab, select OAuth Scope.
    2. From the Server list, select an OAuth server that you know to be configured with Mode set to Resource Server.
      Important: Do not select an OAuth server configured with Mode set to Client + Resource Server.
    3. From the Scopes Request list, select a request.
      Only validate-scopes-request type requests display.
      If F5 (APM) is the OAuth provider, select F5ScopesRequest.
    4. To add scope data requests, click Add new entry and, in the Scope Name field, type the name of a scope that the OAuth provider supports; then, from the Request list, select a scope data request that was configured to meet the requirements of the OAuth provider.
    5. Click Save.
      The properties screen closes. The policy displays.
  5. To save and apply any changes that you made to the access policy, click Apply Access Policy.
  6. To add an OAuth Scope agent to a per-request policy subroutine:
    1. On the Main tab, click Access > Profiles / Policies > Per-Request Policies .
    2. To open a per-request policy for editing, click the Edit link in the Per-Request Policy field.
      Note: If you must create a per-request policy first, provide a name for it that is unique among all access profiles and per-request policies.
    3. Click Add New Subroutine.
      A popup screen opens. The Subroutine from template field specifies Empty.
    4. Click Save.
      The popup screen closes. The heading, [+] Subroutine: Name , displays below the main editor.
    5. Expand the subroutine for editing by clicking the [+] icon.
    6. In the subroutine area, click [+].
      An Add Item popup screen opens.
    7. On the Authentication tab, select OAuth Scope and click Add Item.
    8. To configure the OAuth Scope agent properties, follow the instructions provided in this task previously.
    9. To add the subroutine to the per-request policy, in the main editor click the [+] icon.
    10. Click the Subroutines tab, select the subroutine, and click Add Item.
      The subroutine displays in the per-request policy.
To put the access policy into effect, you must specify the access profile in the virtual server. If you configured a per-request policy subroutine, you must also specify the per-request policy in that virtual server.

Creating a virtual server to manage HTTPS traffic

You can create a virtual server to manage HTTPS traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Service Port field, type 443 or select HTTPS from the list.
  5. From the HTTP Profile list, select http.
  6. For the SSL Profile (Client) setting, from the Available list, select clientssl, and using the Move button, move the name to the Selected list.
  7. Click Finished.
The HTTPS virtual server appears in the Virtual Server List screen.

Adding access profile and per-request policy to the virtual server

You associate an access profile with a virtual server for use in establishing an access session. If you have configured a per-request policy, which is for use throughout the access session, you associate it with the virtual server also.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that manages access for the web application you are securing.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
  5. Click Update.
The access profile (and access policy) and the per-request policy are now associated with the virtual server.

Overview: Using an OAuth token for single sign-on

After Access Policy Manager® (APM®) gets or validates an OAuth token, the token can be used for single sign-on (SSO). Simply create an OAuth bearer SSO configuration and select it from any configuration object where APM lets you do that; for example, in an access profile.

APM gets or validates tokens when OAuth Client or OAuth Scope agents run in a policy.

Task summary

Creating an OAuth bearer SSO configuration

You create an OAuth bearer SSO configuration when you want to allow single-sign on using an OAuth token that Access Policy Manager® (APM®) has gotten or validated from an external OAuth authorization server.
  1. On the Main tab, select Access > Single Sign-On > OAuth Bearer .
    The OAuth Bearer Configurations screen opens.
  2. Click Create.
    The New SSO Configuration screen opens.
  3. In the Name field, type a name for the SSO configuration.
  4. In the SSO Method Configuration area, select a server from the OAuth Server list.
  5. Click Finished.
When you configure an APM object that supports single sign-on, it includes an SSO Configuration property. Select the SSO bearer configuration from the object where you want to put SSO into effect.

Adding OAuth bearer SSO to an access profile

You add an OAuth bearer SSO to an access profile if you want to allow SSO using an OAuth token from the access profile.
Note: You can also select an SSO configuration from objects such as an Exchange profile, a SAML resource, or a portal access resource.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. Click SSO / Auth Domains on the menu bar.
    The SSO Across Authentication Domains screen opens.
  4. From the SSO Configurations list, select an OAuth bearer SSO configuration.
    Other settings on the screen are not relevant when using an OAuth bearer SSO configuration.
  5. Click Update.
An access profile goes into effect when it is specified in a virtual server.

About OAuth statistics collection

Access Policy Manager® (APM®) collects OAuth performance statistics on the BIG-IP® system. After you configure and start to use APM as an OAuth server or an OAuth client and resource server, APM collects statistics without requiring any additional setup.

Charting OAuth client and resource server performance

To perform this task, you must be logged into the BIG-IP® system in one of these user roles: manager, administrator, or resource administrator.
You chart server performance when you want to see the rate of requests that Access Policy Manager® (APM®), acting as an OAuth client or resource server or both, processes over a period of time.
  1. On the Main tab, click Access > Overview > OAuth Reports > Client / Resource Server .
    The x-axis for the chart specifies time. The y-axis specifies the rate: requests per second.
    The screen displays the Overview line graph with data from the last hour. The legend specifies the request types represented by each colored line; Error represents errors that occurred for any of the requests.
  2. To display the rate of requests for the interval represented by a point in the chart, place your cursor at the point in the chart.
    The legend updates to display the rates.
  3. To get the number of requests for a point in the chart, multiply the rate by the number of seconds in the interval.
    The interval between two consecutive points on a chart depends on the selected Time.
  4. To generate the chart for another period of time, select one from the Time list.

OAuth performance chart intervals

The interval between two consecutive points in an OAuth performance chart depends on the time period selected for the chart.

Time Interval
Last hour 30 seconds
Last 3 hours 1 minute (60 seconds)
Last 12 hours 6 minutes (360 seconds)
Last day 12 minutes (720 seconds)
Last week 1 hour (3600 seconds)
Last 30 days 4 hours (14400 seconds)
Last 3 months 12 hours (43200 seconds)
Last 6 months 1 day (86400 seconds)

OAuth client and resource server troubleshooting tips

You might run into problems with an OAuth client or resource server on the BIG-IP® system in some instances. Follow these tips to try to resolve any issues you might encounter.

Log message Possible explanations and corrective actions
OAuth Client: SSL profile from apmd is missing The server SSL profile is missing for the OAuth client or resource server that is specified in the OAuth server configuration. Verify the OAuth server configuration on the BIG-IP® system.
Invalid URI log One or more URIs are not configured properly for the OAuth provider. Verify the OAuth provider configuration on the BIG-IP system.
Failed to initialize OAuth agent This is an internal APMD error; this error should not occur.
OAuth request is not configured for agent A particular request object is not configured properly. Verify request object configuration on the BIG-IP system.
OAuth Client: state parameters do not match This is an internal APMD error; this error should not occur.
OAuth Authorization redirect is empty The authorization redirect request URI is invalid. Verify the OAuth Client agent configuration in the policy and verify the configuration for the authorization redirect request that it specifies.
Authorization code not found Authorization code sent by the authorization server is not found. There could be a problem on the OAuth client or on the external authorization server. Examine the error logs on the external authorization server.
OAuth Client: Unsupported grant type An improper grant type was used from the OAuth Client; this error should not occur.
OAuth Client: Unsupported parameter type A parameter for an OAuth request was invalid; this error should not occur.
OAuth Response is empty from server The OAuth client (or resource server) received an empty response from the authorization server. Examine the error logs on the external authorization server.
OAuth Scope: Failed to get scope details for scope The OAuth resource server failed to get scope details. Examine the error logs on the external authorization server.
Unsupported agent type This is an internal APMD error; this error should not occur.
OAuth Error Code received The OAuth client received an error code. Use the error code and message to help with troubleshooting.
Access Token validation failed for server This warning means that the OAuth client agent failed to validate the token. When this happens, the OAuth client tries to refresh or get a new token
OAuth Client: Failed to refresh token for server This warning means that the OAuth client failed to refresh an access token. When this happens, the OAuth client tries to fetch a new token.
HTTP error 503, connect failed This error indicates that the OAuth client or resource server failed to connect to the authorization server. Typically, this is caused by one or more configuration issues. Verify that these aspects of your configuration are correct:
  • DNS
  • Default gateway on the BIG-IP system
  • Proper SSL certificates on the OAuth server