Applies To: BIG-IP APM 13.1.5, 13.1.4
OAuth grant types
As an OAuth authorization server, Access Policy Manager® (APM®) supports the grant types in this table.
Grant Type | Description |
---|---|
Authorization code | An OAuth client redirects a resource owner to the authorization server. As the OAuth authorization server, APM authenticates the resource owner and redirects it back to the client with an authorization code. The client then presents the authorization code, together with its own client credentials, at the token endpoint to get an access token. The code is bound to the client it was issued to and can be exchanged only once. |
Implicit | A client gets a token from the authorization server directly, based on resource owner authorization and without the exchange of intermediate credentials (such as an authorization code). This grant type was designed for clients implemented in a scripting language in a browser; because the access token travels in the redirect, current OAuth 2.0 security guidance recommends the authorization code grant instead wherever the client can use it. (Refresh tokens are not available with this grant type.) |
Resource owner password credentials | A client sends the resource owner's own credentials directly to the authorization server to obtain a token. Because the client handles the resource owner's password, this grant type is suitable only for trusted first-party clients. |
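The following is an added example, not APM code, that models the authorization code flow above as a small in-memory authorization server issuing opaque tokens. It enforces the rules the page states elsewhere: an authorization code is bound to the client it was issued to and can be exchanged exactly once (the conditions behind the "attempted to use Auth Code ... given to client ID" and "already consumed Auth Code" log messages), introspection requires the resource server's `resource_server_secret` (the parameter named in the troubleshooting table), and a stored token reports ACTIVE, EXPIRED or REVOKED, with EXPIRED set only when a validation request finds the token past its expiry. The class name, TTLs, error bodies and the exact wording of the audit lines are assumptions; the 48-hex-character identifiers mirror the length of the OAuth IDs shown later on the page.

```python
import hmac
import secrets
import time


class AuthServer:
    """Toy in-memory OAuth 2.0 authorization server issuing opaque tokens.

    Added example, not APM code: authorization codes are single-use and
    client-bound; opaque tokens live in a store consulted by introspection
    (RFC 7662) and revocation (RFC 7009); EXPIRED is only recorded when a
    validation request notices the expiry. TTLs are assumed values.
    """

    CODE_TTL = 60       # seconds an authorization code stays exchangeable (assumed)
    TOKEN_TTL = 3600    # seconds an access token stays ACTIVE (assumed)

    def __init__(self, clock=time.time):
        self.clock = clock              # injectable so expiry can be exercised in tests
        self.clients = {}               # client_id -> {"secret", "grants", "scopes"}
        self.resource_servers = {}      # rs_id -> secret
        self.codes = {}                 # code -> {"client_id", "scope", "exp", "used"}
        self.tokens = {}                # token -> {"client_id", "scope", "exp", "status"}
        self.log = []                   # audit lines modelled on the APM messages

    def register_client(self, client_id, secret, grants, scopes):
        self.clients[client_id] = {"secret": secret, "grants": set(grants),
                                   "scopes": set(scopes)}

    def register_resource_server(self, rs_id, secret):
        self.resource_servers[rs_id] = secret

    def _client_ok(self, client_id, client_secret):
        client = self.clients.get(client_id)
        return client is not None and hmac.compare_digest(client["secret"], client_secret)

    # Authorization endpoint, reached after the resource owner logged on and
    # answered the OAuth Authorization prompt (consented=True means "Allow").
    def authorize(self, client_id, scope, consented=True):
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "unauthorized_client"}
        if "authorization_code" not in client["grants"]:
            self.log.append("The client app does not support Auth code grant")
            return {"error": "unauthorized_client"}
        for name in scope.split():
            if name not in client["scopes"]:
                self.log.append(f"Invalid Scope: '{name}'")
                return {"error": "invalid_scope"}
        if not consented:
            return {"error": "access_denied"}
        code = secrets.token_hex(24)
        self.codes[code] = {"client_id": client_id, "scope": scope,
                            "exp": self.clock() + self.CODE_TTL, "used": False}
        return {"code": code}

    # Token endpoint, authorization_code grant only.
    def token(self, client_id, client_secret, code, ip="0.0.0.0"):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.get(code)
        if rec is None or self.clock() > rec["exp"]:
            return {"error": "invalid_grant"}
        if rec["client_id"] != client_id:
            self.log.append(f"Client ID {client_id[:6]}... IP {ip} attempted to use Auth Code "
                            f"{code[:6]}... given to client ID {rec['client_id'][:6]}...")
            rec["used"] = True   # the code has leaked: burn it for the real owner too
            return {"error": "invalid_grant"}
        if rec["used"]:
            self.log.append(f"Client ID {client_id[:6]}... IP {ip} attempted to use already "
                            f"consumed Auth Code {code[:6]}...")
            return {"error": "invalid_grant"}
        rec["used"] = True
        access = secrets.token_hex(24)
        self.tokens[access] = {"client_id": client_id, "scope": rec["scope"],
                               "exp": self.clock() + self.TOKEN_TTL, "status": "ACTIVE"}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.TOKEN_TTL, "scope": rec["scope"]}

    # Introspection endpoint (RFC 7662); the caller is a registered resource server.
    def introspect(self, token, rs_id, resource_server_secret=None):
        if resource_server_secret is None:
            return {"error": "invalid_request", "error_description":
                    "Required parameter (resource_server_secret) is missing"}
        expected = self.resource_servers.get(rs_id)
        if expected is None or not hmac.compare_digest(expected, resource_server_secret):
            return {"error": "invalid_client"}
        rec = self.tokens.get(token)
        if rec is None:
            return {"active": False}
        if rec["status"] == "ACTIVE" and self.clock() > rec["exp"]:
            rec["status"] = "EXPIRED"    # status flips only when somebody validates it
        if rec["status"] != "ACTIVE":
            return {"active": False}     # never say why: RFC 7662 keeps that private
        return {"active": True, "client_id": rec["client_id"],
                "scope": rec["scope"], "exp": int(rec["exp"])}

    # Revocation endpoint (RFC 7009): a client may only revoke its own tokens.
    def revoke(self, token, client_id, client_secret):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        rec = self.tokens.get(token)
        if rec is not None and rec["client_id"] == client_id:
            rec["status"] = "REVOKED"
        return {}    # RFC 7009 answers 200 even for unknown tokens

    def status(self, token):
        return self.tokens[token]["status"]   # what the access token report would show
```

A code presented by a client other than the one it was issued to is treated as leaked and burned, so the legitimate client's later exchange also fails; that matches RFC 6749's advice and is why the troubleshooting table leaves remediation to the administrator rather than the server.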
OAuth authorization server endpoints
As an OAuth authorization server, Access Policy Manager® (APM®) supports the endpoints listed in this table for interactions with resource owners and clients on the BIG-IP® system. APM supplies a default URI for each endpoint; you can replace the default URIs.
Authorization Server Endpoint | Description |
---|---|
Authorization endpoint | As defined in the OAuth 2.0 authorization framework specification (RFC 6749), this endpoint is for use by a client to obtain authorization from the resource owner through user-agent redirection. The authorization server verifies the identity of the resource owner and interacts with the resource owner to obtain the authorization grant for the client. Defaults to /f5-oauth2/v1/authorize. |
Token issuance endpoint | Specifies the endpoint for the client to use to obtain an access token or a refresh token, per RFC 6749. Defaults to /f5-oauth2/v1/token. |
Token revocation endpoint | Specifies the endpoint for the client to use to revoke a previously obtained access token or refresh token, as defined in the OAuth 2.0 token revocation specification (RFC 7009, an extension of RFC 6749). Defaults to /f5-oauth2/v1/revoke. |
Token introspection endpoint | As defined in the OAuth 2.0 token introspection specification (RFC 7662), clients and resource servers get information about the token, such as its status (active or not active), the scopes assigned to it, issue date, expiration date, and so on. Defaults to /f5-oauth2/v1/introspect. |
OpenID Connect Configuration Endpoint | As defined in the OpenID Connect Discovery 1.0 specification, this defines the location of the OpenID provider configuration document. Defaults to /f5-oauth2/v1/.well-known/openid-configuration. |
About OAuth token types
As an OAuth authorization server, Access Policy Manager® (APM®) supports bearer access tokens and refresh tokens. Either kind can be issued as an opaque token or as a JSON web token (JWT).
About access tokens
As defined in the OAuth 2.0 specification (RFC 6749), an access token is a credential used to access protected resources. An access token is a string that represents an authorization issued to the client. A token represents specific scopes and durations of access granted by the resource owner. The resource server and the authorization server enforce the scopes and durations of access.
About refresh tokens
As defined in the OAuth 2.0 specification (RFC 6749), a refresh token is a credential used to obtain an access token. The client uses a refresh token to get a new access token from the authorization server when the current access token expires. If refresh tokens are enabled in the configuration, the OAuth authorization server issues a refresh token to the client when it issues an access token.
A refresh token is a string. It represents the authorization that the resource owner grants to the client. Unlike access tokens, a refresh token is for use with authorization servers only, and is never sent to a resource server.
About opaque tokens
Opaque tokens are issued in a proprietary format. Only the OAuth authorization server that issued a token can read and validate it. The OAuth authorization server stores an opaque token for its lifetime and offers the ability to revoke it. Because a resource server cannot inspect an opaque token itself, it must call the authorization server's token introspection endpoint to learn whether the token is active and which scopes it carries; that round trip is the cost of being able to revoke tokens.
About JSON web tokens
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims as a JSON object between OAuth entities. Because the token is digitally signed, a resource server can verify it on its own with the issuer's signing key. JWTs are not stored on the OAuth authorization server and cannot be revoked: a JWT stays valid until its expiration claim passes, so keep JWT lifetimes short and use refresh tokens for longer-lived sessions.
Overview: Configuring APM as an OAuth 2.0 authorization server
You can configure a BIG-IP® system with Access Policy Manager® (APM®) to act as an OAuth authorization server. OAuth client applications and resource servers can register to have APM authorize requests.
Task summary
Registering a client application for OAuth services
Registering a resource server for OAuth services
Configuring OAuth scopes of access for client apps
Configuring JWT claims for client apps
Configuring JWKs for OAuth authorization server
Managing storage for opaque tokens
Creating an OAuth profile
Enabling or disabling opaque tokens and JSON web tokens
Configuring opaque token settings in an OAuth profile
Configuring support for JWTs in an OAuth profile
About key rotation for JWTs
Access Policy Manager® (APM®) does not support automatic rotation of signing keys for JSON web tokens (JWTs). To configure signing keys, an administrator selects a primary key in the OAuth profile for authorization server configurations, and optionally, can specify rotation keys. To determine when to update the primary key and when to add or to update rotation keys, an administrator might consider factors such as when the certificates in the keys expire, and how long JWTs that use a particular key remain valid.
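The following is an added example, not APM code, covering both the "About JSON web tokens" section and the key rotation paragraph above. It issues JWTs under a primary key identified by `kid`, keeps retired primaries as rotation keys so tokens signed under them still verify, and lets an administrator drop a rotation key once every JWT signed under it has expired. APM signs with certificate-backed keys (RS256); the example uses HS256 shared secrets so it runs with the Python standard library alone, and the rotation logic is identical. The verifier also shows what a JWT consumer can and cannot check: signature, algorithm, key identifier, expiry and audience, but never revocation. Class and method names and the `kid` values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class JwtIssuer:
    """Signs JWTs with a primary key and verifies against primary + rotation keys.

    Added example, not APM code. HS256 with shared secrets stands in for the
    certificate keys APM uses; the rotation rule is the same: sign with the
    primary kid, keep old keys until every JWT signed under them has expired,
    then retire them.
    """

    def __init__(self, primary_kid, keys, clock=time.time):
        self.keys = dict(keys)          # kid -> secret bytes (primary and rotation keys)
        self.primary_kid = primary_kid
        self.clock = clock
        if primary_kid not in self.keys:
            raise ValueError("primary kid must be in the key set")

    def rotate(self, new_kid, new_key):
        """Make new_kid the primary; the previous primary becomes a rotation key."""
        self.keys[new_kid] = new_key
        self.primary_kid = new_kid

    def retire(self, kid):
        """Drop a rotation key; anything still signed under it fails from now on."""
        if kid == self.primary_kid:
            raise ValueError("cannot retire the primary key")
        del self.keys[kid]

    def _mac(self, kid, signing_input: bytes) -> bytes:
        return hmac.new(self.keys[kid], signing_input, hashlib.sha256).digest()

    def sign(self, claims, ttl=300):
        now = int(self.clock())
        body = dict(claims, iat=now, exp=now + ttl)
        header = {"alg": "HS256", "typ": "JWT", "kid": self.primary_kid}
        signing_input = b64url(_json(header)) + "." + b64url(_json(body))
        return signing_input + "." + b64url(self._mac(self.primary_kid, signing_input.encode()))

    def verify(self, token, audience):
        """Return the claims or raise ValueError. Revocation cannot be checked here."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(b64url_decode(h64))
            claims = json.loads(b64url_decode(p64))
        except (ValueError, TypeError) as exc:
            raise ValueError("malformed token") from exc
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("malformed token")
        if header.get("alg") != "HS256":          # refuses "none" and algorithm confusion
            raise ValueError("unexpected alg")
        kid = header.get("kid")
        if kid not in self.keys:
            raise ValueError("unknown or retired kid")
        expected = self._mac(kid, f"{h64}.{p64}".encode())
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            raise ValueError("bad signature")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self.clock():
            raise ValueError("expired")
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
        return claims

    def explain(self, token, audience):
        """None when the token verifies, otherwise the reason it was rejected."""
        try:
            self.verify(token, audience)
        except ValueError as exc:
            return str(exc)
        return None

    def kid_of(self, token):
        return json.loads(b64url_decode(token.split(".")[0])).get("kid")
```

The safe moment to retire a rotation key is the longest JWT lifetime after the rotation; until then the old key must stay in the set or valid tokens start failing with "unknown or retired kid".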
Creating an access profile for F5 as an OAuth authorization server
Sample policy: Logon, authenticate, and authorize
Access policy for APM as an OAuth authorization server
The Logon Page and OAuth Authorization agents are required in the access policy for Access Policy Manager® (APM®) to act as an OAuth authorization server. An authentication agent, such as AD Auth, is optional; if included in a policy, an authentication agent should be placed after the Logon Page and before the OAuth Authorization agent.
About OAuth Authorization
When Access Policy Manager® (APM®) is configured to act as an OAuth authorization server, an OAuth Authorization agent must be present in the access policy.
The OAuth Authorization agent provides these elements and options.
- Prompt for Authorization
  - Enabled - Displays the OAuth Authorization page. The page requests authorization for the client application to access a list of scopes and presents the options to allow or to deny access.
  - Disabled - Does not display the OAuth Authorization page.
- Subject - The name of a subject claim (for JSON web tokens).
- Audience - Specifies the audiences for the claims (for JSON web tokens).
- Scope / Claim Assign - Specifies the scopes or the claims for which authorization is requested. If no scopes or claims are specified here, the ones configured in APM for the client application are used.
- Customization - Customizes the messages that display on the OAuth authorization page when Prompt for Authorization is set to Enabled:
  - Authorize Message - Specifies the initial wording for the prompt.
  - Scope Message - Specifies the wording that precedes the list of scopes that are specified in the Scope / Claim Assign area of this screen.
  - Allow Message - Provides the label for the button that allows access.
  - Deny Message - Provides the label for the button that denies access.
Configuring an access policy for F5 as an OAuth authorization server
Creating a client SSL profile for certificate inspection
Creating a virtual server for OAuth authorization server traffic
Overview: Localizing an OAuth authorization screen
The text on an OAuth authorization screen is a composite of captions and descriptions configured in a few different objects. When you set out to customize the authorization screen, you need to know where the text comes from.
An example OAuth Authorization screen
Element | Where configured |
---|---|
1 | OAuth Authorization agent, Authorize Message field. |
2 | Client application object, Website URL Logo field. (Providing a different logo for different locales is not supported.) |
3 | Client application object, Caption field. |
4 | Client application object, Detailed Description field. |
5 | Client application object, Caption field supplies the application name. |
6 | OAuth Authorization agent, Scope Message field supplies the phrase which defaults to request permission to do the following. |
7 | OAuth scope objects, Detailed Description field. |
8 | OAuth Authorization agent, Allow Message and Deny Message fields. |
Task summary
Localizing an OAuth client application
Localizing an OAuth scope
About customization for policy agents
If an access or per-request policy agent supports customization, customization settings are available in agent properties from within the visual policy editor. The same customization settings are also available for the agent in the Customization area of the BIG-IP® system. For more information, see BIG-IP® Access Policy Manager® (APM®) Customization on the AskF5™ web site located at support.f5.com.
Overview: Managing opaque access tokens
Access Policy Manager® (APM®) stores opaque access tokens in on-disk databases for their lifetimes.
Task summary
Revoking opaque access tokens
Purging opaque tokens from a database instance
Obtaining a list of OAuth IDs for purged access tokens
oauth_id                                          purged_time
07c64b01e360f43ff4e2b561107de9f4aa5ca14e54b5e72e  2016-09-29 02:00:01
About OAuth statistics collection
Access Policy Manager® (APM®) collects OAuth performance statistics on the BIG-IP® system. After you configure and start to use APM as an OAuth server or an OAuth client and resource server, APM collects statistics without requiring any additional setup.
Charting OAuth server performance
OAuth performance chart intervals
The interval between two consecutive points in an OAuth performance chart depends on the time period selected for the chart.
Time | Interval |
---|---|
Last hour | 30 seconds |
Last 3 hours | 1 minute (60 seconds) |
Last 12 hours | 6 minutes (360 seconds) |
Last day | 12 minutes (720 seconds) |
Last week | 1 hour (3600 seconds) |
Last 30 days | 4 hours (14400 seconds) |
Last 3 months | 12 hours (43200 seconds) |
Last 6 months | 1 day (86400 seconds) |
Charting OAuth opaque token usage
Opaque access token status
The OAuth access token report displays a status for each opaque access token. This table defines each status.
Access Token Status | Description |
---|---|
ACTIVE | A token status is active when the token is granted and remains active until an event occurs that changes the status. |
EXPIRED | Token status changes to expired only when a validation request is attempted on a token that has passed its expiration date. |
REVOKED | Token status changes to revoked when a client or an administrator revokes that access token. |
OAuth authorization server troubleshooting tips
You might run into problems with an OAuth authorization server on the BIG-IP® system in some instances. Follow these tips to try to resolve any issues you might encounter.
Log message | Possible explanations and corrective actions |
---|---|
Invalid grant type requested in OAuth mode | An OAuth profile might not be specified in the access profile. Verify that the access profile specifies an OAuth profile. |
OAuth mode not set for Authorization Agent: Incoming OAuth request might not match the configured OAuth endpoints or could be failing for other reasons. | Incoming OAuth request might not match the configured OAuth endpoints. |
OAuth mode not set for Authorization Agent: OAuth profile is not configured for this access profile. | OAuth profile is not specified in the access profile. |
The client app does not support Auth code grant | The Authorization Code grant type is not selected in the client app configuration. |
The client app does not support Implicit grant | The Implicit grant type is not selected in the client app configuration. |
The client app does not support ROPC grant | The Resource Owner Password Credentials grant type is not selected in the client app configuration. |
OAuth mode not set for Authorization Agent | An OAuth profile might not be specified in the access profile. Verify that the access profile specifies an OAuth profile. |
Invalid Scope: 'name' | The client application sent a request with an invalid scope, name. |
Client ID 0fb9b2... IP 165.160.15.20 attempted to use Auth Code 03f59e... given to client ID 093eb2... | A client application tried to use an authorization code that the Authorization Server provided to another client application. Any remediation action, such as unregistering the app, is at the admin's discretion. |
Client ID 093eb2... IP 165.160.15.20 attempted to use already consumed Auth Code 03f59e... | An authorization code can be used to retrieve an access token once only. This error message indicates that the Authorization server detected a client application presenting the same authorization code to retrieve an access token more than once. Any remediation action, such as notifying the app developer or unregistering the app, is at the admin's discretion. |
Failed to initiate DB synchronization (ERR_DB) | The error code might help indicate what problem was seen. This error can also occur if the OAuth plugin restarted. |
Request Introspect Token from ID bd3d27... IP 165.160.15.20 failed. Error Code (invalid_request) Error Description (Required parameter (resource_server_secret) is missing) | The error description field provides the detailed reason why a request failed. The reason could vary from missing a required field in the request to an out-of-memory situation in the traffic management microkernel (TMM) process, and so on. The error description should be detailed enough to help with troubleshooting. |
Request Auth Code from Source ID 052ae66... IP 165.160.15.20 failed. Error Code (server_error) Error Description (Assigned scopes exceed buffer size limit.) | All assigned scopes (space separated) are returned to the client application. If the assigned scope names together exceed 1000 bytes, this error message is generated. To resolve the problem, shorten scope names or unassign scopes from the client app until the limits in the note are met. Note: The maximum length for one scope name is 400 characters. The maximum length for all the scope names assigned to the client app, separated by spaces, is 1000 bytes; the page equates this with 1000 characters, which holds only for single-byte characters, so treat the limit as a byte count. |
Request Auth Code from Source ID 052ae6... IP 165.160.15.20 failed. Error Code (server_error) Error Description (Assigned scopes cause scope_data to exceed buffer size limit.) | Scope data (scope_data) is JSON-formatted output that contains all assigned scope names and their values. Whenever the JSON-formatted output exceeds 4000 bytes, this error is generated. To resolve the problem, shorten scope values or names, or unassign scopes from the client app, until the limits in the note are met. Note: The maximum length for one scope name is 400 characters. The maximum length for one scope value is 3500 characters. The maximum length for all scope data (scope names, scope values, spaces, and formatting characters) is 4000 bytes; as with the scope name list, treat this as a byte count rather than a character count. |
Failed to register OAuth global tmstat table (ERR_MEM) | These are OAuth global TMSTAT initialization related failures. These events are unlikely. Restarting TMM could help. For more information, refer to SOL89999342: BIG-IP daemons (12.x) on the AskF5™ web site located at support.f5.com. |
Failed to create OAuth global tmstat row (ERR_MEM) | |
Failed to set OAuth global tmstat field name (ERR_MEM) | |
Failed to get OAuth global stats row during tmstat initialization (ERR_UNKNOWN) | This is an OAuth global TMSTAT initialization related failure. This is an unlikely event. Restarting TMM could help. |
Request Access Token from Source ID 052ae666629882d29c0e385ce9380023e96cf9c0a5ae4857 IP 10.192.144.45 failed. Error Code (server_error) Error Description (JWT AT signing failed) | Indicates that the JSON web token (JWT) access token signature generation failed. It might fail due to an invalid JSON web key (JWK) configuration being used on the OAuth Profile. |
Request Access Token from Source ID 052ae666629882d29c0e385ce9380023e96cf9c0a5ae4857 IP 10.192.144.45 failed. Error Code (server_error) Error Description (JWT AT signing failed due to expired cert) | Indicates that the certificate used by the assigned JWK on the OAuth Profile has expired. Either create a configuration with valid certificate or enable the Ignore expired certificate validation check box on the OAuth Profile. |
Request Access Token from Source ID 052ae666629882d29c0e385ce9380023e96cf9c0a5ae4857 IP 10.192.144.45 failed. Error Code (server_error) Error Description (Unexpected: JWT subject JSON format out of bound.) | Indicates the subject field value length is too large. Change the configuration to reduce the size of subject's value. |
Request Access Token from Source ID 052ae666629882d29c0e385ce9380023e96cf9c0a5ae4857 IP 10.192.144.45 failed. Error Code (server_error) Error Description (Generate JWT Access/Refresh token size exceeds available buffer size limit.) | Indicates that the generated access token is larger than the currently supported size limit of 16 K. Create a configuration using fewer claims and scopes, shorten the claim and scope values, and so on. |
Request Access Token from Source ID 052ae666629882d29c0e385ce9380023e96cf9c0a5ae4857 IP 10.192.144.45 failed. Error Code (server_error) Error Description (Refresh token encryption failed) | While generating the JWT refresh token, encryption failed. This indicates a problem with the JWT Refresh Token Encryption Secret configuration or an issue with crypto operations. |
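The two "Assigned scopes ... exceed buffer size limit" rows above give hard limits that are easier to check before a client app is deployed than to diagnose from the log afterwards. The following is an added example, not APM code, that validates a client app's scope assignment against those limits and ranks the scopes by their contribution so an administrator knows what to shorten or unassign. The exact JSON layout APM uses for scope_data is not documented on this page, so the compact rendering here is an assumption and the scope_data check should be read with some headroom; byte lengths are measured in UTF-8 because the limits are buffer sizes.

```python
import json

# Limits stated in the troubleshooting table.
MAX_SCOPE_NAME_CHARS = 400
MAX_SCOPE_LIST_BYTES = 1000     # all names assigned to one client app, space separated
MAX_SCOPE_VALUE_CHARS = 3500
MAX_SCOPE_DATA_BYTES = 4000     # JSON scope_data: names, values, spaces, formatting


def scope_data_json(scopes):
    """JSON rendering of scope names and values.

    Assumed compact layout; APM's real formatting may differ slightly, so
    keep headroom under MAX_SCOPE_DATA_BYTES when relying on this estimate.
    """
    return json.dumps(scopes, separators=(",", ":"), ensure_ascii=False)


def check_client_scopes(scopes):
    """Return the list of limit violations for a client app's scope assignment
    (scope name -> scope value); an empty list means the limits are respected.

    Byte limits are measured in UTF-8 bytes, so a non-ASCII scope name costs
    more than one unit per character even though its character count is fine.
    """
    problems = []
    for name, value in scopes.items():
        if len(name) > MAX_SCOPE_NAME_CHARS:
            problems.append(f"scope name too long: {name[:20]}... "
                            f"({len(name)} > {MAX_SCOPE_NAME_CHARS} characters)")
        if len(value) > MAX_SCOPE_VALUE_CHARS:
            problems.append(f"scope value too long for {name}: "
                            f"{len(value)} > {MAX_SCOPE_VALUE_CHARS} characters")
    names = " ".join(scopes).encode("utf-8")
    if len(names) > MAX_SCOPE_LIST_BYTES:
        problems.append(f"Assigned scopes exceed buffer size limit: "
                        f"{len(names)} > {MAX_SCOPE_LIST_BYTES} bytes")
    data = scope_data_json(scopes).encode("utf-8")
    if len(data) > MAX_SCOPE_DATA_BYTES:
        problems.append(f"Assigned scopes cause scope_data to exceed buffer size limit: "
                        f"{len(data)} > {MAX_SCOPE_DATA_BYTES} bytes")
    return problems


def largest_contributors(scopes, n=3):
    """Scope names ordered by their scope_data footprint, biggest first:
    the candidates to shorten or unassign when a buffer limit is hit."""
    cost = {name: len(scope_data_json({name: value}).encode("utf-8"))
            for name, value in scopes.items()}
    return sorted(cost, key=cost.get, reverse=True)[:n]
```

Run the check over the scope assignment of every registered client app, not just the one that logged the error; the limits are per client app, so a scope that fits in one app's list can push another app over the line.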