apm profile oauth(1) BIG-IP TMSH Manual apm profile oauth(1)
NAME
oauth - Configures an oauth profile.
MODULE
apm profile
SYNTAX
Configure the oauth component within the profile module using the syntax shown in the following sections.
CREATE/MODIFY
create oauth [name]
modify oauth [name]
options:
access-token-lifetime [integer]
allow-plain-code-challenge [enabled | disabled]
app-service [[string] | none]
audience [add | delete | none | replace-all-with] {
[string]
}
auth-code-lifetime [integer]
auth-url [string]
client-apps [add | delete | replace-all-with] {
[client-app-name]
}
db-instance [db-instance-name]
defaults-from [[string] | none]
generate-jwt-refresh-token [true | false]
generate-refresh-token [true | false]
id-token-claims [add | delete | none | replace-all-with] {
[claim-name]
}
id-token-lifetime [integer]
id-token-primary-key [jwk-config-name]
ignore-expired-cert [true | false]
issuer [string]
jwks-url [string]
jwt-access-token-claims [add | delete | none | replace-all-with] {
[claim-name]
}
jwt-access-token-lifetime [integer]
jwt-ec-signature-format [binary | der]
jwt-refresh-token-enc-secret [string]
jwt-refresh-token-lifetime [integer]
jwt-token [enabled | disabled]
opaque-token [enabled | disabled]
openid-cfg-url [string]
openid-connect [enabled | disabled]
per-user-token-limit [integer]
primary-key [jwk-config-name]
require-pkce [enabled | disabled]
refresh-token-lifetime [integer]
refresh-token-usage-limit [integer]
resource-servers [add | delete | replace-all-with] {
[resource-server-name]
}
reuse-access-token [true | false]
reuse-refresh-token [true | false]
rotation-keys [add | delete | none | replace-all-with] {
[jwk-config-name]
}
subject [[string] | none]
token-introspection-url [string]
token-issuance-url [string]
token-revocation-url [string]
trusted-ca-bundle [certificate-file-object-name]
userinfo-claims [add | delete | none | replace-all-with] {
[claim-name]
}
userinfo-primary-key [jwk-config-name]
userinfo-url [string]
edit oauth [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list oauth
list oauth [ [ [name] | [glob] | [regex] ] ... ]
show running-config oauth
show running-config oauth [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
partition
show oauth
show oauth [name]
DELETE
delete oauth [name]
DESCRIPTION
You can use the oauth component to configure an oauth profile. An oauth profile is a pre-configured group of settings that
you can use to configure an OAuth Authorization Server.
NOTE: For the oauth profile to take effect, this profile must be associated with an access profile. (See man page for apm
access profile.)
EXAMPLES
create oauth myOAuthProfile {
defaults-from oauth
client-apps add { client_1 client_2}
resource-servers add { rs_1 rs_2}
opaque-token enabled
db-instance db_test
jwt-token enabled
openid-connect enabled
issuer https://example.f5.com
primary-key jwk1_hs256
id-token-primary-key jwk1_rs256
generate-jwt-refresh-token true
jwt-refresh-token-enc-secret password
auth-url /f5-oauth2/v1/authorize
token-issuance-url /f5-oauth2/v1/token
token-revocation-url /f5-oauth2/v1/revoke
token-introspection-url /f5-oauth2/v1/introspect
openid-cfg-url /f5-oauth2/v1/.well-known/openid-configuration
jwks-url /f5-oauth2/v1/jwks
userinfo-url /f5-oauth2/v1/userinfo
}
Creates an oauth profile named myOAuthProfile that is based on the default oauth profile named oauth. The profile
serves OAuth requests from client applications named client_1 and client_2 and resource servers named rs_1 and rs_2.
The profile is configured to generate both opaque and JWT access tokens. For opaque access tokens, it uses the db
instance named db_test. For JWT access tokens, it uses the issuer https://example.f5.com, the primary key named
jwk1_hs256 to sign JWT tokens, and the JWT refresh token encryption secret named password to encrypt the refresh token
generated with the JWT access token. The profile also supports OpenID Connect and uses the key named jwk1_rs256 to
sign ID tokens. It uses /f5-oauth2/v1/authorize as the authorization endpoint, /f5-oauth2/v1/token as the token
issuance endpoint, /f5-oauth2/v1/revoke as the revocation endpoint, /f5-oauth2/v1/introspect as the token
introspection endpoint for validating opaque tokens, /f5-oauth2/v1/.well-known/openid-configuration as the OpenID
Connect metadata configuration endpoint, /f5-oauth2/v1/jwks as the JWKS endpoint and /f5-oauth2/v1/userinfo as the
UserInfo endpoint.
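The example profile above issues HS256-signed JWT access tokens (primary-key jwk1_hs256) carrying the issuer, subject
and audience claims and a 5-minute jwt-access-token-lifetime. The following Python is an added illustration, not F5 code
and not the BIG-IP implementation, of what a resource server such as rs_1 must check before trusting such a token:
the pinned algorithm, the HMAC signature, the iss and aud claims and the exp claim. The shared secret, the subject
value and the timestamps are constructed placeholders; on a real deployment the key comes from the JWK config and the
verifier would fetch it or the public key from the jwks-url endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values mirroring the example profile. SHARED_SECRET is a placeholder
# standing in for the symmetric key held by the jwk1_hs256 JWK config.
ISSUER = "https://example.f5.com"
AUDIENCE = ["rs_1", "rs_2"]          # audience list as the profile's audience option
ACCESS_TOKEN_LIFETIME_MIN = 5        # jwt-access-token-lifetime default
SHARED_SECRET = b"placeholder-shared-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT access token with iss/sub/aud/iat/exp claims (authorization server side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": AUDIENCE,
        "iat": now,
        "exp": now + ACCESS_TOKEN_LIFETIME_MIN * 60,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_access_token(token: str, expected_audience: str, now: int, secret: bytes = SHARED_SECRET) -> dict:
    """Resource-server side: return the claims if the token is acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm; never let the token header select it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud_list:
        raise ValueError("audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def token_status(token: str, expected_audience: str, now: int, secret: bytes = SHARED_SECRET) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_access_token(token, expected_audience, now, secret)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued_at = int(time.time())
    tok = mint_access_token("user-123", issued_at)
    print(token_status(tok, "rs_1", issued_at + 60))        # ok
    print(token_status(tok, "rs_1", issued_at + 6 * 60))    # token expired
    print(token_status(tok, "rs_9", issued_at + 60))        # audience mismatch
```

Note that the exp check is what enforces the profile's lifetime on the resource server: a token issued at iat is rejected
from iat + 300 seconds onward, so clocks on the verifier must be reasonably synchronised with the BIG-IP.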
list oauth all all-properties
Displays a list of oauth profiles, including parameter values.
delete oauth myOAuthProfile
Deletes the oauth profile named myOAuthProfile.
OPTIONS
access-token-lifetime
Specifies the number of minutes for which the access token should be valid. The default is 5 minutes.
allow-plain-code-challenge
Specifies whether the plain code challenge method is allowed in the PKCE flow. The default is enabled.
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
audience
Specifies the audience claim for which the JWT access token is intended. This is a list of values. Each value in this
list can be a string, URI, or session variable.
auth-code-lifetime
Specifies the number of minutes for which the authorization code should be valid. The default is 5 minutes.
auth-url
Specifies the path of the authorization endpoint that is used to authenticate the resource owner and provide the
authorization code. The default is /f5-oauth2/v1/authorize.
client-apps
Specifies the list of client applications that are served by the OAuth Authorization Server associated with this
profile.
db-instance
Specifies the db instance that is used to store tokens generated by the OAuth Authorization Server that is associated
with this profile.
defaults-from
Specifies the default oauth profile from which this profile is created. The default is oauth.
generate-jwt-refresh-token
Specifies whether a refresh token should be generated along with the JWT access token. This is applicable only for
"Authorization Code" and "Resource Owner Password Credentials" grant types. The default is true.
generate-refresh-token
Specifies whether a refresh token should be generated along with the access token. This is applicable only for
"Authorization Code" and "Resource Owner Password Credentials" grant types.
id-token-claims
Specifies the list of claims that are part of ID token.
id-token-lifetime
Specifies the number of minutes for which the ID token should be valid. The default is 5 minutes.
id-token-primary-key
Specifies the JWK config that is used to retrieve the shared key (symmetric) or private key (asymmetric) used to sign
ID token. If the key is asymmetric, the configured public key will be returned as part of JWKS URL response.
ignore-expired-cert
Specifies whether to ignore the expiry of the certificate used for signing JWT access token. If this value is true,
then the certificate will be used for signing JWT access token even if it is expired. The default is false.
issuer
Specifies the issuer claim that is part of JWT access token. This value must be a URI.
jwks-url
Specifies the path of the JWKS endpoint that returns public signing keys. These keys are used by OAuth Resource
Servers to verify the digital signature of JWT access token. The default is /f5-oauth2/v1/jwks.
jwt-access-token-claims
Specifies the list of claims that are part of JWT access token.
jwt-access-token-lifetime
Specifies the number of minutes for which the JWT access token should be valid. The default is 5 minutes.
jwt-ec-signature-format
Specifies the JWT token signature format for Elliptic Curve. The default is binary format.
jwt-refresh-token-enc-secret
Specifies the JWT refresh token encryption secret that is used to generate an encryption key. This key is used to
encrypt the refresh token when JWT token is enabled.
jwt-refresh-token-lifetime
Specifies the number of minutes for which the JWT refresh token should be valid. The default is 60 minutes.
jwt-token
Specifies whether JWT access token should be generated. The default is false.
opaque-token
Specifies whether opaque (non-JWT) access token should be generated. The default is true.
openid-cfg-url
Specifies the path of OpenID Connect endpoint that returns OpenID Connect configuration. The default is
/f5-oauth2/v1/.well-known/openid-configuration.
openid-connect
Specifies whether this OAuth profile supports OpenID Connect or not.
per-user-token-limit
Specifies the maximum number of active access tokens that can be generated for a user. The default is 255. The range
is 0 to 5000.
primary-key
Specifies the JWK config that is used to retrieve the shared key (symmetric) or private key (asymmetric) used to sign
JWT access token. If the key is asymmetric, the configured public key will be returned as part of JWKS URL response.
refresh-token-lifetime
Specifies the number of minutes for which the refresh token should be valid. The default is 480 minutes.
refresh-token-usage-limit
Specifies the maximum number of times the access token can be obtained using the refresh token request. The default
value is 0, which represents an unlimited number of times.
resource-servers
Specifies the list of resource servers that are served by the OAuth Authorization Server that is associated with this
profile.
reuse-access-token
Specifies whether an access token is reused or a new access token is generated when it is obtained using refresh token
request. When the access token is reused, its expiry time is extended.
require-pkce
Specifies whether this OAuth profile supports PKCE flow or not. The default is disabled.
reuse-refresh-token
Specifies whether a refresh token is reused or a new refresh token is generated when it is obtained using refresh
token request.
rotation-keys
Specifies one or more JWK configs that contain public keys used as rotation keys. The public keys derived from this
set will be returned as part of JWKS URL response.
subject
Specifies the subject claim that is part of the JWT access token. This value can be a string, URI, or session variable.
The default is %{session.assigned.uuid}.
token-issuance-url
Specifies the path of token issuance endpoint that is used to issue an access token and possibly a refresh token. The
default is /f5-oauth2/v1/token.
token-revocation-url
Specifies the path of token revocation endpoint that is used to revoke an access token or a refresh token. The default
is /f5-oauth2/v1/revoke.
token-introspection-url
Specifies the path of token introspection endpoint that is used to introspect an access token. The default is
/f5-oauth2/v1/introspect.
trusted-ca-bundle
Specifies the trusted CA bundle that is used during verification of the JWK config specified in primary-key when that
config uses an asymmetric key.
userinfo-claims
Specifies the list of claims that are part of UserInfo.
userinfo-primary-key
Specifies the JWK config that is used to retrieve the shared key (symmetric) or private key (asymmetric) used to sign
UserInfo. If the key is asymmetric, the configured public key will be returned as part of JWKS URL response.
userinfo-url
Specifies the path of userinfo endpoint that is used to obtain claims about the authenticated end-user. The default is
/f5-oauth2/v1/userinfo.
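The require-pkce and allow-plain-code-challenge options above control how the authorization endpoint and the token
issuance endpoint tie an authorization code to the client that requested it. The following Python is an added
illustration of that PKCE (RFC 7636) check, written for this page and not F5 code: the authorization step records the
client's code_challenge and method, and the token step recomputes the challenge from the presented code_verifier. It
shows the effect of both profile settings, including the rejection of the plain method when allow-plain-code-challenge
is disabled, and single use of the authorization code. The AuthorizationServer class and its method names are
assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier() -> str:
    """Client side: a high-entropy verifier (43 URL-safe characters, within the RFC 7636 43-128 range)."""
    return secrets.token_urlsafe(32)


def code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge for the given method ('plain' or 'S256')."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError("unsupported code_challenge_method")


class AuthorizationServer:
    """Hypothetical authorization server mirroring the require-pkce and allow-plain-code-challenge settings."""

    def __init__(self, require_pkce: bool, allow_plain_code_challenge: bool):
        self.require_pkce = require_pkce
        self.allow_plain = allow_plain_code_challenge
        self._codes = {}  # authorization code -> (challenge, method); in-memory stand-in for the db instance

    def authorize(self, challenge, method):
        """Authorization endpoint: validate the PKCE parameters, then return an authorization code."""
        if challenge is None:
            if self.require_pkce:
                raise ValueError("code_challenge required")
            method = None
        elif method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        elif method == "plain" and not self.allow_plain:
            raise ValueError("plain code_challenge_method not allowed")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (challenge, method)
        return code

    def token(self, code: str, verifier) -> str:
        """Token issuance endpoint: 'ok' when the code and verifier match, otherwise the rejection reason."""
        entry = self._codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            return "invalid authorization code"
        challenge, method = entry
        if challenge is None:
            return "ok"  # PKCE was not used for this code (only possible when require-pkce is disabled)
        if verifier is None:
            return "code_verifier required"
        if not hmac.compare_digest(code_challenge(verifier, method), challenge):
            return "code_verifier mismatch"
        return "ok"


def run_s256_flow(server: AuthorizationServer) -> str:
    """Complete S256 exchange against the given server; returns the token endpoint's result."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge(verifier, "S256"), "S256")
    return server.token(code, verifier)


if __name__ == "__main__":
    strict = AuthorizationServer(require_pkce=True, allow_plain_code_challenge=False)
    print(run_s256_flow(strict))  # ok
    try:
        strict.authorize("some-verifier-value-used-as-plain-challenge", "plain")
    except ValueError as exc:
        print(exc)  # plain code_challenge_method not allowed
```

With require-pkce enabled, an authorization request that omits code_challenge is refused outright, and with
allow-plain-code-challenge disabled only S256 is accepted, so an intercepted authorization code cannot be redeemed
without the original verifier.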
SEE ALSO
apm oauth, apm policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2015-2017. All rights reserved.
BIG-IP 2021-05-20 apm profile oauth(1)