apm policy agent oauth-authz
apm policy agent oauth-authz(1)    BIG-IP TMSH Manual    apm policy agent oauth-authz(1)
NAME
oauth-authz - Manages an OAuth Authorization agent.
MODULE
apm policy agent
SYNTAX
Configure the oauth-authz component within the policy agent module
using the following syntax.
CREATE/MODIFY
    create oauth-authz [name]
    modify oauth-authz [name]
      options:
        app-service [[string] | none]
        customization-group [[string] | none]
        entries [ add | delete | modify | none | replace-all-with] {
          [entry-name] {
            options:
              app-service [[string] | none]
              expression [[string] | none]
              scope-entries [ add | delete | modify | none | replace-all-with] {
                [scope-entry-name] {
                  options:
                    app-service [[string] | none]
                    scope-name [scope-name]
                    scope-value [[string] | none]
                }
              }
          }
        }
        prompt-for-authorization [true | false]
    edit oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
      options:
        all-properties
        non-default-properties
DISPLAY
    list oauth-authz
    list oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
    show running-config oauth-authz
    show running-config oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
      options:
        all
        all-properties
        app-service
        customization-group
        entries
        non-default-properties
        one-line
        partition
        prompt-for-authorization
        recursive
DELETE
    delete oauth-authz [name]
DESCRIPTION
You can use the oauth-authz component to create and manage an OAuth
Authorization agent that provides OAuth Authorization server
functionality. The agent also manages scopes, so that different levels of
access control can be granted based on the end user's role or any other
criteria.
EXAMPLES
    create oauth-authz MyOAuthAuthzAgent {
        customization-group "company_authz"
        entries add {
            0 {
                expression "expr {return true}"
                scope-entries add {
                    0 {
                        scope-name "name"
                        scope-value "%{session.logon.last.name}"
                    }
                    1 {
                        scope-name "email"
                        scope-value "test@company.com"
                    }
                    2 {
                        scope-name "domain"
                        scope-value "%{session.logon.last.domain}"
                    }
                }
            }
            1 {
                expression "expr {[mcget {session.logon.last.name}] == "testuser"}"
                scope-entries add {
                    0 {
                        scope-name "project"
                        scope-value "project-one"
                    }
                }
            }
        }
    }
    Creates an OAuth Authorization agent named MyOAuthAuthzAgent that
    uses the customization group company_authz to customize the OAuth
    Authorization page.
    The agent attaches the scopes name, email, and domain, with their
    values, to every access token, because the first expression always
    evaluates to true. The agent additionally attaches the scope project
    with the value project-one when the logged-on user is testuser.
    list oauth-authz
    Displays a list of OAuth Authorization agents.
    delete oauth-authz MyOAuthAuthzAgent
    Deletes the OAuth Authorization agent named MyOAuthAuthzAgent.
OPTIONS
    app-service
        Specifies the name of the application service to which the object
        belongs. The default value is none. Note: If the strict-updates
        option is enabled on the application service that owns the object,
        you cannot modify or delete the object. Only the application
        service can modify or delete the object.
    customization-group
        Specifies the customization group that defines the appearance of
        the OAuth Authorization page.
    entries
        Specifies a list of entries, each consisting of an expression and a
        list of scope entries. If the expression evaluates to true, the
        OAuth Authorization agent attaches the corresponding list of
        scope entries to an issued token. Scope entries determine the
        access control that the OAuth Authorization server requests on
        behalf of the client application.
        app-service
            Specifies the name of the application service to which the
            object belongs. The default value is none. Note: If the
            strict-updates option is enabled on the application service
            that owns the object, you cannot modify or delete the object.
            Only the application service can modify or delete the object.
        expression
            Specifies the expression that the OAuth Authorization agent
            evaluates; when it is true, the agent attaches the
            corresponding scopes to an issued token. You can use the
            following operators: AND, OR, NOT, and parentheses for
            grouping.
        scope-entries
            Specifies a list of entries, each consisting of a scope name
            and its value.
            app-service
                Specifies the name of the application service to which
                the object belongs. The default value is none. Note: If
                the strict-updates option is enabled on the application
                service that owns the object, you cannot modify or
                delete the object. Only the application service can
                modify or delete the object.
            scope-name
                Specifies the name of the scope.
            scope-value
                Specifies the value of the corresponding scope. This
                value can be any string or a session variable.
    [name]
        Specifies the name of the OAuth Authorization agent. This setting
        is required.
    partition
        Displays the partition within which the component resides.
    prompt-for-authorization
        Specifies whether the OAuth Authorization page, on which the user
        grants authorization, is displayed. This is applicable only to the
        "Authorization code" and "Implicit" grants.
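    The following model, added here and not part of the BIG-IP product or this
    manual, mirrors the behaviour described under EXAMPLES and under the entries
    option: every entry is evaluated in order, a true expression attaches its
    scope entries to the token, and scope values of the form %{session.x.y} are
    expanded from session variables while literal strings are attached as-is.
    The predicates, session dictionary and empty-string expansion of a missing
    variable are assumptions of this model, not tmsh semantics.

```python
"""Model of how an OAuth Authorization agent attaches scopes to a token.

Constructed example, not BIG-IP code. Each entry pairs a predicate (standing
in for the agent's Tcl 'expression') with a list of (scope-name, scope-value)
tuples, mirroring the entries / scope-entries structure of the man page.
"""
import re

# Matches a session-variable reference such as %{session.logon.last.name}.
SESSION_VAR = re.compile(r"%\{([^}]+)\}")


def expand(value, session):
    """Replace %{...} references with the session variable's value.

    A missing variable expands to an empty string (an assumption of this
    model); a plain literal such as "project-one" is returned unchanged.
    """
    return SESSION_VAR.sub(lambda m: str(session.get(m.group(1), "")), value)


def token_scopes(entries, session):
    """Evaluate every entry; each entry whose expression is true contributes
    its scope entries to the issued token. Later entries overwrite earlier
    values for the same scope name (an assumption of this model)."""
    scopes = {}
    for predicate, scope_entries in entries:
        if predicate(session):
            for name, raw_value in scope_entries:
                scopes[name] = expand(raw_value, session)
    return scopes


# Entries mirroring the MyOAuthAuthzAgent example from this man page.
ENTRIES = [
    (lambda s: True,  # "expr {return true}": always attached
     [("name", "%{session.logon.last.name}"),
      ("email", "test@company.com"),  # literal, identical for every user
      ("domain", "%{session.logon.last.domain}")]),
    (lambda s: s.get("session.logon.last.name") == "testuser",
     [("project", "project-one")]),
]

if __name__ == "__main__":
    session = {"session.logon.last.name": "testuser",
               "session.logon.last.domain": "corp"}
    print(token_scopes(ENTRIES, session))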
SEE ALSO
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2015-2016. All rights reserved.
BIG-IP 2016-06-30 apm policy agent oauth-authz(1)