apm policy agent oauth-authz
apm policy agent oauth-authz(1)    BIG-IP TMSH Manual    apm policy agent oauth-authz(1)
NAME
oauth-authz - Manages an OAuth Authorization agent.
MODULE
apm policy agent
SYNTAX
Configure the oauth-authz component within the policy agent module
using the following syntax.
CREATE/MODIFY
create oauth-authz [name]
modify oauth-authz [name]
options
app-service [[string] | none]
audience ( | none) [add | delete]
customization-group [[string] | none]
entries [ add | delete | modify | none | replace-all-with] {
[entry-name] {
options:
app-service [[string] | none]
expression [[string] | none]
id-token-claim-entries [add | delete | modify | none | replace-all-with] {
[id-token-claim-entry-name] {
options:
app-service [[string] | none]
claim-name [claim-name]
claim-value [[string] | none]
}
}
jwt-access-token-claim-entries [add | delete | modify | none | replace-all-with] {
[jwt-access-token-claim-entry-name] {
options:
app-service [[string] | none]
claim-name [claim-name]
claim-value [[string] | none]
}
}
scope-entries [add | delete | modify | none | replace-all-with] {
[scope-entry-name] {
options:
app-service [[string] | none]
scope-name [scope-name]
scope-value [[string] | none]
}
}
userinfo-claim-entries [add | delete | modify | none | replace-all-with] {
[userinfo-claim-entry-name] {
options:
app-service [[string] | none]
claim-name [claim-name]
claim-value [[string] | none]
}
}
}
}
prompt-for-authorization [true | false]
subject [[string] | none]
edit oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list oauth-authz
list oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
show running-config oauth-authz
show running-config oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
options:
all
all-properties
app-service
customization-group
entries
non-default-properties
one-line
partition
prompt-for-authorization
recursive
DELETE
delete oauth-authz [name]
DESCRIPTION
You can use the oauth-authz component to create and manage an OAuth
Authorization agent that provides OAuth Authorization server
functionality. The agent also manages scopes and claims, so you can
grant different levels of access control based on the end user's role
or any other criteria. For JWT type tokens, you can use the agent to
manage the audience and subject values.
EXAMPLES
create oauth-authz MyOAuthAuthzAgent {
audience add { "company-oauth-rs.com" "partner-oauth-rs.com" }
customization-group "company_authz"
entries add {
0 {
expression "expr {return true}"
id-token-claim-entries add {
0 {
claim-name "group"
claim-value "%{session.ad.last.attr.memberOf}"
}
}
jwt-access-token-claim-entries add {
0 {
claim-name "group"
claim-value "%{session.ad.last.attr.memberOf}"
}
1 {
claim-name "profile"
claim-value "https://company.com/username"
}
}
userinfo-claim-entries add {
0 {
claim-name "profile"
claim-value "https://company.com/username"
}
}
scope-entries add {
0 {
scope-name "name"
scope-value "%{session.logon.last.name}"
}
1 {
scope-name "email"
scope-value "test@company.com"
}
2 {
scope-name "domain"
scope-value "%{session.logon.last.domain}"
}
}
}
1 {
expression "expr {[mcget {session.logon.last.name}] == "testuser"}"
jwt-access-token-claim-entries add {
0 {
claim-name "service"
claim-value "medium"
}
}
scope-entries add {
0 {
scope-name "project"
scope-value "project-one"
}
}
}
}
subject "%{session.assigned.uuid}"
}
Creates an OAuth Authorization agent named MyOAuthAuthzAgent that
uses customization group company_authz to customize the OAuth
Authorization page.
The agent associates the scopes name, email, and domain and their
values with each access token, because the first expression always
evaluates to true. If an id_token is issued, it contains the claim
group. If the token type issued is JWT, each access token also
includes the claims group and profile, and the UserInfo response
contains the claim profile. The agent also associates the scope
project with the value project-one with the token if the user is
testuser. If a JWT access token is issued to user testuser, it also
contains the claim service with the value medium.
If the token issued is a JWT access token, the agent additionally
includes an audience containing the values company-oauth-rs.com and
partner-oauth-rs.com, along with the subject and its value.
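The following Python model is an added illustration and is not F5 code or part of this manual page. It reproduces the documented behaviour of the entries, audience and subject options using the MyOAuthAuthzAgent configuration above: every entry whose expression is true contributes its scope and claim entries to the issued token, %{session.x} references are expanded from session variables, JWT access-token claims, audience and subject apply only to JWT tokens, and an agent-level audience or subject overrides the profile/client value. The session variable values are constructed, the expressions are modelled as Python callables rather than Tcl expr strings, and the function names issue and expand are hypothetical.

```python
"""Model of how an oauth-authz agent maps its entries onto issued tokens.

Added illustration, not F5 code. Expressions are modelled as Python
callables over a session dict instead of Tcl 'expr' strings.
"""
import re

# Agent configuration transcribed from the EXAMPLES section into a
# constructed Python dict (the tmsh syntax is the source of truth).
AGENT = {
    "audience": ["company-oauth-rs.com", "partner-oauth-rs.com"],
    "subject": "%{session.assigned.uuid}",
    "entries": [
        {   # entry 0: expression "expr {return true}" always matches
            "expression": lambda s: True,
            "id_token_claims": {"group": "%{session.ad.last.attr.memberOf}"},
            "jwt_access_token_claims": {
                "group": "%{session.ad.last.attr.memberOf}",
                "profile": "https://company.com/username",
            },
            "userinfo_claims": {"profile": "https://company.com/username"},
            "scopes": {
                "name": "%{session.logon.last.name}",
                "email": "test@company.com",
                "domain": "%{session.logon.last.domain}",
            },
        },
        {   # entry 1: matches only the user named testuser
            "expression": lambda s: s.get("session.logon.last.name") == "testuser",
            "jwt_access_token_claims": {"service": "medium"},
            "scopes": {"project": "project-one"},
        },
    ],
}

SESSION_VAR = re.compile(r"%\{([^}]+)\}")


def expand(value, session):
    """Replace each %{session.x} reference with that session variable's value."""
    return SESSION_VAR.sub(lambda m: str(session.get(m.group(1), "")), value)


def issue(agent, session, token_type="jwt",
          profile_audience=None, profile_subject=None):
    """Return the scopes and claims the agent attaches for one session.

    token_type is "jwt" or "opaque": JWT access-token claims, audience and
    subject are only produced for JWT tokens. profile_audience and
    profile_subject stand in for the OAuth profile / client app values and
    are used only when the agent does not set its own.
    """
    result = {"scopes": {}, "id_token": {}, "access_token": {}, "userinfo": {}}
    for entry in agent["entries"]:
        if not entry["expression"](session):
            continue  # expression false: this entry contributes nothing
        for name, value in entry.get("scopes", {}).items():
            result["scopes"][name] = expand(value, session)
        for name, value in entry.get("id_token_claims", {}).items():
            result["id_token"][name] = expand(value, session)
        for name, value in entry.get("userinfo_claims", {}).items():
            result["userinfo"][name] = expand(value, session)
        if token_type == "jwt":
            for name, value in entry.get("jwt_access_token_claims", {}).items():
                result["access_token"][name] = expand(value, session)
    if token_type == "jwt":
        # Agent-level audience/subject override the profile and client app values.
        result["access_token"]["aud"] = agent.get("audience") or profile_audience
        subject = agent.get("subject") or profile_subject
        result["access_token"]["sub"] = expand(subject, session) if subject else None
    return result


# Constructed session variables for two logons (not captured from a device).
TESTUSER_SESSION = {
    "session.logon.last.name": "testuser",
    "session.logon.last.domain": "corp.example",
    "session.ad.last.attr.memberOf": "CN=Staff,DC=corp,DC=example",
    "session.assigned.uuid": "11111111-2222-3333-4444-555555555555",
}
OTHER_SESSION = {
    "session.logon.last.name": "alice",
    "session.logon.last.domain": "corp.example",
    "session.ad.last.attr.memberOf": "CN=Contractors,DC=corp,DC=example",
    "session.assigned.uuid": "66666666-7777-8888-9999-000000000000",
}

if __name__ == "__main__":
    for label, session in (("testuser", TESTUSER_SESSION), ("alice", OTHER_SESSION)):
        print(label, "JWT:", issue(AGENT, session))
        print(label, "opaque:", issue(AGENT, session, token_type="opaque"))
```

Running the model for both sessions shows the difference the second entry makes: only testuser receives the project scope and the service claim, while the first entry's scopes and claims reach every user. Reviewing agent configuration this way makes it easier to see which session attributes end up in tokens and UserInfo responses handed to client applications.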
list oauth-authz
Displays a list of OAuth Authorization agents.
delete oauth-authz MyOAuthAuthzAgent
Deletes the OAuth Authorization agent named MyOAuthAuthzAgent.
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
audience
Specifies a list of audience values used in issued JWT tokens. If an
audience list is specified in the OAuth Authorization agent, it
overrides the values in the OAuth profile and the OAuth client app.
customization-group
Specifies the customization group that defines the appearance of
the OAuth Authorization page.
entries
Specifies a list of entries consisting of an expression and a list
of scope entries. If the expression evaluates to true, then the
OAuth Authorization agent associates the corresponding list of
scope entries to an issued token. Scope entries determine the
access control that the OAuth Authorization server requests on
behalf of the client application.
app-service
Specifies the name of the application service to which the
object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service
that owns the object, you cannot modify or delete the object.
Only the application service can modify or delete the object.
expression
Specifies the expression that the OAuth Authorization agent
evaluates; if it evaluates to true, the agent associates the
corresponding scopes and claims with an issued token. You can use
the following operators: AND, OR, NOT, ( and ).
id-token-claim-entries
Specifies a list of entries consisting of an ID token claim
name and its value.
app-service
Specifies the name of the application service to which
the object belongs. The default value is none. Note: If
the strict-updates option is enabled on the application
service that owns the object, you cannot modify or
delete the object. Only the application service can
modify or delete the object.
claim-name
Specifies the name of the claim.
claim-value
Specifies the value of the corresponding claim. This value
can be any string or session variable.
jwt-access-token-claim-entries
Specifies a list of entries consisting of a JWT access-token
claim name and its value.
app-service
Specifies the name of the application service to which
the object belongs. The default value is none. Note: If
the strict-updates option is enabled on the application
service that owns the object, you cannot modify or
delete the object. Only the application service can
modify or delete the object.
claim-name
Specifies the name of the claim.
claim-value
Specifies the value of the corresponding claim. This value
can be any string or session variable.
scope-entries
Specifies a list of entries consisting of a scope name and
its value.
app-service
Specifies the name of the application service to which
the object belongs. The default value is none. Note: If
the strict-updates option is enabled on the application
service that owns the object, you cannot modify or
delete the object. Only the application service can
modify or delete the object.
scope-name
Specifies the name of the scope.
scope-value
Specifies the value of the corresponding scope. This value
can be any string or session variable.
userinfo-claim-entries
Specifies a list of entries consisting of a UserInfo claim
name and its value.
app-service
Specifies the name of the application service to which
the object belongs. The default value is none. Note: If
the strict-updates option is enabled on the application
service that owns the object, you cannot modify or
delete the object. Only the application service can
modify or delete the object.
claim-name
Specifies the name of the claim.
claim-value
Specifies the value of the corresponding claim. This value
can be any string or session variable.
[name]
Specifies the name of the OAuth Authorization agent. This setting
is required.
partition
Displays the partition within which the component resides.
prompt-for-authorization
Specifies whether the OAuth Authorization page, for user
authorization, is displayed. This is applicable only for
"Authorization code" and "Implicit" grants.
subject
Specifies the subject value in issued JWT tokens. If subject is
specified in the OAuth Authorization agent, it overrides the value
specified in the OAuth profile.
SEE ALSO
apm oauth oauth-scope apm oauth oauth-claim
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2015-2017. All rights reserved.
BIG-IP 2017-10-20 apm policy agent oauth-authz(1)