apm profile oauth

apm profile oauth(1)	      BIG-IP TMSH Manual	  apm profile oauth(1)



NAME
       oauth - Configures an oauth profile.

MODULE
       apm profile

SYNTAX
       Configure the oauth component within the profile module using the
       syntax shown in the following sections.

   CREATE/MODIFY
	create oauth [name]
	modify oauth [name]
	  options:
	    access-token-lifetime [integer]
	    app-service [[string] | none]
	    audience [add | delete | none | replace-all-with] {
	      [string]
	    }
	    auth-code-lifetime [integer]
	    auth-url [string]
	    client-apps [add | delete | replace-all-with] {
	      [client-app-name]
	    }
	    db-instance [db-instance-name]
	    defaults-from [[string] | none]
	    generate-jwt-refresh-token [true | false]
	    generate-refresh-token [true | false]
	    id-token-claims [add | delete | none | replace-all-with] {
	      [claim-name]
	    }
	    id-token-lifetime [integer]
	    id-token-primary-key [jwk-config-name]
	    ignore-expired-cert [true | false]
	    issuer [string]
	    jwks-url [string]
	    jwt-access-token-claims [add | delete | none | replace-all-with] {
	      [claim-name]
	    }
	    jwt-access-token-lifetime [integer]
	    jwt-ec-signature-format [binary | der]
	    jwt-refresh-token-enc-secret [string]
	    jwt-refresh-token-lifetime [integer]
	    jwt-token [enabled | disabled]
	    opaque-token [enabled | disabled]
	    openid-cfg-url [string]
	    openid-connect [enabled | disabled]
	    per-user-token-limit [integer]
	    primary-key [jwk-config-name]
	    refresh-token-lifetime [integer]
	    refresh-token-usage-limit [integer]
	    resource-servers [add | delete | replace-all-with] {
	      [resource-server-name]
	    }
	    reuse-access-token [true | false]
	    reuse-refresh-token [true | false]
	    rotation-keys [add | delete | none | replace-all-with] {
	      [jwk-config-name]
	    }
	    subject [[string] | none]
	    token-introspection-url [string]
	    token-issuance-url [string]
	    token-revocation-url [string]
	    trusted-ca-bundle [certificate-file-object-name]
	    userinfo-claims [add | delete | none | replace-all-with] {
	      [claim-name]
	    }
	    userinfo-primary-key [jwk-config-name]
	    userinfo-url [string]
	edit oauth [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list oauth
	list oauth [ [ [name] | [glob] | [regex] ] ... ]
	show running-config oauth
	show running-config oauth [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    partition

	show oauth
	show oauth [name]

   DELETE
	delete oauth [name]

DESCRIPTION
       You can use the oauth component to configure an oauth profile. An oauth
       profile is a pre-configured group of settings that you can use to
       configure an OAuth Authorization Server.

       NOTE: For the oauth profile to take effect, this profile must be
       associated with an access profile. (See man page for apm access
       profile.)

EXAMPLES
	       create oauth myOAuthProfile {
		 defaults-from oauth
		 client-apps add { client_1 client_2}
		 resource-servers add { rs_1 rs_2}
		 opaque-token enabled
		 db-instance db_test
		 jwt-token enabled
		 openid-connect enabled
		 issuer https://example.f5.com
		 primary-key jwk1_hs256
		 id-token-primary-key jwk1_rs256
		 generate-jwt-refresh-token true
		 jwt-refresh-token-enc-secret password
		 auth-url /f5-oauth2/v1/authorize
		 token-issuance-url /f5-oauth2/v1/token
		 token-revocation-url /f5-oauth2/v1/revoke
		 token-introspection-url /f5-oauth2/v1/introspect
		 openid-cfg-url /f5-oauth2/v1/.well-known/openid-configuration
		 jwks-url /f5-oauth2/v1/jwks
		 userinfo-url /f5-oauth2/v1/userinfo
	       }

	    Creates an oauth profile named myOAuthProfile that is based on the
	    default oauth profile named oauth. The profile serves OAuth
	    requests from client applications named client_1 and client_2 and
	    resource servers named rs_1 and rs_2.

	    The profile is configured to generate both opaque and JWT access
	    tokens. For opaque access tokens, it uses the db instance named
	    db_test. For JWT access tokens, it uses the issuer
	    https://example.f5.com, the primary key named jwk1_hs256 to sign
	    JWT tokens, and the JWT refresh token encryption secret password
	    to encrypt the refresh token generated along with the JWT access
	    token. The profile also supports OpenID Connect and uses the key
	    named jwk1_rs256 to sign ID Tokens.

	    It uses /f5-oauth2/v1/authorize as the authorization endpoint,
	    /f5-oauth2/v1/token as the token issuance endpoint,
	    /f5-oauth2/v1/revoke as the revocation endpoint,
	    /f5-oauth2/v1/introspect as the token introspection endpoint for
	    validating opaque tokens,
	    /f5-oauth2/v1/.well-known/openid-configuration as the OpenID Connect
	    metadata configuration endpoint, /f5-oauth2/v1/jwks as the JWKS
	    endpoint and /f5-oauth2/v1/userinfo as the UserInfo endpoint.
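	    The following is an added illustration, not part of this manual
	    page or F5's own code, of what the JWT settings above mean at the
	    two ends of the exchange: the authorization server mints an HS256
	    access token carrying the profile's issuer, subject, audience and
	    jwt-access-token-lifetime, and a resource server verifies it. The
	    shared key bytes for jwk1_hs256 and the audience list (rs_1, rs_2)
	    are constructed assumptions; the page does not give them.

```python
import base64, hashlib, hmac, json

# Constructed values mirroring the example profile above. The jwk1_hs256 key
# bytes and the audience list are assumptions; neither appears on the page.
ISSUER = "https://example.f5.com"          # issuer claim (must be a URI)
AUDIENCE = ["rs_1", "rs_2"]                # audience claim: intended resource servers
LIFETIME_MIN = 5                           # jwt-access-token-lifetime default (minutes)
HS256_KEY = b"constructed-shared-secret-for-jwk1_hs256"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(subject: str, now: int, key: bytes = HS256_KEY) -> str:
    """Authorization-server side: mint an HS256 JWT access token with the
    claims the profile settings describe (iss, sub, aud, exp = iat + lifetime)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE,
              "iat": now, "exp": now + LIFETIME_MIN * 60}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_access_token(token: str, my_name: str, now: int, key: bytes = HS256_KEY) -> dict:
    """Resource-server side: check signature, issuer, audience and expiry.
    Returns the claims, or raises ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    # Pin the algorithm to what the profile signs with; do not let the token choose it.
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if my_name not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

	    The verifier checks signature, issuer, audience and expiry in that
	    order, so a token from another issuer or for another resource
	    server is rejected before its claims are used.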

		list oauth all all-properties

	    Displays a list of oauth profiles, including parameter values.

		delete oauth myOAuthProfile

	    Deletes the oauth profile named myOAuthProfile.

OPTIONS
       access-token-lifetime
	    Specifies the number of minutes for which the access token should
	    be valid. The default is 5 minutes.

       app-service
	    Specifies the name of the application service to which the object
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the object. Only the application
	    service can modify or delete the object.

       audience
	    Specifies the audience claim for which the JWT access token is
	    intended. This is a list of values. Each value in this list can be
	    a string, URI, or session variable.

       auth-code-lifetime
	    Specifies the number of minutes for which the authorization code
	    should be valid. The default is 5 minutes.

       auth-url
	    Specifies the path of the authorization endpoint that is used to
	    authenticate the resource owner and provide the authorization
	    code. The default is /f5-oauth2/v1/authorize.

       client-apps
	    Specifies the list of client applications that are served by the
	    OAuth Authorization Server associated with this profile.

       db-instance
	    Specifies the db instance that is used to store tokens generated
	    by the OAuth Authorization Server that is associated with this
	    profile.

       defaults-from
	    Specifies the default oauth profile from which this profile is
	    created. The default is oauth.

       generate-jwt-refresh-token
	    Specifies whether a refresh token should be generated along with
	    the JWT access token. This is applicable only for "Authorization
	    Code" and "Resource Owner Password Credentials" grant types. The
	    default is true.

       generate-refresh-token
	    Specifies whether a refresh token should be generated along with
	    the access token. This is applicable only for "Authorization Code"
	    and "Resource Owner Password Credentials" grant types.

       id-token-claims
	    Specifies the list of claims that are part of ID token.

       id-token-lifetime
	    Specifies the number of minutes for which the ID token should be
	    valid. The default is 5 minutes.

       id-token-primary-key
	    Specifies the JWK config that is used to retrieve the shared key
	    (symmetric) or private key (asymmetric) used to sign ID token. If
	    the key is asymmetric, the configured public key will be returned
	    as part of JWKS URL response.

       ignore-expired-cert
	    Specifies whether to ignore the expiry of the certificate used for
	    signing JWT access token. If this value is true, then the
	    certificate will be used for signing JWT access token even if it
	    is expired. The default is false.

       issuer
	    Specifies the issuer claim that is part of JWT access token. This
	    value must be a URI.

       jwks-url
	    Specifies the path of the JWKS endpoint that returns public
	    signing keys. These keys are used by OAuth Resource Servers to
	    verify the digital signature of JWT access token. The default is
	    /f5-oauth2/v1/jwks.

       jwt-access-token-claims
	    Specifies the list of claims that are part of JWT access token.

       jwt-access-token-lifetime
	    Specifies the number of minutes for which the JWT access token
	    should be valid. The default is 5 minutes.

       jwt-ec-signature-format
	    Specifies the JWT token signature format for Elliptic Curve. The
	    default is binary format.

       jwt-refresh-token-enc-secret
	    Specifies the JWT refresh token encryption secret that is used to
	    generate an encryption key. This key is used to encrypt the
	    refresh token when JWT token is enabled.

       jwt-refresh-token-lifetime
	    Specifies the number of minutes for which the JWT refresh token
	    should be valid. The default is 60 minutes.

       jwt-token
	    Specifies whether JWT access token should be generated. The
	    default is false.

       opaque-token
	    Specifies whether opaque (non-JWT) access token should be
	    generated. The default is true.

       openid-cfg-url
	    Specifies the path of OpenID Connect endpoint that returns OpenID
	    Connect configuration. The default is
	    /f5-oauth2/v1/.well-known/openid-configuration.

       openid-connect
	    Specifies whether this OAuth profile supports OpenID Connect or
	    not.

       per-user-token-limit
	    Specifies the maximum number of active access tokens that can be
	    generated for a user. The default is 255. The range is 0 to 5000.

       primary-key
	    Specifies the JWK config that is used to retrieve the shared key
	    (symmetric) or private key (asymmetric) used to sign JWT access
	    token. If the key is asymmetric, the configured public key will be
	    returned as part of JWKS URL response.

       refresh-token-lifetime
	    Specifies the number of minutes for which the refresh token should
	    be valid. The default is 480 minutes.

       refresh-token-usage-limit
	    Specifies the maximum number of times the access token can be
	    obtained using the refresh token request. The default value is 0,
	    which represents an unlimited number of times.

       resource-servers
	    Specifies the list of resource servers that are served by the OAuth
	    Authorization Server that is associated with this profile.

       reuse-access-token
	    Specifies whether an access token is reused or a new access token
	    is generated when it is obtained using refresh token request. When
	    the access token is reused, its expiry time is extended.

       reuse-refresh-token
	    Specifies whether a refresh token is reused or a new refresh token
	    is generated when it is obtained using refresh token request.

       rotation-keys
	    Specifies one or more JWK configs that contain public keys used as
	    rotation keys. The public keys derived from this set will be
	    returned as part of JWKS URL response.

       subject
	    Specifies the subject claim that is part of JWT access token. This
	    value can be a string, URI, or session variable. The default is
	    %{session.assigned.uuid}.

       token-issuance-url
	    Specifies the path of token issuance endpoint that is used to
	    issue an access token and possibly a refresh token. The default is
	    /f5-oauth2/v1/token.

       token-revocation-url
	    Specifies the path of token revocation endpoint that is used to
	    revoke an access token or a refresh token. The default is
	    /f5-oauth2/v1/revoke.

       token-introspection-url
	    Specifies the path of token introspection endpoint that is used to
	    introspect an access token. The default is
	    /f5-oauth2/v1/introspect.

       trusted-ca-bundle
	    Specifies the trusted CA bundle that is used during verification
	    of the JWK config specified in primary-key when it uses an
	    asymmetric key.

       userinfo-claims
	    Specifies the list of claims that are part of UserInfo.

       userinfo-primary-key
	    Specifies the JWK config that is used to retrieve the shared key
	    (symmetric) or private key (asymmetric) used to sign UserInfo. If
	    the key is asymmetric, the configured public key will be returned
	    as part of JWKS URL response.

       userinfo-url
	    Specifies the path of userinfo endpoint that is used to obtain
	    claims about the authenticated end-user. The default is
	    /f5-oauth2/v1/userinfo.

SEE ALSO
       apm oauth, apm policy

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2015-2017. All rights reserved.



BIG-IP				  2017-10-18		  apm profile oauth(1)