apm oauth oauth-client-app
apm oauth oauth-client-app(1) BIG-IP TMSH Manual apm oauth oauth-client-app(1)
NAME
oauth-client-app - Manages client applications to use with OAuth Authorization Server.
MODULE
apm oauth
SYNTAX
Configure the oauth-client-app component within the oauth module using the following syntax.
CREATE/MODIFY
create oauth-client-app [name]
modify oauth-client-app [name]
options:
access-token-lifetime [integer]
app-description [[string] | none]
app-name [string]
app-service [[string] | none]
audience [add | delete | none | replace-all-with] {
[string]
}
auth-code-lifetime [integer]
auth-type [none | secret | certificate]
client-cert-dn [[string] | none]
contact [[string] | none]
customization-group [[string] | none]
generate-jwt-refresh-token [true | false]
generate-refresh-token [true | false]
grant-code [enabled | disabled]
grant-password [enabled | disabled]
grant-token [enabled | disabled]
id-token-claims [add | delete | none | replace-all-with] {
[claim-name]
}
id-token-lifetime [integer]
jwt-access-token-claims [add | delete | none | replace-all-with] {
[claim-name]
}
jwt-access-token-lifetime [integer]
jwt-refresh-token-lifetime [integer]
logo-url [[string] | none]
openid-connect [enabled | disabled]
redirect-uris [add | delete | none | replace-all-with] {
[URI]
}
refresh-token-lifetime [integer]
refresh-token-usage-limit [integer]
regenerate-client-secret
reuse-access-token [true | false]
reuse-refresh-token [true | false]
scopes [add | delete | replace-all-with] {
[scope-name]
}
use-profile-token-mgmt-settings [true | false]
userinfo-claims [add | delete | none | replace-all-with] {
[claim-name]
}
website-url [[string] | none]
edit oauth-client-app [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
DISPLAY
list oauth-client-app
list oauth-client-app [ [ [name] | [glob] | [regex] ] ... ]
show running-config oauth-client-app
show running-config oauth-client-app [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
DELETE
delete oauth-client-app [name]
DESCRIPTION
You can use the oauth-client-app component to register and manage client applications that will make protected
resource requests to the OAuth Authorization server on behalf of the resource owner and with its
authorization.
EXAMPLES
create oauth-client-app myClientApplication {
app-description "Test App is an application that tests all grant types."
app-name "Test App"
grant-code enabled
grant-password enabled
grant-token enabled
logo-url "https://abc.cloud.net/www/public/assets/images/logos/testapp.png"
redirect-uris add { https://vm1.lab.fp.f5net.com/oauth2/f5_test.php }
scopes add { scope1 scope2 }
website-url "https://www.test.com"
use-profile-token-mgmt-settings false
audience add { rs1 rs2 }
jwt-access-token-claims add { claim1 claim2 }
}
Creates a client application named myClientApplication that will use the generated client credentials to
send requests to this Authorization server. It can send token requests using any of the three supported
grant types (authorization code, resource owner password credentials or implicit) and uses the default
authentication type "secret".
The authorization server will use the configured redirect uri to re-direct back to the client. The client
application is associated with configured scopes named scope1 and scope2.
The authorization server will not use the token management settings from the profile, and hence it will
use the configured audience rs1 and rs2 and claim claim1 and claim2 values when a JWT access token is
returned to the client.
list oauth-client-app
Displays a list of registered client-apps.
delete oauth-client-app myClientApplication
Deletes the OAuth client application myClientApplication
OPTIONS
access-token-lifetime
Specifies the number of minutes for which the access token should be valid. The default is 5 minutes.
app-description
Specifies a user-defined description for the client-app. The default value is none.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
audience
Specifies the audience claim for which the JWT access token is intended. This is a list of values. Each
value in this list can be a string, URI, or session variable.
auth-code-lifetime
Specifies the number of minutes for which the authorization code should be valid. The default is 5
minutes.
auth-type
Specifies the authentication type the client will use when it makes requests to the Authorization Server.
The default value is secret and other possible values are none and certificate.
client-cert-dn
Specifies the distinguished name of the client certificate that is used to validate a request from client
when authentication type is set to certificate.
client-id
Specifies the client ID that uniquely identifies the client application. This field will be auto-
generated and should not be specified or modified. Also, this entry cannot be edited once it has been
generated.
client-secret
Specifies the client secret that is used to validate a request from client when authentication type is
set to secret. This field will be auto-generated and should not be specified or modified.
contact
Specifies a means to contact the developer of the client application.
customization-group
Specifies the customization settings for the client application.
generate-jwt-refresh-token
Specifies whether a refresh token should be generated along with the JWT access token. This is applicable
only for "Authorization Code" and "Resource Owner Password Credentials" grant types. The default is true.
generate-refresh-token
Specifies whether a refresh token should be generated along with the access token. This is applicable
only for "Authorization Code" and "Resource Owner Password Credentials" grant types.
grant-code
Specifies whether the client application will use the "authorization code" grant type. This grant type
must be enabled in order to support hybrid flow in OpenID Connect. The default value is disabled. At
least one grant type must be set to enabled.
grant-password
Specifies whether the client application will use the "resource owner password credentials" grant type.
The default value is disabled.
grant-token
Specifies whether the client application will use the "implicit" grant type. The default value is
disabled.
id-token-claims
Specifies the list of claims that are part of ID token.
id-token-lifetime
Specifies the number of minutes for which the ID token should be valid. The default is 5 minutes.
jwt-access-token-claims
Specifies the list of claims that are part of JWT access token.
jwt-access-token-lifetime
Specifies the number of minutes for which the JWT access token should be valid. The default is 5 minutes.
jwt-refresh-token-lifetime
Specifies the number of minutes for which the JWT refresh token should be valid. The default is 60
minutes.
logo-url
Specifies the path from which the logo of the client application can be displayed.
openid-connect
Specifies whether this client app supports OpenID Connect or not.
[name]
Specifies the name of the OAuth Client Application. This setting is required.
partition
Displays the partition within which the component resides.
redirect-uris
Specifies the list of re-direct URIs that the Authorization Server will use to re-direct back to the
client after processing a request. This setting should have at least one entry if the client application
uses the authorization code grant type or the implicit grant type.
refresh-token-lifetime
Specifies the number of minutes for which the refresh token should be valid. The default is 480 minutes.
refresh-token-usage-limit
Specifies the maximum number of times the access token can be obtained using the refresh token request.
The default value is 64. Value 0 represents unlimited number of times.
regenerate-client-secret
Indicates a request to regenerate the client secret. Do not use other means to modify the secret.
reuse-access-token
Specifies whether an access token is reused or a new access token is generated when it is obtained using
refresh token request. When the access token is reused, its expiry time is extended.
reuse-refresh-token
Specifies whether a refresh token is reused or a new refresh token is generated when it is obtained using
refresh token request.
scopes
Specifies the list of scopes that is to be associated with the client application.
use-profile-token-mgmt-settings
Specifies whether the default settings that come from OAuth profile must be used or not.
userinfo-claims
Specifies the list of claims that are part of UserInfo.
website-url
Specifies the website URL of the client application.
SEE ALSO
apm profile oauth
apm oauth oauth-scope
apm oauth oauth-claim
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2015-2017. All rights reserved.
BIG-IP 2017-10-31 apm oauth oauth-client-app(1)