apm policy agent oauth-authz

apm policy agent oauth-authz(1) 		  BIG-IP TMSH Manual		      apm policy agent oauth-authz(1)

NAME
       oauth-authz - Manages an OAuth Authorization agent.

MODULE
       apm policy agent

SYNTAX
       Configure the oauth-authz component within the policy agent module using the following syntax.

   CREATE/MODIFY
	create oauth-authz [name]
	modify oauth-authz [name]
	  options
	    app-service [[string] | none]
	    audience ( | none) [add | delete]
	    customization-group [[string] | none]
	    entries [ add | delete | modify | none | replace-all-with] {
		[entry-name] {
		  options:
		    app-service [[string] | none]
		    expression [[string] | none]
		    id-token-claim-entries [add | delete | modify | none | replace-all-with] {
			[id-token-claim-entry-name] {
			  options:
			    app-service [[string] | none]
			    claim-name [claim-name]
			    claim-value [[string] | none]
			}
		    }
		    jwt-access-token-claim-entries [add | delete | modify | none | replace-all-with] {
			[jwt-access-token-claim-entry-name] {
			  options:
			    app-service [[string] | none]
			    claim-name [claim-name]
			    claim-value [[string] | none]
			}
		    }
		    scope-entries [add | delete | modify | none | replace-all-with] {
			[scope-entry-name] {
			  options:
			    app-service [[string] | none]
			    scope-name [scope-name]
			    scope-value [[string] | none]
			}
		    }
		    userinfo-claim-entries [add | delete | modify | none | replace-all-with] {
			[userinfo-claim-entry-name] {
			  options:
			    app-service [[string] | none]
			    claim-name [claim-name]
			    claim-value [[string] | none]
			}
		    }
		}
	    }
	    prompt-for-authorization [true | false]
	    subject [[string] | none]

	edit oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list oauth-authz
	list oauth-authz [ [ [name] | [glob] | [regex] ] ... ]
	show running-config oauth-authz
	show running-config oauth-authz  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all
	    all-properties
	    app-service
	    customization-group
	    entries
	    non-default-properties
	    one-line
	    partition
	    prompt-for-authorization
	    recursive

   DELETE
	delete oauth-authz [name]

DESCRIPTION
       You can use the oauth-authz component to create and manage an OAuth Authorization agent that provides OAuth
       Authorization server functionality. The agent also manages scopes and claims so that different levels of
       access control can be granted based on the end user's role or any other criteria. For JWT type tokens, you
       can use the agent to manage the audience and subject values.

EXAMPLES
	      create oauth-authz MyOAuthAuthzAgent {
		 audience add { "company-oauth-rs.com" "partner-oauth-rs.com" }
		 customization-group "company_authz"
		 entries add {
		   0 {
		     expression "expr {return true}"
		     id-token-claim-entries add {
		       0 {
			 claim-name "group"
			 claim-value "%{session.ad.last.attr.memberOf}"
		       }
		     }
		     jwt-access-token-claim-entries add {
		       0 {
			 claim-name "group"
			 claim-value "%{session.ad.last.attr.memberOf}"
		       }
		       1 {
			 claim-name "profile"
			 claim-value "https://company.com/username"
		       }
		     }
		     userinfo-claim-entries add {
		       0 {
			 claim-name "profile"
			 claim-value "https://company.com/username"
		       }
		     }
		     scope-entries add {
		       0 {
			 scope-name "name"
			 scope-value "%{session.logon.last.name}"
		       }
		       1 {
			 scope-name "email"
			 scope-value "test@company.com"
		       }
		       2 {
			 scope-name "domain"
			 scope-value "%{session.logon.last.domain}"
		       }
		     }
		   }
		   1 {
		     expression "expr {[mcget {session.logon.last.name}] == \"testuser\"}"
		     jwt-access-token-claim-entries add {
		       0 {
			 claim-name "service"
			 claim-value "medium"
		       }
		     }
		     scope-entries add {
		       0 {
			 scope-name "project"
			 scope-value "project-one"
		       }
		     }
		   }
		 }
		 subject "%{session.assigned.uuid}"
	       }

	   Creates an OAuth Authorization agent named MyOAuthAuthzAgent that uses the customization group
	   company_authz to customize the OAuth Authorization page.

	   The agent associates the scopes name, email, and domain, with their values, to every access token, because
	   the first expression always evaluates to true. If an id_token is issued, it contains the claim group. If the
	   token type issued is JWT, each access token also includes the claims group and profile, and the UserInfo
	   response contains the claim profile. The agent also associates the scope project with value project-one to
	   the token if the user is testuser. If a JWT access token is issued to user testuser, it also contains the
	   claim service with value medium.

	   If the token issued is a JWT access token, the agent additionally includes an audience containing the values
	   company-oauth-rs.com and partner-oauth-rs.com, along with the subject and its value.
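	   The following is an added illustration, not F5 code: a small Python model of how the example agent above
	   assembles scopes, claims, audience and subject for a given session. It assumes session variables are a
	   plain dict and replaces each entry's Tcl expression with a Python predicate over that dict.

```python
import re
from typing import Dict

# Constructed model of the oauth-authz semantics described on this page; not F5 code.
# Session variables are a dict and each entry's Tcl expression is replaced by a
# Python predicate over that dict (an assumption of this model, not APM behaviour).
Session = Dict[str, str]
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def expand(value: str, session: Session) -> str:
    """Substitute %{session.var} references with values taken from the session."""
    return PLACEHOLDER.sub(lambda m: session.get(m.group(1), ""), value)


# Entries mirroring the MyOAuthAuthzAgent example: entry 0 always matches,
# entry 1 matches only when the logon name is testuser.
ENTRIES = [
    {"expression": lambda s: True,
     "scope-entries": {"name": "%{session.logon.last.name}", "email": "test@company.com",
                       "domain": "%{session.logon.last.domain}"},
     "id-token-claim-entries": {"group": "%{session.ad.last.attr.memberOf}"},
     "jwt-access-token-claim-entries": {"group": "%{session.ad.last.attr.memberOf}",
                                        "profile": "https://company.com/username"},
     "userinfo-claim-entries": {"profile": "https://company.com/username"}},
    {"expression": lambda s: s.get("session.logon.last.name") == "testuser",
     "scope-entries": {"project": "project-one"},
     "jwt-access-token-claim-entries": {"service": "medium"}},
]
AUDIENCE = ["company-oauth-rs.com", "partner-oauth-rs.com"]
SUBJECT = "%{session.assigned.uuid}"
KINDS = (("scope-entries", "scope"), ("id-token-claim-entries", "id_token"),
         ("jwt-access-token-claim-entries", "access_token"), ("userinfo-claim-entries", "userinfo"))


def issue(session: Session, jwt: bool) -> dict:
    """Collect scopes and claims from every entry whose expression evaluates to true."""
    out = {"scope": {}, "id_token": {}, "access_token": {}, "userinfo": {}}
    for entry in ENTRIES:
        if not entry["expression"](session):
            continue
        for kind, key in KINDS:
            for name, value in entry.get(kind, {}).items():
                out[key][name] = expand(value, session)
    if jwt:  # audience and subject are only added to JWT access tokens
        out["access_token"]["aud"] = list(AUDIENCE)
        out["access_token"]["sub"] = expand(SUBJECT, session)
    return out
```

	   Running issue() for a testuser session yields the four scopes and the service claim the text describes,
	   while any other user gets only the three scopes from entry 0.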

	       list oauth-authz

	   Displays a list of OAuth Authorization agents.

	       delete oauth-authz MyOAuthAuthzAgent

	   Deletes the OAuth Authorization agent named MyOAuthAuthzAgent.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none.
	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete the object. Only the application service can modify or delete the object.

       audience
	    Specifies a list of audience values used in the JWT tokens issued. If an audience list is specified in the
	    OAuth Authorization agent, it overrides the values in the OAuth profile and the OAuth client app.

       customization-group
	    Specifies the customization group that defines the appearance of the OAuth Authorization page.

       entries
	    Specifies a list of entries consisting of an expression and a list of scope entries. If the expression
	    evaluates to true, then the OAuth Authorization agent associates the corresponding list of scope entries
	    to an issued token. Scope entries determine the access control that the OAuth Authorization server
	    requests on behalf of the client application.

	    app-service
		 Specifies the name of the application service to which the object belongs. The default value is
		 none. Note: If the strict-updates option is enabled on the application service that owns the object,
		 you cannot modify or delete the object. Only the application service can modify or delete the
		 object.

	    expression
		 Specifies the expression that the OAuth Authorization agent evaluates in order to decide whether to
		 associate the corresponding scopes and claims with an issued token. You can use the following
		 operators: AND, OR, NOT, and parentheses.

	    id-token-claim-entries
		 Specifies a list of entries consisting of an ID token claim name and its value.

		 app-service
		      Specifies the name of the application service to which the object belongs. The default value is
		      none. Note: If the strict-updates option is enabled on the application service that owns the
		      object, you cannot modify or delete the object. Only the application service can modify or
		      delete the object.

		 claim-name
		      Specifies the name of the claim.

		 claim-value
		      Specifies the value of the corresponding claim. The value can be any string or session variable.

	    jwt-access-token-claim-entries
		 Specifies a list of entries consisting of a JWT access-token claim name and its value.

		 app-service
		      Specifies the name of the application service to which the object belongs. The default value is
		      none. Note: If the strict-updates option is enabled on the application service that owns the
		      object, you cannot modify or delete the object. Only the application service can modify or
		      delete the object.

		 claim-name
		      Specifies the name of the claim.

		 claim-value
		      Specifies the value of the corresponding claim. The value can be any string or session variable.

	    scope-entries
		 Specifies a list of entries consisting of a scope name and its value.

		 app-service
		      Specifies the name of the application service to which the object belongs. The default value is
		      none. Note: If the strict-updates option is enabled on the application service that owns the
		      object, you cannot modify or delete the object. Only the application service can modify or
		      delete the object.

		 scope-name
		      Specifies the name of the scope.

		 scope-value
		      Specifies the value of the corresponding scope. The value can be any string or session variable.

	    userinfo-claim-entries
		 Specifies a list of entries consisting of a UserInfo claim name and its value.

		 app-service
		      Specifies the name of the application service to which the object belongs. The default value is
		      none. Note: If the strict-updates option is enabled on the application service that owns the
		      object, you cannot modify or delete the object. Only the application service can modify or
		      delete the object.

		 claim-name
		      Specifies the name of the claim.

		 claim-value
		      Specifies the value of the corresponding claim. The value can be any string or session variable.

       [name]
	    Specifies the name of the OAuth Authorization agent. This setting is required.

       partition
	    Displays the partition within which the component resides.

       prompt-for-authorization
	    Specifies whether the OAuth Authorization page, for user authorization, is displayed. This is applicable
	    only for "Authorization code" and "Implicit" grants.

       subject
	    Specifies the value of the subject in the JWT tokens issued. If a subject is specified in the OAuth
	    Authorization agent, it overrides the value specified in the OAuth profile.

SEE ALSO
       apm oauth oauth-scope, apm oauth oauth-claim

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2015-2017. All rights reserved.

BIG-IP						      2017-10-20		      apm policy agent oauth-authz(1)