apm profile oauth
apm profile oauth(1) BIG-IP TMSH Manual apm profile oauth(1)
NAME
oauth - Configures an oauth profile.
MODULE
apm profile
SYNTAX
Configure the oauth component within the profile module using the syntax shown in the following sections.
CREATE/MODIFY
create oauth [name]
modify oauth [name]
options:
access-token-lifetime [integer]
app-service [[string] | none]
audience [add | delete | none | replace-all-with] {
[string]
}
auth-code-lifetime [integer]
auth-url [string]
client-apps [add | delete | replace-all-with] {
[client-app-name]
}
db-instance [db-instance-name]
defaults-from [[string] | none]
generate-jwt-refresh-token [true | false]
generate-refresh-token [true | false]
id-token-claims [add | delete | none | replace-all-with] {
[claim-name]
}
id-token-lifetime [integer]
id-token-primary-key [jwk-config-name]
ignore-expired-cert [true | false]
issuer [string]
jwks-url [string]
jwt-access-token-claims [add | delete | none | replace-all-with] {
[claim-name]
}
jwt-access-token-lifetime [integer]
jwt-ec-signature-format [binary | der]
jwt-refresh-token-enc-secret [string]
jwt-refresh-token-lifetime [integer]
jwt-token [enabled | disabled]
opaque-token [enabled | disabled]
openid-cfg-url [string]
openid-connect [enabled | disabled]
per-user-token-limit [integer]
primary-key [jwk-config-name]
refresh-token-lifetime [integer]
refresh-token-usage-limit [integer]
resource-servers [add | delete | replace-all-with] {
[resource-server-name]
}
reuse-access-token [true | false]
reuse-refresh-token [true | false]
rotation-keys [add | delete | none | replace-all-with] {
[jwk-config-name]
}
subject [[string] | none]
token-introspection-url [string]
token-issuance-url [string]
token-revocation-url [string]
trusted-ca-bundle [certificate-file-object-name]
userinfo-claims [add | delete | none | replace-all-with] {
[claim-name]
}
userinfo-primary-key [jwk-config-name]
userinfo-url [string]
edit oauth [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list oauth
list oauth [ [ [name] | [glob] | [regex] ] ... ]
show running-config oauth
show running-config oauth [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
partition
show oauth
show oauth [name]
DELETE
delete oauth [name]
DESCRIPTION
You can use the oauth component to configure an oauth profile. An oauth profile is a pre-configured group of
settings that you can use to configure OAuth Authorization Server.
NOTE: For the oauth profile to take effect, this profile must be associated with an access profile. (See man
page for apm access profile.)
EXAMPLES
create oauth myOAuthProfile {
defaults-from oauth
client-apps add { client_1 client_2}
resource-servers add { rs_1 rs_2}
opaque-token enabled
db-instance db_test
jwt-token enabled
openid-connect enabled
issuer https://example.f5.com
primary-key jwk1_hs256
id-token-primary-key jwk1_rs256
generate-jwt-refresh-token true
jwt-refresh-token-enc-secret password
auth-url /f5-oauth2/v1/authorize
token-issuance-url /f5-oauth2/v1/token
token-revocation-url /f5-oauth2/v1/revoke
token-introspection-url /f5-oauth2/v1/introspect
openid-cfg-url /f5-oauth2/v1/.well-known/openid-configuration
jwks-url /f5-oauth2/v1/jwks
userinfo-url /f5-oauth2/v1/userinfo
}
Creates an oauth profile named myOAuthProfile that is based on the default oauth profile named oauth. The
profile serves OAuth requests from client applications named client_1 and client_2 and resource servers
named rs_1 and rs_2.
The profile is configured to generate both Opaque and JWT access tokens. For Opaque access token, it uses
db instance named db_test. For JWT access token, it uses issuer named https://example.f5.com, primary key
named jwk1_hs256 to sign JWT tokens and JWT refresh token encryption secret named password for encryption
of refresh token generated with the JWT access token. The profile also supports OpenID Connect. It uses
key named jwk1_rs256 to sign ID Tokens.
It uses /f5_oauth2/v1/authorize as the authorization endpoint, /f5-oauth2/v1/token as token issuance
endpoint, /f5-oauth2/v1/revoke as revocation endpoint, /f5-oauth2/v1/introspect as token introspection
endpoint for validating Opaque tokens, /f5-oauth2/v1/.well-known/openid-configuration as OpenID Connect
metadata configuration endpoint, /f5-oauth2/v1/jwks as JWKS endpoint and /f5-oauth2/v1/userinfo as
UserInfo endpoint.
list oauth all all-properties
Displays a list of oauth profiles, including parameter values.
delete oauth myOAuthProfile
Deletes the oauth profile named myOAuthProfile.
OPTIONS
access-token-lifetime
Specifies the number of minutes for which the access token should be valid. The default is 5 minutes.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
audience
Specifies the audience claim for which the JWT access token is intended. This is a list of values. Each
value in this list can be a string, URI, or session variable.
auth-code-lifetime
Specifies the number of minutes for which the authorization code should be valid. The default is 5
minutes.
auth-url
Specifies the path of the authorization endpoint that is used to authenticate the resource owner and
provide the authorization code. The default is /f5-oauth2/v1/authorize.
client-apps
Specifies the list of client applications that is served by the OAuth Authorization Server associated
with this profile.
db-instance
Specifies the db instance that is used to store tokens generated by the OAuth Authorization Server that
is associated with this profile.
defaults-from
Specifies the default oauth profile from which this profile is created. The default is oauth.
generate-jwt-refresh-token
Specifies whether a refresh token should be generated along with the JWT access token. This is applicable
only for "Authorization Code" and "Resource Owner Password Credentials" grant types. The default is true.
generate-refresh-token
Specifies whether a refresh token should be generated along with the access token. This is applicable
only for "Authorization Code" and "Resource Owner Password Credentials" grant types.
id-token-claims
Specifies the list of claims that are part of ID token.
id-token-lifetime
Specifies the number of minutes for which the ID token should be valid. The default is 5 minutes.
id-token-primary-key
Specifies the JWK config that is used to retrieve the shared key (symmetric) or private key (asymmetric)
used to sign ID token. If the key is asymmetric, the configured public key will be returned as part of
JWKS URL response.
ignore-expired-cert
Specifies whether to ignore the expiry of the certificate used for signing JWT access token. If this
value is true, then the certificate will be used for signing JWT access token even if it is expired. The
default is false.
issuer
Specifies the issuer claim that is part of JWT access token. This value must be a URI.
jwks-url
Specifies the path of the JWKS endpoint that returns public signing keys. These keys are used by OAuth
Resource Servers to verify the digital signature of JWT access token. The default is /f5-oauth2/v1/jwks.
jwt-access-token-claims
Specifies the list of claims that are part of JWT access token.
jwt-access-token-lifetime
Specifies the number of minutes for which the JWT access token should be valid. The default is 5 minutes.
jwt-ec-signature-format
Specifies the JWT token signature format for Elliptic Curve. The default is binary format.
jwt-refresh-token-enc-secret
Specifies the JWT refresh token encryption secret that is used to generate an encryption key. This key is
used to encrypt the refresh token when JWT token is enabled.
jwt-refresh-token-lifetime
Specifies the number of minutes for which the JWT refresh token should be valid. The default is 60
minutes.
jwt-token
Specifies whether JWT access token should be generated. The default is false.
opaque-token
Specifies whether opaque (non-JWT) access token should be generated. The default is true.
openid-cfg-url
Specifies the path of OpenID Connect endpoint that returns OpenID Connect configuration. The default is
/f5-oauth2/v1/.well-known/openid-configuration.
openid-connect
Specifies whether this OAuth profile supports OpenID connect or not.
per-user-token-limit
Specifies the maximum number of active access tokens that can be generated for a user. The default is
255. The range is 0 to 5000.
primary-key
Specifies the JWK config that is used to retrieve the shared key (symmetric) or private key (asymmetric)
used to sign JWT access token. If the key is asymmetric, the configured public key will be returned as
part of JWKS URL response.
refresh-token-lifetime
Specifies the number of minutes for which the refresh token should be valid. The default is 480 minutes.
refresh-token-usage-limit
Specifies the maximum number of times the access token can be obtained using the refresh token request.
The default value is 0, which represents unlimited number of times.
resource-servers
Specifies the list of resource servers that is served by the OAuth Authorization Server that is
associated with this profile.
reuse-access-token
Specifies whether an access token is reused or a new access token is generated when it is obtained using
refresh token request. When the access token is reused, its expiry time is extended.
reuse-refresh-token
Specifies whether a refresh token is reused or a new refresh token is generated when it is obtained using
refresh token request.
rotation-keys
Specifies one or more JWK configs that contain public keys used as rotation keys. The public keys derived
from this set will be returned as part of JWKS URL response.
subject
Specifies the subject claim that is part of JWT access token. This value can be a string, URI, or session
variable. The default is %{session.assigned.uuid}
token-issuance-url
Specifies the path of token issuance endpoint that is used to issue an access token and possibly a
refresh token. The default is /f5-oauth2/v1/token.
token-revocation-url
Specifies the path of token revocation endpoint that is used to revoke an access token or a refresh
token. The default is /f5-oauth2/v1/revoke.
token-introspection-url
Specifies the path of token introspection endpoint that is used to introspect an access token. The
default is /f5-oauth2/v1/introspect.
trusted-ca-bundle
Specifies the trusted ca bundle that is used during verification of JWK config specified in primary-key
that uses asymmetric key.
userinfo-claims
Specifies the list of claims that are part of UserInfo.
userinfo-primary-key
Specifies the JWK config that is used to retrieve the shared key (symmetric) or private key (asymmetric)
used to sign UserInfo. If the key is asymmetric, the configured public key will be returned as part of
JWKS URL response.
userinfo-url
Specifies the path of userinfo endpoint that is used to obtain claims about the authenticated end-user.
The default is /f5-oauth2/v1/userinfo.
SEE ALSO
apm oauth, apm policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2015-2017. All rights reserved.
BIG-IP 2017-10-18 apm profile oauth(1)