APM in OAuth roles in the network
On a single BIG-IP® system, Access Policy Manager® (APM®) can be configured to act as an OAuth 2.0 client and resource server, or to act as an OAuth 2.0 authorization server, or to act as both.
The OAuth 2.0 specification, RFC 6749, defines the roles in this table.

| Role | Description |
|---|---|
| resource owner | Can grant access to a protected resource. A resource owner can be an end-user (person) or another entity. |
| resource server | Hosts protected resources, and can accept and respond to requests for protected resources using access tokens. |
| client | Makes requests for protected resources on behalf of, and with authorization from, the resource owner. The client is an application. |
| authorization server | Issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization. |
When Access Policy Manager® (APM®) acts as an OAuth resource server, users can log on using external OAuth accounts to gain access to the resources that APM protects. External OAuth accounts can be social accounts, such as Facebook and Google, or enterprise accounts, such as F5 (APM) and Ping Identity (PingFederate).
In this configuration, APM also acts as a client application to an external OAuth authorization server, such as APM on another BIG-IP® system, or Google.
When Access Policy Manager® (APM®) acts as an OAuth authorization server, APM can grant authorization codes, access tokens, and refresh tokens, and APM can perform token introspection.
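The following model, added here as an illustration and not part of the F5 documentation or the APM product, shows how the roles above interact: the authorization server issues an authorization code, exchanges it for access and refresh tokens, and answers token introspection, while the resource server accepts a bearer token only after introspecting it. The `AuthorizationServer` class, the `resource_server_request` function, and all client identifiers and scopes are constructed for this example.

```python
import secrets, time


class AuthorizationServer:
    """Authorization-server role: grants codes and tokens, answers introspection."""
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so token expiry can be exercised
        self.codes = {}     # authorization code -> (client_id, scope)
        self.tokens = {}    # access token -> {"client_id", "scope", "exp"}
        self.refresh = {}   # refresh token -> (client_id, scope)

    def grant_code(self, client_id, scope):
        """Issued once the resource owner has authenticated and approved the client."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, scope)
        return code

    def exchange_code(self, code, client_id, ttl=300):
        """Redeem a code for tokens; the code is single-use and bound to one client."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        return self._issue(client_id, entry[1], ttl)

    def refresh_access(self, refresh, client_id, ttl=300):
        """Refresh tokens are rotated: the presented one is consumed on use."""
        entry = self.refresh.pop(refresh, None)
        if entry is None or entry[0] != client_id:
            return None
        return self._issue(client_id, entry[1], ttl)

    def _issue(self, client_id, scope, ttl):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = {"client_id": client_id, "scope": scope, "exp": self.now() + ttl}
        self.refresh[refresh] = (client_id, scope)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def introspect(self, token):
        """RFC 7662-style answer: unknown or expired tokens are simply inactive."""
        meta = self.tokens.get(token)
        if meta is None or meta["exp"] <= self.now():
            return {"active": False}
        return {"active": True, **meta}


def resource_server_request(auth_server, bearer_token, required_scope):
    """Resource-server role: introspect every bearer token rather than trusting it."""
    info = auth_server.introspect(bearer_token)
    if not info["active"] or required_scope not in info["scope"].split():
        return 401  # invalid, expired or under-scoped token
    return 200
```

In a deployment, the introspection call would be an authenticated HTTPS request from the resource server to the authorization server's introspection endpoint rather than an in-process method call.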