You can configure a BIG-IP® system with Access Policy Manager® (APM®) to act as an OAuth authorization server. OAuth client applications and resource servers can register to have APM authorize requests.
|Claim Type|Value can be|
|---|---|
|String|ASCII characters or session variable|
|Number|Valid number or session variable|
|Boolean|true, false, or session variable|
|Custom|Any other format not covered by the other options, or session variable|
Access Policy Manager® (APM®) does not support automatic rotation of signing keys for JSON web tokens (JWTs). To configure signing keys, an administrator selects a primary key in the OAuth profile for authorization server configurations and, optionally, specifies rotation keys. To decide when to update the primary key and when to add or update rotation keys, an administrator might consider factors such as when the certificates in the keys expire and how long JWTs signed with a particular key remain valid.
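The following is an added illustration (not APM's own code or API) of the two things an administrator has to reason about when rotating keys by hand: a verifier that accepts the current primary key and any configured rotation keys by `kid` but rejects tokens signed with a key that has been removed, and a helper that derives the replace-by and remove-after dates from certificate expiry and the maximum JWT lifetime. It assumes HS256 with stdlib HMAC secrets in place of the certificate-based keys APM actually uses, so it runs without dependencies; the key IDs and secrets are constructed values.

```python
import base64, hashlib, hmac, json, time
from datetime import datetime, timedelta

# Illustration only: HS256 shared secrets stand in for certificate-backed signing keys.
def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeySet:
    """primary_kid signs new JWTs; every kid in keys (primary + rotation keys) may verify."""
    def __init__(self, primary_kid: str, keys: dict):
        self.primary_kid, self.keys = primary_kid, keys  # kid -> HMAC secret (bytes)

    def sign(self, claims: dict) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.primary_kid}
        body = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
        sig = hmac.new(self.keys[self.primary_kid], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64u(sig)

    def verify(self, token: str, now=None):
        """Return claims, or None when kid is unknown/removed, alg differs, signature or exp fails."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_b64u_dec(h64))
            payload = json.loads(_b64u_dec(p64))
        except ValueError:
            return None
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return None
        secret = self.keys.get(header.get("kid"))  # a removed rotation key no longer verifies
        if secret is None or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_dec(s64)):
            return None
        if payload.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return payload

def rotation_plan(cert_not_after: datetime, retired_at, max_jwt_lifetime: timedelta):
    """replace_by: latest moment the key may still be primary, so no JWT outlives its certificate.
    remove_after: earliest moment a retired rotation key can be dropped (its last JWT has expired)."""
    replace_by = cert_not_after - max_jwt_lifetime
    remove_after = retired_at + max_jwt_lifetime if retired_at is not None else None
    return replace_by, remove_after
```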
Access policy for APM as an OAuth authorization server
The Logon Page and OAuth Authorization agents are required in the access policy for Access Policy Manager® (APM®) to act as an OAuth authorization server. An authentication agent, such as AD Auth, is optional; if included in a policy, the authentication agent should be placed after the Logon Page agent and before the OAuth Authorization agent.
When Access Policy Manager® (APM®) is configured to act as an OAuth authorization server, an OAuth Authorization agent must be present in the access policy.
The OAuth Authorization agent provides these elements and options.
Specifies the audiences for the claims (for JSON web tokens).
Specifies the scopes or the claims for which authorization is requested. If no scopes or claims are specified here, the scopes or claims configured in APM for the client application are used.