Fortinet black logo

CLI Reference

config user oauth

config user oauth

Use this command to configure the OAuth policy for OAuth 2.0 authentication.

Syntax

config user oauth

edit <name>

set auth-url <string>

set token-url <string>

set client-id <string>

set client-secret <string>

set http-method {GET|POST}

set redirect-url <string>

set relay-mode {enable|disable}

set include-granted-scopes {true|false}

set prompt {disable|none|consent|select_account}

set token-timeout <integer>

set scope-logout-url /logout

config scope-list

edit 1

set scope-url <string>

next

end

next

end

CLI Parameter

Description

auth-url

The URL of the authorization server.

token-url

The URL of the token server

client-id

The client ID for your application.

client-secret

The secret used to apply for the access token.

http-method

The HTTP method used for the OAuth transaction.

Select from the following values:

  • POST

  • GET

redirect-url

The URL of the redirected server.

relay-mode

Enable/disable relay mode allows FortiADC to add an Authorization Header to the HTTP request after verifying the token.

include-granted-scopes

Select from the following values:

  • true

  • false

  • none

This enables applications to use incremental authorization to request access to additional scopes in context.

If you set this parameter's value to true and the authorization request is granted, then the new access token will also cover any scopes to which the user previously granted the application access.

prompt

A space-delimited, case-sensitive list of prompts to present the user. If you do not specify this parameter, the user will only be prompted the first time your project requests access.

Possible values are:

  • disable — Disable prompts.

  • none — Do not display any authentication or consent screens.

  • consent — Prompt the user for consent.

  • select_account — Prompt the user to select an account.

token-timeout

The amount of time in seconds the token will be valid. (Range: 120-86,400, default = 3600).

The client will not be allowed to access the scope after this time has elapsed.

scope-logout-url

Access to this URL will trigger a logout event. FortiADC will delete the cookie, so in the next access you will need to repeat the OAuth setup process.

scope-list

A space-delimited list of scopes that identify the resources that your application could access on the user's behalf. These values inform the consent screen that the resource server displays to the user.

Scopes enable your application to only request access to the resources that it needs while also enabling users to control the amount of access that they grant to your application. This results in an inverse relationship between the number of scopes requested and the likelihood of obtaining user consent.

scope-url

This URL specifies the location of the resource that your application could access on the user's behalf and will be shown to the user to obtain their consent when they access the resource server.

The relative path of a URL is permitted.

Example

config user oauth

edit "oauth"

set auth-url https://accounts.google.com/o/oauth2/v2/auth

set token-url https://www.googleapis.com/oauth2/v4/token

set client-id 49178883990-conasjq8hiero0rtc5olhk7c5719i36i.apps.googleusercontent.com

set client-secret ENC VSiVjX6ZdFjBoDSjmOHBCYNeTAij3tbIR/4+kRF5g0U/B40FDbIGgDI/ZzrEmStXe0SG7GuYYizXOCyrXvncJHO5IX1hsX4WQXr/raBq6fe6Y0+rx74PXhUeGBdfLZsPMTrhPAx17Yncwq14Ry6pJnHclh8Lk3vMBY1kGQ==

set http-mode POST

set relay-mode enable

set include-granted-scopes true

set prompt consent

set token-timeout 8888

set scope-logout-url /logout

config scope-list

edit 1

set scope-url https://www.googleapis.com/auth/blogger

next

end

next

end

config user oauth

Use this command to configure the OAuth policy for OAuth 2.0 authentication.

Syntax

config user oauth

edit <name>

set auth-url <string>

set token-url <string>

set client-id <string>

set client-secret <string>

set http-method {GET|POST}

set redirect-url <string>

set relay-mode {enable|disable}

set include-granted-scopes {true|false}

set prompt {disable|none|consent|select_account}

set token-timeout <integer>

set scope-logout-url /logout

config scope-list

edit 1

set scope-url <string>

next

end

next

end

CLI Parameter

Description

auth-url

The URL of the authorization server.

token-url

The URL of the token server

client-id

The client ID for your application.

client-secret

The secret used to apply for the access token.

http-method

The HTTP method used for the OAuth transaction.

Select from the following values:

  • POST

  • GET

redirect-url

The URL of the redirected server.

relay-mode

Enable/disable relay mode allows FortiADC to add an Authorization Header to the HTTP request after verifying the token.

include-granted-scopes

Select from the following values:

  • true

  • false

  • none

This enables applications to use incremental authorization to request access to additional scopes in context.

If you set this parameter's value to true and the authorization request is granted, then the new access token will also cover any scopes to which the user previously granted the application access.

prompt

A space-delimited, case-sensitive list of prompts to present the user. If you do not specify this parameter, the user will only be prompted the first time your project requests access.

Possible values are:

  • disable — Disable prompts.

  • none — Do not display any authentication or consent screens.

  • consent — Prompt the user for consent.

  • select_account — Prompt the user to select an account.

token-timeout

The amount of time in seconds the token will be valid. (Range: 120-86,400, default = 3600).

The client will not be allowed to access the scope after this time has elapsed.

scope-logout-url

Access to this URL will trigger a logout event. FortiADC will delete the cookie, so in the next access you will need to repeat the OAuth setup process.

scope-list

A space-delimited list of scopes that identify the resources that your application could access on the user's behalf. These values inform the consent screen that the resource server displays to the user.

Scopes enable your application to only request access to the resources that it needs while also enabling users to control the amount of access that they grant to your application. This results in an inverse relationship between the number of scopes requested and the likelihood of obtaining user consent.

scope-url

This URL specifies the location of the resource that your application could access on the user's behalf and will be shown to the user to obtain their consent when they access the resource server.

The relative path of a URL is permitted.

Example

config user oauth

edit "oauth"

set auth-url https://accounts.google.com/o/oauth2/v2/auth

set token-url https://www.googleapis.com/oauth2/v4/token

set client-id 49178883990-conasjq8hiero0rtc5olhk7c5719i36i.apps.googleusercontent.com

set client-secret ENC VSiVjX6ZdFjBoDSjmOHBCYNeTAij3tbIR/4+kRF5g0U/B40FDbIGgDI/ZzrEmStXe0SG7GuYYizXOCyrXvncJHO5IX1hsX4WQXr/raBq6fe6Y0+rx74PXhUeGBdfLZsPMTrhPAx17Yncwq14Ry6pJnHclh8Lk3vMBY1kGQ==

set http-mode POST

set relay-mode enable

set include-granted-scopes true

set prompt consent

set token-timeout 8888

set scope-logout-url /logout

config scope-list

edit 1

set scope-url https://www.googleapis.com/auth/blogger

next

end

next

end