Administration Guide

OAuth Authorization

The OAuth 2.0 authorization framework is a protocol that allows you to authorize a third-party web site or application access to your protected resources, without necessarily revealing your long-term credentials or even your identity. For example, when users access your application, they can log in with their Google account.

FortiWeb supports OAuth 2.0 for front-end authentication, and it can work as an authorization client or as a resource server. The authorization process works as follows.

When FortiWeb works as an authorization client:

  1. The user initiates the access request to FortiWeb.
  2. FortiWeb returns the OAuth login page.
  3. The user chooses an OAuth provider.
  4. FortiWeb redirects the access request to the third-party Authentication Server.
  5. The third-party Authentication Server performs the authentication and authorization interactions, then redirects the access request back to FortiWeb with an authorization code. FortiWeb uses the code to obtain the token and the username.
  6. FortiWeb redirects the user to the original URL with a cookie.
  7. The user accesses the URL with the cookie; the token is refreshed before it expires.
  8. If authentication fails, FortiWeb returns an error page to the user.

When FortiWeb works as a resource server:

  1. The user initiates the access request to FortiWeb.
  2. FortiWeb extracts the token from the Authorization header, then validates it with the third-party Authentication Server to confirm that the user is legitimate and to obtain the username. If the token is valid, FortiWeb forwards the request to the back-end server; if it is invalid, FortiWeb returns an error page to the user.
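As an added illustration of the resource-server flow above (example code, not FortiWeb's own), the following Python models the decision in step 2: the token is taken from the Authorization header, checked against a stand-in for the third-party validation endpoint, and the username is read from the response using the configured User Key (the setting described under Step 1 below). The function names, the fake validation responses and the status codes are assumptions.

```python
from typing import Callable, Optional

# Constructed stand-in for the third-party Authentication Server's validation
# endpoint: maps a token to the JSON body the real server would return.
FAKE_VALIDATION_RESPONSES = {
    "tok-alice": {"active": True, "username": "alice", "scope": "openid profile"},
    "tok-expired": {"active": False},
}

def fake_validate(token: str) -> Optional[dict]:
    """Simulated validation request; None models an unknown token or HTTP error."""
    return FAKE_VALIDATION_RESPONSES.get(token)

def extract_bearer_token(headers: dict) -> Optional[str]:
    """Pull the token out of the Authorization header (header name matched
    case-insensitively, 'Bearer' scheme). None when missing or malformed."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()

def authorize_request(headers: dict, user_key: str,
                      validate: Callable[[str], Optional[dict]] = fake_validate) -> dict:
    """Resource-server decision: forward to the back end with the resolved
    username, or return an error page. user_key is the 'User Key' setting
    (the field in the validation response that holds the username)."""
    token = extract_bearer_token(headers)
    if token is None:
        return {"action": "error", "status": 401,
                "reason": "missing or malformed Authorization header"}
    info = validate(token)
    if not info or not info.get("active"):
        return {"action": "error", "status": 401,
                "reason": "token rejected by authentication server"}
    username = info.get(user_key)
    if not username:
        return {"action": "error", "status": 403,
                "reason": f"no '{user_key}' field in validation response"}
    return {"action": "forward", "username": username}

if __name__ == "__main__":
    print(authorize_request({"Authorization": "Bearer tok-alice"}, "username"))
    print(authorize_request({"Authorization": "Bearer tok-expired"}, "username"))
```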

OAuth 2.0 Authorization on FortiWeb requires you to configure OAuth servers and an OAuth server pool, then select this server pool in a site publish rule.

Step 1 - Creating an OAuth server

FortiWeb supports front-end authentication with the Google and Facebook authentication servers.

Perform the following steps to create OAuth requests:

  1. Go to User > OAuth Server and select the OAuth Request tab.
  2. FortiWeb has pre-defined the commonly used Google, Facebook, and FortiAuthenticator OAuth requests for user authentication. Click Create New, or click Clone to clone a request so that you can tailor it to your needs. Configure the following settings.
    Name: Enter a name for the request.
    Request Type: The OAuth request type, one of:
      • authorization (default)
      • token
      • refresh
      • validation
      • userinfo
    Endpoint: The OAuth request URL.
    Method: The request method, one of:
      • get (default)
      • post
    User Key: The keyword (field name) in the response that holds the username.
    Content Type: Select the request content type.
    Custom Headers: Enter the header name and value.
    Custom Parameters: Enter the parameter name and value.
  3. Click OK.
  4. Go to User > OAuth Server and select the OAuth Server tab. Click Create New, or click Clone to clone a server configuration so that you can tailor it. Configure the following settings.
    Name: Enter a name for the server.
    Mode: Select whether FortiWeb works as an authorization client, a resource server, or both.
    Scope: Enter the scope field for OAuth.
    Client ID/Client Secret: The client credential assigned by the authorization server.
    Redirection Endpoint: The redirection URL back to FortiWeb.
    Authorization Request: The authorization request created in the OAuth Request tab.
    Token Request: The token request created in the OAuth Request tab.
    Refresh Request: The refresh request created in the OAuth Request tab.
    Valid Request: The validation request created in the OAuth Request tab.
    User Info. Request: The user info request created in the OAuth Request tab.
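To make the server settings above concrete, here is an added example (not FortiWeb's own code) that turns the Client ID, Scope, Redirection Endpoint and Authorization Request fields into the redirect of step 4 of the client flow, and then checks the callback of step 5 for the authorization code. The endpoint, client ID and custom parameter values are placeholders, and the state parameter, which this page does not mention, is included as the standard binding of a callback to the login attempt that started it.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed server settings mirroring the OAuth Server fields on this page.
# Endpoints and credentials are placeholders, not real provider values.
SERVER = {
    "client_id": "EXAMPLE-CLIENT-ID",
    "scope": "openid email",
    "redirection_endpoint": "https://fortiweb.example.com/oauth/callback",
    "authorization_request": {              # an 'authorization' type OAuth Request
        "endpoint": "https://idp.example.com/oauth2/authorize",
        "method": "get",
        "custom_parameters": {"prompt": "login"},
    },
}

def new_state() -> str:
    """Unguessable per-login value that the callback must echo back (assumed)."""
    return secrets.token_urlsafe(16)

def build_authorization_redirect(server: dict, state: str) -> str:
    """Client flow, step 4: the URL the browser is redirected to."""
    req = server["authorization_request"]
    params = {
        "response_type": "code",
        "client_id": server["client_id"],
        "redirect_uri": server["redirection_endpoint"],
        "scope": server["scope"],
        "state": state,
    }
    params.update(req.get("custom_parameters", {}))   # Custom Parameters field
    return f"{req['endpoint']}?{urlencode(params)}"

def parse_callback(url: str, expected_state: str) -> dict:
    """Client flow, step 5: the server redirects back with ?code=...; reject the
    callback when the state does not match, the provider reports an error,
    or no code is present. The code is then exchanged via the Token Request."""
    query = parse_qs(urlsplit(url).query)
    if query.get("state", [None])[0] != expected_state:
        return {"ok": False, "reason": "state mismatch"}
    if "error" in query:
        return {"ok": False, "reason": query["error"][0]}
    code = query.get("code", [None])[0]
    if not code:
        return {"ok": False, "reason": "no authorization code"}
    return {"ok": True, "code": code}
```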

Step 2 - Creating an OAuth Server pool

  1. Go to Application Delivery > Site Publish > OAuth Server pool.
  2. Click Create New.
  3. Enter a name for the server pool.
  4. Select whether the server works in Client mode, Resource Server mode, or both.
    If you choose Resource Server mode, make sure a device in front of FortiWeb handles the interaction with the third-party Authentication Server.
  5. Click OK.
  6. Click Create New to add a server to the pool.
  7. Enter a name for the OAuth server, then select the server you have created in Step 1 - Creating an OAuth server.
  8. Click OK.

Step 3 - Creating a Site Publish rule for OAuth Authentication

  1. Go to Application Delivery > Site Publish > Site Publish.
  2. Refer to Offloaded authentication and optional SSO configuration for how to create a Site Publish rule and policy. For Client Authentication Method, select OAuth Authentication; for OAuth Server Pool, select the OAuth server pool you created in Step 2.