
CLI Reference

user oauth-user server

FortiWeb supports front-end authentication with third-party authentication servers such as Google and Facebook.

Use this command to add the third party authentication server information.

To use this command, your administrator account’s access control profile must have either w or rw permission to the authusergrp area. For details, see Permissions.

Syntax

config user oauth-user server
  edit <server_name>
    set mode {client | resource-server | both}
    set token-validation-mode {internal | external}
    set scope <string>
    set oidc {enable | disable}
    set pkce-enforcement {enable | disable}
    set client-id <string>
    set client-secret <passwd>
    set redirect-endpoint <string>
    set authz-req <datasource>
    set token-req <datasource>
    set refresh-req <datasource>
    set validate-req <datasource>
    set validate-frequency {session | transaction | interval}
    set validate-interval <integer>
    set userinfo-req <datasource>
    set jwks-req <datasource>
    set validate-req <datasource>
    set userinfo-req <datasource>
  next
end

mode {client | resource-server | both}

Select whether FortiWeb works as an authorization client, as a resource server, or as both.

Default: none

token-validation-mode {internal | external}

Select how tokens are validated:

  • internal: Use this mode when the access token is a self-contained JWT. FortiWeb validates the token locally by checking its digital signature and does not need to contact the external authorization server for every request.
  • external: FortiWeb verifies the token by calling the external OAuth provider's validation endpoints.

Default: external

scope <string>

Enter the scope field for OAuth.

When the OAuth server is operating in resource-server mode, FortiWeb checks the scopes included in the validated access token against the configured requirements. A request is permitted only when the access token contains every configured scope; a token that is missing any configured scope is blocked. When the scope field is empty, no scope checking occurs.

Examples:

  • Configured: admin:full
    Token scope: store:manager
    Result: Blocked

  • Configured: read write
    Token scope: read write email
    Result: Allowed

Default: none

oidc {enable | disable}

Enable to use OIDC authentication.

Default: disable

pkce-enforcement {enable | disable}

Enable to enforce PKCE in the authentication flow.

PKCE is a security extension that protects the authorization code flow, particularly for public clients such as mobile or single-page applications, where a client secret cannot be stored safely.

In a standard OAuth flow, a static client secret is used to exchange an authorization code for a token. PKCE replaces or augments this with a dynamic, per-request code verifier and code challenge:

  • Mitigates code interception: an intercepted authorization code cannot by itself be used to obtain access tokens.
  • Prevents man-in-the-middle (MITM) attacks: even if an attacker intercepts the code, it cannot be exchanged without the original code verifier.
  • Stops app impersonation: the client requesting the token must be the same one that initiated the authorization request.

This option is available only when the OAuth mode is set to either client or both.

Default: disable

client-id <string>

A client credential, assigned by the authorization server.

Default: urlencoded

client-secret <passwd>

A client credential, assigned by the authorization server.

Default: none

redirect-endpoint <string>

The redirection URL back to FortiWeb.

Default: disable

authz-req <datasource>

The authorization request created in config user oauth-user request.

Default: none

token-req <datasource>

The token request created in config user oauth-user request.

Default: none

refresh-req <datasource>

The refresh request created in config user oauth-user request.

Default: none

validate-req <datasource>

The validation request created in config user oauth-user request.

Default: none

validate-frequency {session | transaction | interval}

Whether to validate the request once per session, once per transaction, or at a fixed interval of several seconds.

Default: none

validate-interval <integer>

If validate-frequency is set to interval, enter the interval time.

Default: none

userinfo-req <datasource>

The user info request created in config user oauth-user request.

Default: none

jwks-req <datasource>

The JWKS request created in config user oauth-user request.

Available only if oidc is enabled and token-validation-mode is set to external.

Default: none

validate-req <datasource>

Defines the endpoint used to verify opaque tokens with the authorization server.

Available only if token-validation-mode is set to internal.

Default: none

userinfo-req <datasource>

Specifies the endpoint used to retrieve the associated user identity data.

Available only if token-validation-mode is set to internal.

Default: none
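The resource-server scope rule described under scope above, written out as an added Python example (not FortiWeb's own code). The sample token and its claims are constructed for the example, and its signature is a placeholder because the scope check only runs on a token that validation (signature check in internal mode, or the provider's endpoints in external mode) has already accepted:

```python
import base64
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as compact JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The token must already have been
    validated; this helper only reads the claims the scope check needs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def token_scopes(claims: dict) -> set:
    """The 'scope' claim is a space-delimited string (RFC 8693 section 4.2);
    a JSON array is also accepted because some providers emit one."""
    raw = claims.get("scope", "")
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def scope_check(configured: str, granted: set) -> bool:
    """FortiWeb's rule as the page states it: an empty configured scope means
    no check; otherwise every configured scope must be present in the token."""
    required = set(configured.split())
    return not required or required <= granted


# Constructed sample token: realistic header and payload, placeholder signature.
_HEADER = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_PAYLOAD = b64url(json.dumps({"sub": "alice", "scope": "read write email"}).encode())
SAMPLE_TOKEN = f"{_HEADER}.{_PAYLOAD}.placeholder-signature"


def decide(configured: str, token: str) -> str:
    """Map a configured scope string and a validated token to the table's outcome."""
    granted = token_scopes(decode_jwt_payload(token))
    return "Allowed" if scope_check(configured, granted) else "Blocked"


if __name__ == "__main__":
    print(decide("read write", SAMPLE_TOKEN))  # Allowed
    print(decide("admin:full", SAMPLE_TOKEN))  # Blocked
```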

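The verifier/challenge binding that pkce-enforcement relies on, as an added Python example (not FortiWeb code). The AuthorizationServer class is a constructed toy model of the server side; only the S256 transform is taken from RFC 7636. It shows why a code obtained from the redirect alone cannot be redeemed without the verifier that the initiating client kept:

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh per-request secret: 32 random bytes encode to 43 unreserved
    characters, inside the 43..128 range of RFC 7636 section 4.1."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy in-memory model of the server side (constructed for this example)."""

    def __init__(self) -> None:
        self._pending: dict = {}  # authorization code -> stored code_challenge

    def authorize(self, challenge: str, method: str) -> str:
        # Only S256 is accepted; 'plain' would expose the verifier in transit.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        """Redeem a code. It is consumed whether or not the verifier matches,
        so a wrong guess also burns the code."""
        stored = self._pending.pop(code, None)
        if stored is None:
            return False
        return hmac.compare_digest(code_challenge(verifier), stored)


def run_flows() -> tuple:
    """Flow 1: the initiating client redeems its own code (succeeds).
    Flow 2: a party holding only a copy of a code, not the verifier (fails)."""
    srv = AuthorizationServer()
    verifier = new_code_verifier()
    code = srv.authorize(code_challenge(verifier), "S256")
    legit = srv.token(code, verifier)
    other_code = srv.authorize(code_challenge(new_code_verifier()), "S256")
    without_verifier = srv.token(other_code, new_code_verifier())
    return legit, without_verifier
```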
Related topics
