What is OAuth (Open Authorization)
- Open standard protocol for token-based delegated authorization (commonly paired with authentication, e.g. via OpenID Connect, but OAuth itself only issues and checks access tokens).
- It allows a client (an application) to obtain limited access to a resource on behalf of a
resource owner (such as a user) without exposing the resource owner's credentials to the client.
- OAuth 2.0 is the current version of the OAuth protocol.

OAuth in FortiAuthenticator
Terms:
| Term | Meaning |
|---|---|
| Relying Party | An OAuth client that has been issued credentials (a client ID and, for confidential clients, a client secret) for requesting OAuth tokens from the FortiAuthenticator |
| Client type | Confidential: uses the client ID, user credentials and the client secret to obtain an OAuth token. Public: uses only the client ID and user credentials, because it cannot keep a secret (e.g. a mobile or single-page app) |
| Authorization grant types | Password-based: authentication and authorization are API-based; the relying party sends the user's credentials directly to the token endpoint. Authorization code: initiated by the relying party, but the end user enters their credentials in their browser on the FortiAuthenticator login portal, and the relying party redeems the returned code for a token. Authorization code with PKCE: FortiAuthenticator applies modifications to the standard authorization code grant (per RFC 7636 the client sends a code challenge with the authorization request and the matching code verifier when redeeming the code, so an intercepted code alone is useless) |
| Client ID | A generated value is provided by default |
| Client secret | A generated value is provided by default (used only by confidential clients) |
| Policy | Link to the Policy page for this relying party |
| Access token expiry | Length of time for which OAuth access tokens issued by this relying party are valid |
| Redirect URIs | The URI(s) that the OAuth service is authorized to redirect end users to after authentication; the redirect_uri in a request must match one of these |
| Refresh token expiry | Time in days/weeks/months for which a refresh token issued upon authorization is valid (default = 1 day) |
| Relying Party Scopes | Scopes the relying party is allowed to request |
| Claims | Claims to include in the tokens issued to this relying party |
```mermaid
sequenceDiagram
    participant WebUI as FortiAuthenticator-WebInterface
    participant FAC as FortiAuthenticator
    participant Client
    note over WebUI: Configure OAuth in the web interface:<br/>Authentication > OAuth Service > General<br/>Set Authorization code expiry (1-56000 sec)<br/>Auto-generated client secret length (16-256, default = 128)<br/>Save
    note over WebUI: Configure Relying Party parameters
    WebUI ->> FAC: client_id, client_secret
    FAC ->> Client: client_id, client_secret (handed to the relying party owner)
    Client ->> FAC: Authenticate (client_id, client_secret)
    FAC ->> Client: OK
    Client ->> FAC: Request OAuth token (client_id, client_secret, grant_type, ...)
    FAC ->> Client: OAuth token (with expiry and other info)
    note over Client: Client includes the OAuth token in REST API calls
    Client ->> FAC: GET /api/resource HTTP/1.1<br/>Host: abc.com<br/>Authorization: Bearer asssssasa..
```
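The grant types in the table and the token exchange in the diagram, worked through as an added example (this is illustration code written for these notes, not FortiAuthenticator's or Fortinet's code). It builds the PKCE authorization request and token request a relying party would send, the password-grant request body for comparison, and a toy authorization server that performs the checks a token endpoint must do: code is single use, client_id and redirect_uri must match, and the code_verifier must hash to the stored challenge. The endpoint URLs, client IDs and redirect URI are assumptions for the example only; the real FortiAuthenticator OAuth paths are not asserted here.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Hypothetical endpoint paths for illustration only; check the FortiAuthenticator
# OAuth Service documentation for the real ones.
AUTHZ_ENDPOINT = "https://fac.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://fac.example.com/oauth/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, scope, state, challenge):
    """Authorization request the relying party redirects the browser to."""
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope,
        "state": state,  # lets the RP tie the callback to its own session
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)


def build_token_request(client_id, code, redirect_uri, verifier, client_secret=None):
    """Body POSTed to the token endpoint to redeem the code. A confidential
    client also sends client_secret; a public client relies on PKCE alone."""
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def build_password_grant_request(client_id, client_secret, username, password, scope):
    """Password-based grant: API-only, the RP forwards the user's credentials."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "scope": scope}


class AuthServer:
    """Toy authorization server showing only the token-endpoint checks for PKCE."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, challenge, method)

    def issue_code(self, client_id, redirect_uri, challenge, method="S256"):
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, redirect_uri, challenge, method)
        return code

    def exchange(self, body):
        rec = self._pending.pop(body.get("code"), None)  # codes are single use
        if rec is None or body.get("grant_type") != "authorization_code":
            return None
        client_id, redirect_uri, challenge, method = rec
        if body.get("client_id") != client_id or body.get("redirect_uri") != redirect_uri:
            return None
        verifier = body.get("code_verifier", "")
        if method != "S256" or not 43 <= len(verifier) <= 128:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return None  # verifier does not match the challenge bound to the code
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 3600}


def bearer_header(token: str) -> dict:
    """Header the client adds to each REST call, as in the diagram."""
    return {"Authorization": "Bearer " + token}


def run_pkce_flow(server, client_id="rp-demo", redirect_uri="https://rp.example.com/cb"):
    """Round trip; returns (valid exchange, replayed code, wrong verifier)."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    url = build_authorize_url(client_id, redirect_uri, "openid profile", state, challenge)
    assert "code_challenge_method=S256" in url
    # The user logs in at the FortiAuthenticator portal; the server then issues
    # a code bound to the challenge (simulated here).
    code = server.issue_code(client_id, redirect_uri, challenge)
    good = server.exchange(build_token_request(client_id, code, redirect_uri, verifier))
    replay = server.exchange(build_token_request(client_id, code, redirect_uri, verifier))
    code2 = server.issue_code(client_id, redirect_uri, challenge)
    wrong = server.exchange(build_token_request(client_id, code2, redirect_uri, make_code_verifier()))
    return good, replay, wrong
```

Running `run_pkce_flow(AuthServer())` returns a token for the genuine exchange and `None` for both the replayed code and the attempt with a verifier that does not match the challenge, which is the property PKCE adds over the plain authorization code grant for a public client. The real FortiAuthenticator performs these checks server-side; the relying party only needs `make_code_verifier`, `make_code_challenge`, `build_authorize_url` and `build_token_request`.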