Configuring OAuth using CLI

OAuth in NSX Advanced Load Balancer is configured through several steps: setting up the pool, the authentication profile, the SSO policy, and the OAuth settings on the virtual service. This section provides step-by-step instructions to configure OAuth using the CLI.

To configure OAuth using the CLI, complete the following steps.

Configuring Pool using CLI

Configure the pool using the CLI as shown below:
[admin:ctrl]: > configure pool okta-pool
[admin:ctrl]: pool> default_server_port 443
[admin:ctrl]: pool> ssl_profile_ref System-Standard
[admin:ctrl]: pool> servers
[admin:ctrl]: pool:servers> hostname dev-477407.oktapreview.com
[admin:ctrl]: pool:servers> resolve_server_by_dns
[admin:ctrl]: pool:servers> save
[admin:ctrl]: pool> save

+---------------------------------------+-----------------------------+
| Field                                 | Value                       |
+---------------------------------------+-----------------------------+
| uuid                                  | pool-ae3e31cb-              |
| name                                  | okta-pool                   |
| default_server_port                   | 443                         |
| graceful_disable_timeout              | 1 min                       |
| connection_ramp_duration              | 10 min                      |
| max_concurrent_connections_per_server | 0                           |
| servers[1]                            |                             |
|   ip                                  | 34.236.241.37               |
|   hostname                            | dev-477407.oktapreview.com  |
|   enabled                             | True                        |
|   ratio                               | 1                           |
|   verify_network                      | False                       |
|   resolve_server_by_dns               | True                        |
|   static                              | False                       |
|   rewrite_host_header                 | False                       |
| servers[2]                            |                             |
|   ip                                  | 34.236.241.36               |
|   hostname                            | dev-477407.oktapreview.com  |
|   enabled                             | True                        |
|   ratio                               | 1                           |
|   verify_network                      | False                       |
|   resolve_server_by_dns               | True                        |
|   static                              | False                       |
|   rewrite_host_header                 | False                       |
| servers[3]                            |                             |
|   ip                                  | 34.236.241.38               |
|   hostname                            | dev-477407.oktapreview.com  |
|   enabled                             | True                        |
|   ratio                               | 1                           |
|   verify_network                      | False                       |
|   resolve_server_by_dns               | True                        |
|   static                              | False                       |
|   rewrite_host_header                 | False                       |
| --------Truncated Output-------       |                             |
+---------------------------------------+-----------------------------+

Configuring Authentication Profile using CLI

Configure the authentication profile using the CLI as shown below:

[admin:ctrl]: > configure authprofile Okta-OAuth
[admin:ctrl]: authprofile> type auth_profile_oauth
[admin:ctrl]: authprofile> oauth_profile
[admin:ctrl]: authprofile:oauth_profile> authorization_endpoint https://dev-477407.oktapreview.com/oauth2/v1/authorize
[admin:ctrl]: authprofile:oauth_profile> token_endpoint https://dev-477407.oktapreview.com/oauth2/v1/token
[admin:ctrl]: authprofile:oauth_profile> introspection_endpoint https://dev-477407.oktapreview.com/oauth2/v1/introspect
[admin:ctrl]: authprofile:oauth_profile> jwks_uri https://dev-477407.oktapreview.com/oauth2/v1/keys
[admin:ctrl]: authprofile:oauth_profile> issuer https://dev-477407.oktapreview.com
[admin:ctrl]: authprofile:oauth_profile> userinfo_endpoint https://dev-477407.oktapreview.com/oauth2/v1/userinfo
[admin:ctrl]: authprofile:oauth_profile> pool_ref okta-pool
[admin:ctrl]: authprofile:oauth_profile> save
[admin:ctrl]: authprofile> save

+--------------------------+---------------------------------------------------------+
| Field                    | Value                                                   |
+--------------------------+---------------------------------------------------------+
| uuid                     | authprofile-4b335ccf-8385-48bd-a438-                    |
| name                     | okta                                                    |
| type                     | AUTH_PROFILE_OAUTH                                      |
| oauth_profile            |                                                         |
|   authorization_endpoint | https://dev-477407.oktapreview.com/oauth2/v1/authorize  |
|   token_endpoint         | https://dev-477407.oktapreview.com/oauth2/v1/token      |
|   introspection_endpoint | https://dev-477407.oktapreview.com/oauth2/v1/introspect |
|   jwks_uri               | https://dev-477407.oktapreview.com/oauth2/v1/keys       |
|   issuer                 | https://dev-477407.oktapreview.com                      |
|   pool_ref               | OKTA                                                    |
|   oauth_resp_buffer_sz   | 102400                                                  |
|   userinfo_endpoint      | https://dev-477407.oktapreview.com/oauth2/v1/userinfo   |
| tenant_ref               | admin                                                   |
+--------------------------+---------------------------------------------------------+

Configuring SSO Policy using CLI

Configure the SSO policy using the CLI as shown below:

[admin:ctrl]: > configure ssopolicy oauth
[admin:ctrl]: ssopolicy> type sso_type_oauth
[admin:ctrl]: ssopolicy> save

+------------+------------------------------------------------+
| Field      | Value                                          |
+------------+------------------------------------------------+
| uuid       | ssopolicy-8a4cb441-c819-4153-a247-d78f3a2585b3 |
| name       | oauth                                          |
| type       | SSO_TYPE_OAUTH                                 |
| tenant_ref | admin                                          |
+------------+------------------------------------------------+

Configuring OAuth Settings on the Virtual Service

  • Configure the sso_policy_ref as shown below:

    [admin:ctrl]: > configure virtualservice OAuth-VS
    [admin:ctrl]: virtualservice> sso_policy_ref oauth
  • Configure the oauth_vs_config as shown below:

    [admin:ctrl]: virtualservice> oauth_vs_config
    [admin:ctrl]: virtualservice:oauth_vs_config> redirect_uri https://100.64.94.61/oauth/callback
    [admin:ctrl]: virtualservice:oauth_vs_config> oauth_settings
    New object being created
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> auth_profile_ref okta
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> app_settings
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> oidc_config
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings:oidc_config> oidc_enable
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings:oidc_config> save
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> client_id xxxxxxxxxxxxxxx
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> client_secret xxxxxxxxxxxxxxx
    Add the actual client_id and client_secret that your authorization server has provided.

    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> save
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> resource_server
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server> access_type access_token_type_opaque

    For this example, an opaque token is used with Okta. A JWT token can be chosen instead of an opaque token, if required.

    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server> opaque_token_params
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server:opaque_token_params> server_id xxxxxxxxxxxxxxx
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server:opaque_token_params> server_secret xxxxxxxxxxxxxxx
    In most cases, server_id and server_secret are the same as client_id and client_secret respectively.

    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server:opaque_token_params> save
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server> save
    [admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> save
    [admin:ctrl]: virtualservice:oauth_vs_config> save
    [admin:ctrl]: virtualservice> save

The OAuth configuration is as shown below:

+------------------------------+-------------------------------------------+
| sso_policy_ref               | oauth                                     |
| oauth_vs_config              |                                           |
|   redirect_uri               | https://okta-test.auth.com/oauth/callback |
|   cookie_name                | OAUTH_IUPKWGLH                            |
|   cookie_timeout             | 1 min                                     |
|   oauth_settings[1]          |                                           |
|     auth_profile_ref         | okta-oauth                                |
|     app_settings             |                                           |
|       oidc_config            |                                           |
|         oidc_enable          | True                                      |
|         profile              | True                                      |
|         userinfo             | True                                      |
|       client_id              | xxxxxxxxxxxxxxx                           |
|       client_secret          | <sensitive>                               |
|     resource_server          |                                           |
|       access_type            | ACCESS_TOKEN_TYPE_OPAQUE                  |
|       opaque_token_params    |                                           |
|         server_id            | xxxxxxxxxxxxxxx                           |
|         server_secret        | <sensitive>                               |
|   key[1]                     |                                           |
|     name                     | dc7dde0a-8a64-45b4-8ded-f65adb03c2a4      |
|     aes_key                  | b'sdZFYlVECVu9aW7XK4IhVaC8TfakvNSvp6m861t |
+------------------------------+-------------------------------------------+
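The pool, authentication profile and virtual service configured above only work together when they agree with each other: the profile's pool_ref must name the pool that reaches the issuer host over TLS, every IdP endpoint must be an https URL on the issuer host, the redirect_uri must be https, and an opaque access_type needs server_id, server_secret and an introspection_endpoint (a JWT access_type needs jwks_uri). The following Python check is an added example, not part of the NSX Advanced Load Balancer documentation or product; the sample dictionaries mirror the objects above with placeholder secrets, and the enum name ACCESS_TOKEN_TYPE_JWT is assumed by analogy with the opaque value shown on this page.

```python
from urllib.parse import urlparse

# Constructed sample data mirroring the page's objects; secrets are placeholders.
POOL = {"name": "okta-pool", "default_server_port": 443, "ssl_profile_ref": "System-Standard",
        "servers": [{"hostname": "dev-477407.oktapreview.com", "resolve_server_by_dns": True}]}
IDP = "https://dev-477407.oktapreview.com"
AUTH_PROFILE = {"name": "okta", "type": "AUTH_PROFILE_OAUTH", "oauth_profile": {
    "issuer": IDP, "pool_ref": "okta-pool", "jwks_uri": IDP + "/oauth2/v1/keys",
    "authorization_endpoint": IDP + "/oauth2/v1/authorize", "token_endpoint": IDP + "/oauth2/v1/token",
    "introspection_endpoint": IDP + "/oauth2/v1/introspect", "userinfo_endpoint": IDP + "/oauth2/v1/userinfo"}}
OAUTH_VS = {"sso_policy_ref": "oauth", "redirect_uri": "https://100.64.94.61/oauth/callback",
            "oauth_settings": [{"auth_profile_ref": "okta",
                                "app_settings": {"client_id": "xxx", "client_secret": "xxx"},
                                "resource_server": {"access_type": "ACCESS_TOKEN_TYPE_OPAQUE",
                                                    "opaque_token_params": {"server_id": "xxx",
                                                                            "server_secret": "xxx"}}}]}

def check_oauth_config(pool, authprofile, oauth_vs):
    problems = []   # empty list means the three objects are consistent with each other
    op = authprofile["oauth_profile"]
    issuer = urlparse(op["issuer"])
    # Every IdP endpoint must be https on the issuer host; otherwise secrets/tokens go elsewhere.
    for key in ("authorization_endpoint", "token_endpoint", "introspection_endpoint",
                "jwks_uri", "userinfo_endpoint"):
        if urlparse(op.get(key, ""))[:2] != ("https", issuer.netloc):
            problems.append(f"{key} is not an https URL on {issuer.netloc}")
    # The referenced pool is how the Service Engine reaches the IdP: issuer host, TLS, port 443.
    if op.get("pool_ref") != pool["name"]:
        problems.append("pool_ref does not name the IdP pool")
    if issuer.hostname not in {s.get("hostname") for s in pool["servers"]}:
        problems.append("pool servers do not include the issuer host")
    if pool.get("default_server_port") != 443 or not pool.get("ssl_profile_ref"):
        problems.append("IdP pool must use port 443 with an ssl_profile_ref")
    if urlparse(oauth_vs["redirect_uri"]).scheme != "https":
        problems.append("redirect_uri must be https")   # the authorization code is delivered here
    for s in oauth_vs["oauth_settings"]:
        if s["auth_profile_ref"] != authprofile["name"]:
            problems.append("auth_profile_ref does not match the authentication profile")
        rs = s["resource_server"]
        if rs["access_type"] == "ACCESS_TOKEN_TYPE_OPAQUE":   # validated via introspection
            p = rs.get("opaque_token_params", {})
            if not (p.get("server_id") and p.get("server_secret") and op.get("introspection_endpoint")):
                problems.append("opaque tokens need server_id, server_secret and introspection_endpoint")
        elif rs["access_type"] == "ACCESS_TOKEN_TYPE_JWT":   # assumed enum name; validated via JWKS
            if not op.get("jwks_uri"):
                problems.append("JWT tokens need jwks_uri")
        else:
            problems.append(f"unknown access_type {rs['access_type']}")
    return problems
```

Run the check before the final save; an empty result means the four objects reference each other consistently, and each message points at the step above that needs correcting.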