OAuth in NSX Advanced Load Balancer is configured through several steps including setting up the pool, authentication profile, SSO policy, and OAuth settings for the virtual service. This section provides step-by-step instructions to configure OAuth using the CLI.
To configure OAuth using the CLI, complete the following steps in order: configure the pool, the authentication profile, the SSO policy, and finally the OAuth settings on the virtual service.
Configuring Pool using CLI
Configure the pool using the CLI as shown below:
[admin:ctrl]: > configure pool okta-pool
[admin:ctrl]: pool> default_server_port 443
[admin:ctrl]: pool> ssl_profile_ref System-Standard
[admin:ctrl]: pool> servers
[admin:ctrl]: pool:servers> hostname dev-477407.oktapreview.com
[admin:ctrl]: pool:servers> resolve_server_by_dns
[admin:ctrl]: pool:servers> save
[admin:ctrl]: pool> save
+-------------------------------------------+---------------------------+
| Field                                     | Value                     |
+-------------------------------------------+---------------------------+
| uuid                                      | pool-ae3e31cb-            |
| name                                      | okta-pool                 |
| default_server_port                       | 443                       |
| graceful_disable_timeout                  | 1 min                     |
| connection_ramp_duration                  | 10 min                    |
| max_concurrent_connections_per_server     | 0                         |
| servers[1]                                |                           |
|   ip                                      | 34.236.241.37             |
|   hostname                                | dev-477407.oktapreview.com|
|   enabled                                 | True                      |
|   ratio                                   | 1                         |
|   verify_network                          | False                     |
|   resolve_server_by_dns                   | True                      |
|   static                                  | False                     |
|   rewrite_host_header                     | False                     |
| servers[2]                                |                           |
|   ip                                      | 34.236.241.36             |
|   hostname                                | dev-477407.oktapreview.com|
|   enabled                                 | True                      |
|   ratio                                   | 1                         |
|   verify_network                          | False                     |
|   resolve_server_by_dns                   | True                      |
|   static                                  | False                     |
|   rewrite_host_header                     | False                     |
| servers[3]                                |                           |
|   ip                                      | 34.236.241.38             |
|   hostname                                | dev-477407.oktapreview.com|
|   enabled                                 | True                      |
|   ratio                                   | 1                         |
|   verify_network                          | False                     |
|   resolve_server_by_dns                   | True                      |
|   static                                  | False                     |
|   rewrite_host_header                     | False                     |
| --------Truncated Output-------           |                           |
+-------------------------------------------+---------------------------+
Configuring Authentication Profile using CLI
Configure the authentication profile using the CLI as shown below:
[admin:ctrl]: > configure authprofile Okta-OAuth
[admin:ctrl]: authprofile> type auth_profile_oauth
[admin:ctrl]: authprofile> oauth_profile
[admin:ctrl]: authprofile:oauth_profile> authorization_endpoint https://dev-477407.oktapreview.com/oauth2/v1/authorize
[admin:ctrl]: authprofile:oauth_profile> token_endpoint https://dev-477407.oktapreview.com/oauth2/v1/token
[admin:ctrl]: authprofile:oauth_profile> introspection_endpoint https://dev-477407.oktapreview.com/oauth2/v1/introspect
[admin:ctrl]: authprofile:oauth_profile> jwks_uri https://dev-477407.oktapreview.com/oauth2/v1/keys
[admin:ctrl]: authprofile:oauth_profile> issuer https://dev-477407.oktapreview.com
[admin:ctrl]: authprofile:oauth_profile> userinfo_endpoint https://dev-477407.oktapreview.com/oauth2/v1/userinfo
[admin:ctrl]: authprofile:oauth_profile> pool_ref okta-pool
[admin:ctrl]: authprofile:oauth_profile> save
[admin:ctrl]: authprofile> save
+--------------------------+--------------------------------------------+
| Field                    | Value                                      |
+--------------------------+--------------------------------------------+
| uuid                     | authprofile-4b335ccf-8385-48bd-a438-       |
| name                     | okta                                       |
| type                     | AUTH_PROFILE_OAUTH                         |
| oauth_profile            |                                            |
|   authorization_endpoint | https://dev-477407.oktapreview.com/oauth2/ |
|                          | v1/authorize                               |
|   token_endpoint         | https://dev-477407.oktapreview.com/oauth2/ |
|                          | v1/token                                   |
|   introspection_endpoint | https://dev-477407.oktapreview.com/oauth2/ |
|                          | v1/introspect                              |
|   jwks_uri               | https://dev-477407.oktapreview.com/oauth2/ |
|                          | v1/keys                                    |
|   issuer                 | https://dev-477407.oktapreview.com         |
|   pool_ref               | OKTA                                       |
|   oauth_resp_buffer_sz   | 102400                                     |
|   userinfo_endpoint      | https://dev-477407.oktapreview.com/oauth2/ |
|                          | v1/userinfo                                |
| tenant_ref               | admin                                      |
+--------------------------+--------------------------------------------+
Configuring SSO Policy using CLI
[admin:ctrl]: > configure ssopolicy oauth
[admin:ctrl]: ssopolicy> type sso_type_oauth
[admin:ctrl]: ssopolicy> save
+------------+------------------------------------------------+
| Field      | Value                                          |
+------------+------------------------------------------------+
| uuid       | ssopolicy-8a4cb441-c819-4153-a247-d78f3a2585b3 |
| name       | oauth                                          |
| type       | SSO_TYPE_OAUTH                                 |
| tenant_ref | admin                                          |
+------------+------------------------------------------------+
Configuring OAuth Settings on the Virtual Service
Configure the sso_policy_ref as shown below:
[admin:ctrl]: > configure virtualservice OAuth-VS
[admin:ctrl]: virtualservice> sso_policy_ref oauth
Configure the oauth_vs_config as shown below:
[admin:ctrl]: virtualservice> oauth_vs_config
[admin:ctrl]: virtualservice:oauth_vs_config> redirect_uri https://100.64.94.61/oauth/callback
[admin:ctrl]: virtualservice:oauth_vs_config> oauth_settings
New object being created
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> auth_profile_ref okta
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> app_settings
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> oidc_config
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings:oidc_config> oidc_enable
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings:oidc_config> save
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> client_id xxxxxxxxxxxxxxx
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> client_secret xxxxxxxxxxxxxxx
Replace the placeholder client_id and client_secret values with the actual values that your authorization server has provided.
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:app_settings> save
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> resource_server
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server> access_type access_token_type_opaque
In this example, an opaque access token is used with Okta. A JWT access token can be chosen instead of an opaque token, if required.
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server> opaque_token_params
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server:opaque_token_params> server_id xxxxxxxxxxxxxxx
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server:opaque_token_params> server_secret xxxxxxxxxxxxxxx
In most cases, server_id and server_secret are the same as client_id and client_secret respectively.
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server:opaque_token_params> save
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings:resource_server> save
[admin:ctrl]: virtualservice:oauth_vs_config:oauth_settings> save
[admin:ctrl]: virtualservice:oauth_vs_config> save
[admin:ctrl]: virtualservice> save
The OAuth configuration is as shown below:
+--------------------------------+--------------------------------------------+
| sso_policy_ref                 | oauth                                      |
| oauth_vs_config                |                                            |
|   redirect_uri                 | https://okta-test.auth.com/oauth/callback  |
|   cookie_name                  | OAUTH_IUPKWGLH                             |
|   cookie_timeout               | 1 min                                      |
|   oauth_settings[1]            |                                            |
|     auth_profile_ref           | okta-oauth                                 |
|     app_settings               |                                            |
|       oidc_config              |                                            |
|         oidc_enable            | True                                       |
|         profile                | True                                       |
|         userinfo               | True                                       |
|       client_id                | xxxxxxxxxxxxxxx                            |
|       client_secret            | <sensitive>                                |
|     resource_server            |                                            |
|       access_type              | ACCESS_TOKEN_TYPE_OPAQUE                   |
|       opaque_token_params      |                                            |
|         server_id              | xxxxxxxxxxxxxxx                            |
|         server_secret          | <sensitive>                                |
|   key[1]                       |                                            |
|     name                       | dc7dde0a-8a64-45b4-8ded-f65adb03c2a4       |
|     aes_key                    | b'sdZFYlVECVu9aW7XK4IhVaC8TfakvNSvp6m861t  |
+--------------------------------+--------------------------------------------+
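The resource_server block above (access_type access_token_type_opaque with server_id and server_secret) tells the virtual service to validate each opaque access token by asking the introspection_endpoint from the authentication profile, rather than verifying a signature locally as it would for a JWT against jwks_uri. The following Python is an added illustration of that exchange, written for this page and not taken from NSX Advanced Load Balancer; it assumes the RFC 7662 introspection request shape (token posted as a form field, server_id and server_secret sent as HTTP Basic client credentials) and uses constructed introspection responses and placeholder credentials so that it runs offline. Besides the active flag it also checks exp and iss in the reply, which is the check a resource server should make before trusting the token.

```python
"""Resource-server side of the opaque-token flow: token introspection (RFC 7662).

Added example, not NSX Advanced Load Balancer code. The HTTP transport is
injectable so the check runs offline against constructed responses.
"""
import base64
import time
from typing import Callable, Dict, Optional, Tuple

# Endpoint and issuer from the authentication profile configured on this page.
INTROSPECTION_ENDPOINT = "https://dev-477407.oktapreview.com/oauth2/v1/introspect"
ISSUER = "https://dev-477407.oktapreview.com"

# transport(url, headers, form) -> decoded JSON body of the introspection response
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


def build_introspection_request(token: str, server_id: str,
                                server_secret: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Build the RFC 7662 request: the token goes in a POST form, and server_id /
    server_secret (the opaque_token_params) authenticate the resource server
    to the authorization server as HTTP Basic client credentials."""
    creds = base64.b64encode(f"{server_id}:{server_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"token": token, "token_type_hint": "access_token"}
    return INTROSPECTION_ENDPOINT, headers, form


def check_opaque_token(token: str, server_id: str, server_secret: str,
                       transport: Transport, now: Optional[float] = None,
                       expected_iss: Optional[str] = ISSUER) -> Tuple[bool, str]:
    """Return (accepted, reason_or_subject) for one opaque access token."""
    now = time.time() if now is None else now
    url, headers, form = build_introspection_request(token, server_id, server_secret)
    resp = transport(url, headers, form)
    # RFC 7662: unknown, revoked and expired tokens all come back as active=false,
    # and no other field in the response may be relied on unless active is true.
    if resp.get("active") is not True:
        return False, "inactive"
    exp = resp.get("exp")
    if exp is not None and now >= exp:           # belt and braces on top of "active"
        return False, "expired"
    if expected_iss is not None and resp.get("iss") != expected_iss:
        return False, "issuer mismatch"           # token minted by a different issuer
    return True, resp.get("sub", "")


# --- constructed offline stand-in for the Okta introspection endpoint ---------
FAKE_SERVER_ID = "server-id-placeholder"         # hypothetical, not real credentials
FAKE_SERVER_SECRET = "server-secret-placeholder"
NOW = 1_700_000_000                              # fixed clock so results are deterministic

# Constructed introspection responses keyed by token value (not real Okta data).
FAKE_TOKENS = {
    "tok-valid": {"active": True, "sub": "alice@example.com", "iss": ISSUER,
                  "exp": NOW + 3600, "scope": "openid profile"},
    "tok-expired": {"active": True, "sub": "bob@example.com", "iss": ISSUER, "exp": NOW - 1},
    "tok-revoked": {"active": False},
    "tok-wrong-issuer": {"active": True, "sub": "carol", "iss": "https://other-tenant.example",
                         "exp": NOW + 3600},
}


def fake_transport(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Dict:
    """Behave like an introspection endpoint: require the client credentials,
    answer active=false for tokens it does not know (RFC 7662 section 2.2)."""
    expected = base64.b64encode(f"{FAKE_SERVER_ID}:{FAKE_SERVER_SECRET}".encode()).decode()
    if headers.get("Authorization") != f"Basic {expected}":
        # A real endpoint answers HTTP 401; a wrong server_secret must surface as an
        # error, not be mistaken for "token inactive".
        raise PermissionError("introspection endpoint rejected server_id/server_secret")
    if url != INTROSPECTION_ENDPOINT:
        raise ValueError("request sent to the wrong endpoint")
    return dict(FAKE_TOKENS.get(form["token"], {"active": False}))


if __name__ == "__main__":
    for tok in ("tok-valid", "tok-expired", "tok-revoked", "tok-wrong-issuer", "tok-unknown"):
        print(tok, check_opaque_token(tok, FAKE_SERVER_ID, FAKE_SERVER_SECRET,
                                      fake_transport, now=NOW))
```

Running the script prints one decision per constructed token; only tok-valid is accepted. Because a wrong server_secret produces an error rather than an "inactive" verdict, a misconfigured opaque_token_params block shows up as failed introspection calls in the logs instead of silently rejecting every user, which is the symptom to look for when the values differ from client_id and client_secret.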