Configuring OAuth 2.0 Servers

The OAuth Servers table lets you configure up to six OAuth 2.0 authentication servers.

You can use OAuth servers for the following services:

OAuth-based login authentication of users (see example in OAuth-based User Login Authentication and Authorization).
OAuth-based authentication of incoming SIP messages (see example in OAuth 2.0 Based SIP Message Authentication).
OAuth-based authentication of outgoing HTTP/S requests to Remote Web Services (see example in OAuth 2.0 Based Authentication for Remote Web Services).

You can configure only one OAuth server in the table with type Azure.

The following procedure describes how to configure the OAuth server through the Web interface. You can also configure it through ini file [OAuthServers] or CLI (configure system > oauth-servers).

To configure an OAuth server:
1. Open the OAuth Servers table (Setup menu > IP Network tab > AAA Servers folder > OAuth Servers).
2. Click New; the following dialog box appears:

3. Configure the OAuth server according to the parameters described in the table below.
4. Click Apply.

OAuth Servers Table Parameter Descriptions

Parameter

Description

'Index'

[Index]

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'Name'

server-name

[OAuthServerName]

Defines an arbitrary name to easily identify the row.

The valid value is a string of up to 20 characters.

Note:

Configure each row with a unique name.
The parameter is mandatory.

'Server Type'

server-type

[OAuthServerType]

Defines the provider of the OAuth service.

[0] Azure = (Default) Microsoft Azure server.
[1] Standard OAuth 2.0 = Standard OAuth 2.0 server using standard OAuth 2.0 tokens.

Note: You can configure only one OAuth server in the table for Azure.

'Base URL'

base-url

[OAuthBaseURL]

Defines the base URL.

The endpoint paths configured by the parameters below are appended to this base URL. For example, the full URL of the default authorization endpoint is "https://login.microsoftonline.com/common/oauth2/v2.0/authorize".

The default is "https://login.microsoftonline.com/common".

Note: The parameter is mandatory.

'Authorization Endpoint'

authorization-endpoint

[OAuthAuthorizeEndpoint]

Defines the authorization endpoint URL path (which follows the base URL).

The default is "/oauth2/v2.0/authorize".

Note: The parameter is applicable only when the 'Server Type' parameter is configured to Azure.

'Device Code Endpoint'

devicecode-endpoint

[OAuthDeviceCodeEndpoint]

Defines the device code endpoint URL path (which follows the base URL).

The default is "/oauth2/v2.0/devicecode".

Note: The parameter is applicable only when the 'Server Type' parameter is configured to Azure.

'Token Endpoint'

token-endpoint

[OAuthTokenEndpoint]

Defines the token endpoint URL path (which follows the base URL).

The default is "/oauth2/v2.0/token".

'Keys Endpoint'

keys-endpoint

[OAuthKeysEndpoint]

Defines the keys endpoint URL path (which follows the base URL), from which the device retrieves the OAuth server's public keys.

The default is "/discovery/v2.0/keys".

Note: The parameter is applicable only when the 'Server Type' parameter is configured to Azure, and is mandatory.

'Logout Endpoint'

logout-endpoint

[OAuthLogoutEndpoint]

Defines the logout endpoint URL path (which follows the base URL).

The default is "/oauth2/v2.0/logout".

Note: The parameter is applicable only when the 'Server Type' parameter is configured to Azure.

'Keys Refresh Time'

keys-refresh-time

[OAuthKeysRefreshTime]

Defines the interval (in minutes) at which the device refreshes the public keys (by requesting them from Azure Entra ID or the standard OAuth server).

The valid value range is 360 to 1440. By default, no value is defined.

Note: The parameter is applicable only when the 'Server Type' parameter is configured to Azure, and is mandatory.

'Application ID'

application-id

[OAuthAppId]

Defines the Application (client) ID that your Azure Entra ID or standard OAuth server account assigned to the app you created (registered) for the device.

By default, no value is defined.

Note: The parameter is mandatory.

'Secret Key'

secret-key

[OAuthSecretKey]

Defines the secret key (or client secret) that the device sends to the OAuth server for authentication.

By default, no value is defined.

Note:

The parameter is applicable only when the 'Server Type' parameter is configured to Standard OAuth 2.0 and is mandatory.
The secret key is given to you by your authentication provider.

'Scope'

scope

[OAuthScope]

Defines the scope to access resources.

By default, no value is defined.

Note:

The parameter is applicable only when the 'Server Type' parameter is configured to Standard OAuth 2.0.
The scope is given to you by your authentication provider.

'REST API 'aud' Prefix'

rest-api-aud-prefix

[RestApiAudPrefix]

Defines the prefix of the 'aud' (audience) claim for REST API requests. The device uses this prefix when validating the 'aud' claim of a token presented in a request that arrives through the REST API.

The default is "api://".

Note: The parameter is applicable only when the 'Server Type' parameter is configured to Azure.

'TLS Context'

tls-context

[TLSContext]

Assigns a TLS Context from the TLS Contexts table (see Configuring TLS Certificate Contexts).

By default, no value is defined (and TLS Context #0 is used).

'Verify Certificate'

verify-certificate

[VerifyCertificate]

Enables verification of the TLS certificate that the OAuth server presents when the device establishes a connection to it.

[0] Disable = (Default) No certificate verification is done.
[1] Enable = The device verifies the certificate received from the OAuth server against the trusted root certificate store associated with the assigned TLS Context (see the 'TLS Context' parameter above) and, if verification succeeds, allows communication with the server. If verification fails, the device denies communication (i.e., the TLS handshake fails). The device can also check whether the certificate has been revoked by querying an Online Certificate Status Protocol (OCSP) server; this is also configured in the associated TLS Context.

'Network Interface'

network-interface

[NetworkInterface]

Assigns an IP network interface from the IP Interfaces table (see Configuring IP Network Interfaces) for communication with the OAuth server.

By default, no value is defined (and OAMP interface is used).

Note: The parameter is mandatory.
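The following Python script is an added example, not device code or anything from the product documentation. It models one row of the OAuth Servers table with the constraints the table above lists (mandatory parameters, which parameters apply to which 'Server Type', the 360 to 1440 minute range of 'Keys Refresh Time', the limit of six rows and of one Azure row, unique names), composes full endpoint URLs from 'Base URL' plus the endpoint paths as described for 'Base URL', and flags the weak default 'Verify Certificate' = Disable. The 'aud' check assumes that a REST API token's audience is the configured prefix followed by the Application ID; that assumption is not stated on the page. The application ID values are constructed placeholders.

```python
"""Validator for OAuth Servers table rows (constructed example, not device code)."""
from dataclasses import dataclass
from typing import List, Optional

AZURE = 0      # [0] Azure = (Default) Microsoft Azure server
STANDARD = 1   # [1] Standard OAuth 2.0 server
MAX_ROWS = 6   # the table holds up to six OAuth 2.0 servers


@dataclass
class OAuthServer:
    """One table row; field defaults mirror the defaults listed for each parameter."""
    name: str                                   # 'Name', mandatory, up to 20 characters
    server_type: int = AZURE                    # 'Server Type'
    base_url: str = "https://login.microsoftonline.com/common"   # 'Base URL', mandatory
    authorize_endpoint: str = "/oauth2/v2.0/authorize"
    devicecode_endpoint: str = "/oauth2/v2.0/devicecode"
    token_endpoint: str = "/oauth2/v2.0/token"
    keys_endpoint: str = "/discovery/v2.0/keys"
    logout_endpoint: str = "/oauth2/v2.0/logout"
    keys_refresh_time: Optional[int] = None     # minutes, 360..1440, no default
    app_id: str = ""                            # 'Application ID', mandatory
    secret_key: str = ""                        # 'Secret Key', Standard OAuth 2.0 only
    scope: str = ""                             # 'Scope', Standard OAuth 2.0 only
    rest_api_aud_prefix: str = "api://"         # 'REST API 'aud' Prefix', Azure only
    verify_certificate: int = 0                 # [0] Disable (default), [1] Enable
    network_interface: str = ""                 # 'Network Interface', mandatory

    def full_url(self, endpoint_path: str) -> str:
        """Endpoint paths follow the base URL; join them without doubling the slash."""
        return self.base_url.rstrip("/") + "/" + endpoint_path.lstrip("/")


def validate_row(row: OAuthServer) -> List[str]:
    """Return the configuration errors for a single row (empty list when valid)."""
    errors: List[str] = []
    if not row.name or len(row.name) > 20:
        errors.append("Name is mandatory and limited to 20 characters")
    if not row.base_url:
        errors.append("Base URL is mandatory")
    if not row.app_id:
        errors.append("Application ID is mandatory")
    if not row.network_interface:
        errors.append("Network Interface is mandatory")
    if row.server_type == AZURE:
        if not row.keys_endpoint:
            errors.append("Keys Endpoint is mandatory for Azure")
        if row.keys_refresh_time is None or not 360 <= row.keys_refresh_time <= 1440:
            errors.append("Keys Refresh Time is mandatory for Azure and must be 360..1440 minutes")
    elif row.server_type == STANDARD:
        if not row.secret_key:
            errors.append("Secret Key is mandatory for Standard OAuth 2.0")
    else:
        errors.append(f"unknown Server Type {row.server_type}")
    return errors


def security_warnings(row: OAuthServer) -> List[str]:
    """Settings that are valid but weaken the trust in the OAuth server connection."""
    warnings: List[str] = []
    if row.verify_certificate == 0:
        warnings.append("Verify Certificate is Disable: the OAuth server's TLS certificate is not checked")
    return warnings


def validate_table(rows: List[OAuthServer]) -> List[str]:
    """Check the table-wide rules, then every row."""
    errors: List[str] = []
    if len(rows) > MAX_ROWS:
        errors.append(f"table holds at most {MAX_ROWS} rows, got {len(rows)}")
    names = [r.name for r in rows]
    if len(names) != len(set(names)):
        errors.append("each row must have a unique Name")
    if sum(1 for r in rows if r.server_type == AZURE) > 1:
        errors.append("only one row may have Server Type Azure")
    for index, row in enumerate(rows):
        errors.extend(f"row {index}: {e}" for e in validate_row(row))
    return errors


def aud_matches_rest_api(row: OAuthServer, aud: str) -> bool:
    """Assumption: a REST API token's 'aud' is the configured prefix followed by the Application ID."""
    return aud == row.rest_api_aud_prefix + row.app_id


if __name__ == "__main__":
    # Constructed rows: a hardened Azure row and a Standard OAuth 2.0 row left at the defaults.
    azure = OAuthServer(name="Azure", app_id="APP-ID-PLACEHOLDER", keys_refresh_time=720,
                        network_interface="OAMP", verify_certificate=1)
    standard = OAuthServer(name="Corp IdP", server_type=STANDARD, base_url="https://idp.example.com",
                           app_id="APP-ID-PLACEHOLDER-2", network_interface="OAMP")
    print(azure.full_url(azure.authorize_endpoint))
    for problem in validate_table([azure, standard]) + security_warnings(standard):
        print(problem)
```

Run the script as-is to see the composed authorization URL, the missing 'Secret Key' error for the Standard OAuth 2.0 row, and the warning that its 'Verify Certificate' is still at the Disable default.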