Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.0.5 CLI Reference
    7.0.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config user oauth

    config user oauth

    Use this command to configure the OAuth policy for OAuth 2.0 authentication.

    Syntax

    config user oauth

    edit <name>

    set auth-url <string>

    set token-url <string>

    set client-id <string>

    set client-secret <string>

    set http-method {GET|POST}

    set redirect-url <string>

    set relay-mode {enable|disable}

    set include-granted-scopes {true|false}

    set prompt {disable|none|consent|select_account}

    set token-timeout <integer>

    set scope-logout-url /logout

    config scope-list

    edit 1

    set scope-url <string>

    next

    end

    next

    end

    CLI Parameter

    Description

    auth-url

    		 The URL of the authorization server.

    token-url

    		 The URL of the token server

    client-id

    		 The client ID for your application.

    client-secret

    		 The secret used to apply for the access token.

    http-method

    The HTTP method used for the OAuth transaction.

    Select from the following values:

    • POST

    • GET

    redirect-url

    		 The URL of the redirected server.

    relay-mode

    Enable/disable relay mode allows FortiADC to add an Authorization Header to the HTTP request after verifying the token.

    include-granted-scopes

    Select from the following values:

    • true

    • false

    • none

    This enables applications to use incremental authorization to request access to additional scopes in context.

    If you set this parameter's value to true and the authorization request is granted, then the new access token will also cover any scopes to which the user previously granted the application access.

    prompt

    A space-delimited, case-sensitive list of prompts to present the user. If you do not specify this parameter, the user will only be prompted the first time your project requests access.

    Possible values are:

    • disable — Disable prompts.

    • none — Do not display any authentication or consent screens.

    • consent — Prompt the user for consent.

    • select_account — Prompt the user to select an account.

    token-timeout

    The amount of time in seconds the token will be valid. (Range: 120-86,400, default = 3600).

    The client will not be allowed to access the scope after this time has elapsed.

    scope-logout-url

    Access to this URL will trigger a logout event. FortiADC will delete the cookie, so in the next access you will need to repeat the OAuth setup process.

    scope-list

    A space-delimited list of scopes that identify the resources that your application could access on the user's behalf. These values inform the consent screen that the resource server displays to the user.

    Scopes enable your application to only request access to the resources that it needs while also enabling users to control the amount of access that they grant to your application. This results in an inverse relationship between the number of scopes requested and the likelihood of obtaining user consent.

    scope-url

    This URL specifies the location of the resource that your application could access on the user's behalf and will be shown to the user to obtain their consent when they access the resource server.

    The relative path of a URL is permitted.

    Example

    config user oauth

    edit "oauth"

    set auth-url https://accounts.google.com/o/oauth2/v2/auth

    set token-url https://www.googleapis.com/oauth2/v4/token

    set client-id 49178883990-conasjq8hiero0rtc5olhk7c5719i36i.apps.googleusercontent.com

    set client-secret ENC VSiVjX6ZdFjBoDSjmOHBCYNeTAij3tbIR/4+kRF5g0U/B40FDbIGgDI/ZzrEmStXe0SG7GuYYizXOCyrXvncJHO5IX1hsX4WQXr/raBq6fe6Y0+rx74PXhUeGBdfLZsPMTrhPAx17Yncwq14Ry6pJnHclh8Lk3vMBY1kGQ==

    set http-mode POST

    set relay-mode enable

    set include-granted-scopes true

    set prompt consent

    set token-timeout 8888

    set scope-logout-url /logout

    config scope-list

    edit 1

    set scope-url https://www.googleapis.com/auth/blogger

    next

    end

    next

    end

    Previous
    Next

    config user oauth

    config user oauth

    Use this command to configure the OAuth policy for OAuth 2.0 authentication.

    Syntax

    config user oauth

    edit <name>

    set auth-url <string>

    set token-url <string>

    set client-id <string>

    set client-secret <string>

    set http-method {GET|POST}

    set redirect-url <string>

    set relay-mode {enable|disable}

    set include-granted-scopes {true|false}

    set prompt {disable|none|consent|select_account}

    set token-timeout <integer>

    set scope-logout-url /logout

    config scope-list

    edit 1

    set scope-url <string>

    next

    end

    next

    end

    CLI Parameter

    Description

    auth-url

    		 The URL of the authorization server.

    token-url

    		 The URL of the token server

    client-id

    		 The client ID for your application.

    client-secret

    		 The secret used to apply for the access token.

    http-method

    The HTTP method used for the OAuth transaction.

    Select from the following values:

    • POST

    • GET

    redirect-url

    		 The URL of the redirected server.

    relay-mode

    Enable/disable relay mode allows FortiADC to add an Authorization Header to the HTTP request after verifying the token.

    include-granted-scopes

    Select from the following values:

    • true

    • false

    • none

    This enables applications to use incremental authorization to request access to additional scopes in context.

    If you set this parameter's value to true and the authorization request is granted, then the new access token will also cover any scopes to which the user previously granted the application access.

    prompt

    A space-delimited, case-sensitive list of prompts to present the user. If you do not specify this parameter, the user will only be prompted the first time your project requests access.

    Possible values are:

    • disable — Disable prompts.

    • none — Do not display any authentication or consent screens.

    • consent — Prompt the user for consent.

    • select_account — Prompt the user to select an account.

    token-timeout

    The amount of time in seconds the token will be valid. (Range: 120-86,400, default = 3600).

    The client will not be allowed to access the scope after this time has elapsed.

    scope-logout-url

    Access to this URL will trigger a logout event. FortiADC will delete the cookie, so in the next access you will need to repeat the OAuth setup process.

    scope-list

    A space-delimited list of scopes that identify the resources that your application could access on the user's behalf. These values inform the consent screen that the resource server displays to the user.

    Scopes enable your application to only request access to the resources that it needs while also enabling users to control the amount of access that they grant to your application. This results in an inverse relationship between the number of scopes requested and the likelihood of obtaining user consent.

    scope-url

    This URL specifies the location of the resource that your application could access on the user's behalf and will be shown to the user to obtain their consent when they access the resource server.

    The relative path of a URL is permitted.

    Example

    config user oauth

    edit "oauth"

    set auth-url https://accounts.google.com/o/oauth2/v2/auth

    set token-url https://www.googleapis.com/oauth2/v4/token

    set client-id 49178883990-conasjq8hiero0rtc5olhk7c5719i36i.apps.googleusercontent.com

    set client-secret ENC VSiVjX6ZdFjBoDSjmOHBCYNeTAij3tbIR/4+kRF5g0U/B40FDbIGgDI/ZzrEmStXe0SG7GuYYizXOCyrXvncJHO5IX1hsX4WQXr/raBq6fe6Y0+rx74PXhUeGBdfLZsPMTrhPAx17Yncwq14Ry6pJnHclh8Lk3vMBY1kGQ==

    set http-mode POST

    set relay-mode enable

    set include-granted-scopes true

    set prompt consent

    set token-timeout 8888

    set scope-logout-url /logout

    config scope-list

    edit 1

    set scope-url https://www.googleapis.com/auth/blogger

    next

    end

    next

    end

    Previous
    Next