Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 7.0.3 Administration Guide
    7.0.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    OAuth Authorization

    OAuth Authorization

    The OAuth 2.0 authorization framework is a protocol that allows you to authorize a third-party web site or application access to your protected resources, without necessarily revealing your long-term credentials or even your identity. For example, when users access your application, they can log in with their Google account.

    FortiWeb supports OAuth 2.0 for front-end authentication, and it works as an authorization client or a resource server. The authorization process works as below.

    When FortiWeb works as an authorization client:

    1. Users initiate the access request to FortiWeb.
    2. FortiWeb returns the OAuth login page.
    3. User chooses an OAuth provider.
    4. FortiWeb redirects the access request to the third party Authentication Server.
    5. The third party Authentication Server performs the authentication and authorization interactions, then redirects the access request back to FortiWeb with an authorization code. The token and username will be obtained in the code.
    6. FortiWeb redirects user to the original URL with cookie.
    7. User access the URL with cookie, and the token should be refreshed before it expires.
    8. If authentication failure occurs, FortiWeb returns return error page to the user.

    When FortiWeb works as a resource server:

    1. Users initiate the access request to FortiWeb.
    2. FortiWeb extracts token from Authorization header, then validates the token with the third party Authentication Server to confirm this is a legitimate user and try to get the username. If valid, FortiWeb forwards the request to the back-end server. If invalid, will return error page to the user.

    OAuth 2.0 Authorization on FortiWeb requires you to configure OAuth servers and server pool, then select this server pool in a site publish rule.

    Step 1 - Creating an OAuth server

    FortiWeb supports front-end authentication with Google and Facebook authentication server.

    Perform the following steps to create OAuth requests:

    1. Go to User > OAuth Server, Select the OAuth Request tab.
    2. FortiWeb has pre-defined the commonly seen Google, Facebook, and FortiAuthenticator OAuth requests for user authentication. You can Create New or click Clone to clone a request so that you can tailor it according to your needs. Configure the following settings.
      NameEnter a name for the request.
      Request Type

      OAuth request types, including:

      • authorization (default)

      • token

      • refresh

      • validation

      • userinfo

      EndpointOAuth request URL.
      Method

      Request method:

      • get (default)

      • post

      User Key

      Indicate username keyword in response.

      Content type

      Select the request content type.

      Custom Headers

      Enter the header name and value.

      Custom ParametersEnter the parameter name and value.
    3. Click OK.
    4. Go to User > OAuth Server, Select the OAuth Server tab. Click Create New or click Clone to clone a server configuration so that you can tailor it. Configure the following settings.
      NameEnter a name for the server.
      ModeSelect whether FortiWeb works as an authorization client or a resource server, or both.
      ScopeEnter the scope field for OAuth.
      Client ID/Client SecretA client credential. Assigned by authorization server.
      Redirection EndpointRedirection URL back to FortiWeb.
      Authorization RequestThe authorization request created in the OAuth Request tab.

      Token Request

      The token request created in the OAuth Request tab.

      Refresh Request

      The refresh request created in the OAuth Request tab.

      Valid Request

      The valid request created in the OAuth Request tab.

      User Info. Request

      The user info request created in the OAuth Request tab.

    Step 2 - Creating an OAuth Server pool

    1. Go to Application Delivery > Site Publish > OAuth Server pool.
    2. Click Create New.
    3. Enter a name for the server pool.
    4. Select whether the server works in Client mode or Resource Server mode, or both.
      If you choose the resource server mode, please make sure you have a device in front of FortiWeb to do the interaction with third party Authentication Server.
    5. Click OK.
    6. Click Create New to add server in the pool.
    7. Enter a name for the OAuth server, then select the server you have created in Step 1 - Creating an OAuth server.
    8. Click OK.

    Step 3 - Create a Site Publish rule for OAuth Authentication

    1. Go to Application Delivery > Site Publish > Site Publish.
    2. Refer to Offloaded authentication and optional SSO configuration for how to create a Site Publish rule and policy. For the Client Authentication Method, select OAuth Authentication; For OAuth Server Pool, select the OAuth server pool you have created.

    Previous
    Next

    OAuth Authorization

    OAuth Authorization

    The OAuth 2.0 authorization framework is a protocol that allows you to authorize a third-party web site or application access to your protected resources, without necessarily revealing your long-term credentials or even your identity. For example, when users access your application, they can log in with their Google account.

    FortiWeb supports OAuth 2.0 for front-end authentication, and it works as an authorization client or a resource server. The authorization process works as below.

    When FortiWeb works as an authorization client:

    1. Users initiate the access request to FortiWeb.
    2. FortiWeb returns the OAuth login page.
    3. User chooses an OAuth provider.
    4. FortiWeb redirects the access request to the third party Authentication Server.
    5. The third party Authentication Server performs the authentication and authorization interactions, then redirects the access request back to FortiWeb with an authorization code. The token and username will be obtained in the code.
    6. FortiWeb redirects user to the original URL with cookie.
    7. User access the URL with cookie, and the token should be refreshed before it expires.
    8. If authentication failure occurs, FortiWeb returns return error page to the user.

    When FortiWeb works as a resource server:

    1. Users initiate the access request to FortiWeb.
    2. FortiWeb extracts token from Authorization header, then validates the token with the third party Authentication Server to confirm this is a legitimate user and try to get the username. If valid, FortiWeb forwards the request to the back-end server. If invalid, will return error page to the user.

    OAuth 2.0 Authorization on FortiWeb requires you to configure OAuth servers and server pool, then select this server pool in a site publish rule.

    Step 1 - Creating an OAuth server

    FortiWeb supports front-end authentication with Google and Facebook authentication server.

    Perform the following steps to create OAuth requests:

    1. Go to User > OAuth Server, Select the OAuth Request tab.
    2. FortiWeb has pre-defined the commonly seen Google, Facebook, and FortiAuthenticator OAuth requests for user authentication. You can Create New or click Clone to clone a request so that you can tailor it according to your needs. Configure the following settings.
      NameEnter a name for the request.
      Request Type

      OAuth request types, including:

      • authorization (default)

      • token

      • refresh

      • validation

      • userinfo

      EndpointOAuth request URL.
      Method

      Request method:

      • get (default)

      • post

      User Key

      Indicate username keyword in response.

      Content type

      Select the request content type.

      Custom Headers

      Enter the header name and value.

      Custom ParametersEnter the parameter name and value.
    3. Click OK.
    4. Go to User > OAuth Server, Select the OAuth Server tab. Click Create New or click Clone to clone a server configuration so that you can tailor it. Configure the following settings.
      NameEnter a name for the server.
      ModeSelect whether FortiWeb works as an authorization client or a resource server, or both.
      ScopeEnter the scope field for OAuth.
      Client ID/Client SecretA client credential. Assigned by authorization server.
      Redirection EndpointRedirection URL back to FortiWeb.
      Authorization RequestThe authorization request created in the OAuth Request tab.

      Token Request

      The token request created in the OAuth Request tab.

      Refresh Request

      The refresh request created in the OAuth Request tab.

      Valid Request

      The valid request created in the OAuth Request tab.

      User Info. Request

      The user info request created in the OAuth Request tab.

    Step 2 - Creating an OAuth Server pool

    1. Go to Application Delivery > Site Publish > OAuth Server pool.
    2. Click Create New.
    3. Enter a name for the server pool.
    4. Select whether the server works in Client mode or Resource Server mode, or both.
      If you choose the resource server mode, please make sure you have a device in front of FortiWeb to do the interaction with third party Authentication Server.
    5. Click OK.
    6. Click Create New to add server in the pool.
    7. Enter a name for the OAuth server, then select the server you have created in Step 1 - Creating an OAuth server.
    8. Click OK.

    Step 3 - Create a Site Publish rule for OAuth Authentication

    1. Go to Application Delivery > Site Publish > Site Publish.
    2. Refer to Offloaded authentication and optional SSO configuration for how to create a Site Publish rule and policy. For the Client Authentication Method, select OAuth Authentication; For OAuth Server Pool, select the OAuth server pool you have created.

    Previous
    Next