How to Configure OAuth2.0 Authentication
OAuth 2.0 stands for “Open Authorization” and is an open standard for access delegation. Unlike many other protocols, OAuth 2.0 is not an authentication protocol but an authorization protocol. It is designed to allow a website or an application to access a limited set of resources hosted by other web apps on behalf of a user.
Granting access to protected resources on behalf of a user means that there are intermediaries between the user's identity in terms of their credentials (user name/password), a client (i.e., a client app) that acts on behalf of this user, and the resources the user requires access to.
OAuth2 defines essential components as part of its overall protocol:
User: A person who can be identified by a user name and password.
Client: The client is usually an application that requires access to specific, protected resources on behalf of the user.
Authorization Server: The authorization server manages the access and issues the necessary access token as a substitute for the user's credentials. The validity of such tokens can be limited. Commonly known examples of such servers are Azure Entra ID, Okta, and GitHub.
Resource Owner: This is the server that owns the data and can grant access to a specific subset of its protected resources.
The Barracuda CloudGen Firewall's role is to control the information flow and the access to the resources based on the token provided by the authorization server.
Note that the previously mentioned authentication providers GitHub, Entra, and Okta are also presets in the configuration window of the OAuth2.0 authentication and can serve as an example for setting up similar providers.
Configuration Granularity for OAuth2.0
Currently, depending on the Configuration Mode in Barracuda Firewall Admin, OAuth2.0 provides the following two options:
Basic Mode: Basic configuration of the authentication provider and permitted users.
Advanced Mode: Option for a more detailed configuration of the OAuth2 protocol flow.
The following instructions describe how to configure OAuth2.0 on the CloudGen Firewall according to these two modes.
How to Configure OAuth2.0 for Providers and Permitted Users (Firewall Admin: Basic Configuration Mode)
To configure OAuth2.0, perform the following steps:
Go to CONFIGURATION > Config Tree > Infrastructure Service > Authentication Service > OAuth2 Authentication.
Click Lock.
Ensure that Firewall Admin Configuration Mode is set to Basic mode.
Select Yes from the menu list for Activate Scheme.
Click the green '+' to add a new authentication provider.
The Authentication provider window is displayed.
Select one of the preset authentication providers from the list for Authentication provider.
The listed authentication providers differ in the parameters necessary for authentication.
| Auth. Provider Required Entry Field | GitHub | Entra ID | Okta |
|---|---|---|---|
| Client ID | Yes | Yes | Yes |
| Tenant ID | No | Yes | No |
| Domain | No | No | Yes |
| Client Secret | Yes | No | Yes |
Option #1: GitHub
For Client ID – Enter the ID for your client.
For Client Secret – Enter the client secret for New and also enter this client secret for Confirm.
Option #2: Entra ID
For Client ID – Enter the ID for your client.
For Tenant ID – Enter the ID for your tenant.
Option #3: Okta
For Client ID – Enter the ID for your client.
For Domain – Enter the name for your domain.
For Client Secret – Enter the client secret for New and also enter this client secret for Confirm.
Finally, add the information for the following two fields. These fields apply to each of the options above:
Redirect URL – Enter the OAuth2 redirect URL, e.g., http://192.168.123.1 or https://example.com/oauth2/callback
Scope – Enter the scope. Scopes limit the access granted to OAuth tokens and let you specify exactly what type of access you need. No additional permission is granted beyond what the user already has.
Adjust the value for Auto Logout After [h] if necessary. The default value is 12h.
Click OK to confirm your configuration.
For Permitted users, click the '+' to add permitted users to the list.
Click Send Changes/Activate to activate your configuration.
How to Configure Additional Information for Custom Authorization Providers (Firewall Admin: Advanced Configuration Mode)
To configure additional OAuth2.0 information for custom authorization providers, perform the following steps:
Go to CONFIGURATION > Config Tree > Infrastructure Service > Authentication Service > OAuth2 Authentication.
In the left menu area, expand Configuration Mode.
Switch to Advanced.
Click Lock.
Configure all fields according to the basic configuration mode as described above (steps 4 to 13).
For Custom Authorization Providers, click the '+' to configure the details for redirection, user request URLs, and access tokens.
The Custom Authorization Provider window is displayed.
Enter the name for the configuration details and click OK.
The configuration window is displayed.
Note that the small ‘pencil’ symbol to the left of an edit field’s label indicates that the related information has been added manually to the collective configuration.
Fill out the configuration fields:
Redirect URL – Enter your specific redirection URL, e.g.,
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize?client_id={clientID}&response_type=code&redirect_uri={redirectURI}&scope={scope}&state={state}
Username Request URL – Enter the URL for the username request.
Username Request headers – If specific headers must be applied, enter a header by clicking the green '+' above the section list.
Username key for response – Enter the key to find the user name in the response from the server.
Access Token Request URL – Enter the URL for exchanging the authorization code for the access token, e.g.,
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Access Token request headers – Enter the headers for the URL responsible for exchanging the authorization code for the access token, e.g.,
client_id={clientID}&grant_type=authorization_code&code={authorizationCode}&redirect_uri={redirectURI}&scope=openid profile offline_access {scope}
Authentication – Enter the authentication string if requested by the provider.
Auto Logout After [h] – Enter the expiration time after which an automated logout shall be performed.
Click OK.
If you want to add another entry to the list, repeat all steps beginning with step 6 above.
Click Send Changes/Activate.
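The following added example (not code from the Barracuda documentation or product) walks through the custom-provider fields above from the client side: it fills the page's {placeholder} templates for the Entra ID redirect and token URLs, binds the login to a random state value and rejects a callback whose state does not match, and resolves the "Username key for response" as a dotted path into the provider's JSON reply. The tenant, client, code and response values are constructed placeholders; placeholders are substituted verbatim as on the page, except that the redirect URI is percent-encoded so the resulting URL parses correctly.

```python
import json
import secrets
from urllib.parse import parse_qs, quote, urlsplit

# Templates copied from the documentation above; {…} are the firewall's placeholders.
REDIRECT_TEMPLATE = ("https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize"
                     "?client_id={clientID}&response_type=code&redirect_uri={redirectURI}"
                     "&scope={scope}&state={state}")
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token"
TOKEN_BODY_TEMPLATE = ("client_id={clientID}&grant_type=authorization_code"
                       "&code={authorizationCode}&redirect_uri={redirectURI}"
                       "&scope=openid profile offline_access {scope}")

def fill(template, **values):
    """Substitute every {placeholder}; an unfilled one is a configuration error."""
    out = template
    for key, val in values.items():
        out = out.replace("{" + key + "}", val)
    if "{" in out:
        raise ValueError("unfilled placeholder in: " + out)
    return out

def query_params(url):
    """First value of each query parameter of a URL (e.g., the callback)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def build_authorize_url(tenant_id, client_id, redirect_uri, scope):
    """Step 1: the URL the user is sent to; state ties the callback to this attempt."""
    state = secrets.token_urlsafe(16)
    url = fill(REDIRECT_TEMPLATE, tenantID=tenant_id, clientID=client_id,
               redirectURI=quote(redirect_uri, safe=""), scope=quote(scope), state=state)
    return url, state

def callback_code(callback_url, expected_state):
    """Step 2: return the authorization code, or None if the state does not match
    (a mismatch indicates a forged or replayed callback and must not be exchanged)."""
    params = query_params(callback_url)
    if params.get("state") != expected_state:
        return None
    return params.get("code")

def token_request(tenant_id, client_id, redirect_uri, scope, code):
    """Step 3: URL and body for exchanging the code for an access token."""
    return (fill(TOKEN_URL_TEMPLATE, tenantID=tenant_id),
            fill(TOKEN_BODY_TEMPLATE, clientID=client_id, authorizationCode=code,
                 redirectURI=quote(redirect_uri, safe=""), scope=scope))

def username_from_response(body, key):
    """Step 4: 'Username key for response' as a dotted path into the JSON reply."""
    node = json.loads(body)
    for part in key.split("."):
        node = node[part]
    return node
```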