Created on 11-28-2022 10:43 PM Edited on 11-28-2022 10:44 PM By Anthony_E
This article describes how to configure OAuth 2.0 based client authentication on FortiWeb.
FortiWeb 7.0 GA and above.
The OAuth 2.0 authorization framework is a protocol that lets a third-party web site or application be authorized to access protected resources without the user revealing their long-term credentials, or even their identity, to that third party.
For example, when users access the application, they can log in with a Google account instead of a password held by the application.
FortiWeb supports OAuth 2.0 for front-end authentication: it acts as the OAuth client (redirecting the user to the provider and exchanging the returned code for a token) or as a resource server (validating bearer tokens presented in requests).
Configuration:
1) Go to User -> OAuth Server. Create a Google or Facebook OAuth server entry by cloning a predefined item. In this example, the Google OAuth Server is used.
Set the Client ID, Client Secret and Redirection Endpoint obtained when the client was registered with the provider.
Note:
The Redirection Endpoint MUST match the Published Site and Path in the Site Publish rule (step 3), otherwise Site Publish cannot capture the callback request. The provider compares the redirect_uri in the authorization request against the registered value exactly, so scheme, host, port and path must all agree.
2) Go to Application Delivery -> Site Publish -> OAuth Server Pool and create an OAuth Server Pool. Make sure the 'OAuth Server Name' defined there matches the 'sph_oauth_server' value in the OAuth Login Page.
3) Go to Application Delivery -> Site Publish and configure Site Publish.
4) Call the Site Publish Policy in the Web Protection Profile applied to the Server Policy.
After Configuration:
The client gets the following replacement page when accessing the Site Publish protected website for the first time (that is, without presenting an Authorization bearer token in the request).
Upon selecting the OAuth provider, the client is redirected to the authorization server (AS). In this example, it is Google Auth.
After successful authentication with Google Auth, the client is redirected back to the origin website with an authorization code and the state value that FortiWeb included in the authorization request.
FortiWeb extracts the code, exchanges it for an access token at the Google token endpoint, and then requests the username from the Google OAuth server using that token.
Once this verification passes, FortiWeb forwards the request to the real server. The username is recorded in the traffic log, as visible below.
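The exchange described above, as an added example that is not part of the original article and not FortiWeb or Google code: a self-contained Python simulation of the OAuth 2.0 authorization-code flow with both sides' messages. The `FakeAuthServer` class is an in-memory stand-in for the provider's authorization, token and userinfo endpoints, `OAuthClient` plays the role FortiWeb's Site Publish plays, and the client ID, secret, redirect URI and user name are constructed values. The provider side enforces the exact-match check on `redirect_uri` that makes the note in step 1 necessary, and `redirect_mismatch_rejected()` shows what happens when the Redirection Endpoint and the published path disagree.

```python
# Added example: simulation of the OAuth 2.0 authorization-code exchange that
# FortiWeb's Site Publish performs. Not FortiWeb or Google code; endpoints are
# in-memory stand-ins and all identifiers below are constructed.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values standing in for the FortiWeb OAuth Server entry (step 1).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://www.example.com/oauth/callback"  # Published Site + Path


class FakeAuthServer:
    """Minimal stand-in for the provider's authorization, token and userinfo endpoints."""

    def __init__(self, client_id, client_secret, registered_redirect):
        self.clients = {client_id: (client_secret, registered_redirect)}
        self.codes = {}   # code -> (client_id, redirect_uri, user); single use
        self.tokens = {}  # access_token -> user

    def authorize(self, query, user):
        """Authorization endpoint: the user has logged in; redirect back with a code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            raise ValueError("invalid_request")
        # Exact-match check: this is why the FortiWeb Redirection Endpoint must
        # equal the Site Publish path byte for byte.
        if q.get("redirect_uri") != self.clients[q["client_id"]][1]:
            raise ValueError("redirect_uri_mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form):
        """Token endpoint: exchange a one-time code for an access token."""
        entry = self.codes.pop(form.get("code"), None)  # pop: the code cannot be replayed
        if entry is None or form.get("grant_type") != "authorization_code":
            raise ValueError("invalid_grant")
        client_id, redirect_uri, user = entry
        secret, _ = self.clients[client_id]
        if form.get("client_id") != client_id or not hmac.compare_digest(
            form.get("client_secret", ""), secret
        ):
            raise ValueError("invalid_client")
        if form.get("redirect_uri") != redirect_uri:  # must repeat the URI used before
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, authorization_header):
        """Userinfo endpoint: returns the identity bound to a bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            raise ValueError("invalid_token")
        return {"email": self.tokens[token]}


class OAuthClient:
    """The role FortiWeb plays: redirect, verify the callback, fetch the username."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_state = None

    def login_redirect(self):
        """Build the authorization URL; 'state' ties the callback to this session."""
        self.pending_state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid email",
                  "state": self.pending_state}
        return "https://auth.example.net/authorize?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Handle the redirect back: check state, swap code for token, read identity."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if not hmac.compare_digest(q.get("state", ""), self.pending_state or ""):
            raise ValueError("state_mismatch")  # CSRF / login-fixation guard
        self.pending_state = None
        tok = self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                 "redirect_uri": self.redirect_uri,
                                 "client_id": self.client_id,
                                 "client_secret": self.client_secret})
        info = self.server.userinfo(f"{tok['token_type']} {tok['access_token']}")
        return info["email"]  # the value FortiWeb writes to the traffic log


def run_flow(redirect_uri=REDIRECT_URI, user="alice@example.com"):
    """Run the full exchange and return the username the client would log."""
    server = FakeAuthServer(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    client = OAuthClient(server, CLIENT_ID, CLIENT_SECRET, redirect_uri)
    callback = server.authorize(urlparse(client.login_redirect()).query, user)
    return client.handle_callback(callback)


def redirect_mismatch_rejected():
    """True if the provider refuses a redirect_uri other than the registered one."""
    try:
        run_flow(redirect_uri="https://www.example.com/other/path")
    except ValueError as exc:
        return str(exc) == "redirect_uri_mismatch"
    return False


if __name__ == "__main__":
    print("logged-in user:", run_flow())
    print("mismatched redirect rejected:", redirect_mismatch_rejected())
```

Two details in the simulation are worth checking against a real deployment: the code is consumed on first use at the token endpoint, so a replayed callback fails with invalid_grant, and the `state` parameter is compared to the value stored for the session before the code is exchanged, so a callback that did not originate from this client's redirect is dropped.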