OAuth2 Authentication
Support for OAuth2 authentication allows the processing of authentication requests
from north-bound interfaces using an OAuth2 token.
Overview
- OAuth2 Authentication is supported only for SLX 9250.
- The SLX device uses a PKI
certificate to validate the incoming token.
- Use the crypto
import command with the oauth2pkicert option to
import the OAuth2 PKI certificate.
- Use the aaa authentication login oauth2 [local |
local-auth-fallback] command to configure the OAuth2 mode of
authentication.
- OAuth2 tokens are supported by
the Bearer Token field in the HTTPS authorization header.
- The user command in the
audit log shows the xpath format for NETCONF configurations. For example:
SLX# show logging auditlog
0 AUDIT, 2020/02/20-22:45:57 (GMT), [DCM-1006], INFO, DCMCFG, admin/admin/134.141.219.78/ssh/netconf,, SLX, Event: database commit transaction, Status: Succeeded, User command: /brocade-interface:interface/ethernet[name="0/26"]/switchport-basic/basic.
1 AUDIT, 2020/02/20-22:52:23 (GMT), [DCM-1018], WARNING, DCMCFG, admin/admin/134.141.219.78/ssh/netconf,, SLX, Event: database commit transaction, Status: %% Error: Remove L3 configuration from the interface, User command: /brocade-interface:interface/ethernet[name="0/1"]/switchport-basic/basic, /brocade-interface:interface/ethernet[name="0/2"]/switchport-basic/basic, /brocade-interface:inte.
Considerations
- Setting the AAA authentication
mode to OAuth2 is applicable to the SSH (NETCONF) and RESTCONF login methods.
Telnet login using the OAuth2 token always fails because it is a non-secure
means of transferring the OAuth2 token. As a best practice, set the secondary
source of authentication in the aaa authentication
command to always fall back to local authentication.
- Unlike other remote server
authentication mode of operations, OAuth2 with local or
local-auth-fallback always falls back to the local mode
of authentication if the primary source fails.
- By default, any role from the
OAuth2 token is mapped to the admin role in the SLX device.
- Only RS256-based OAuth2 token is
supported.
- There is no expiration check in
the OAuth2 token.
- You can import only one OAuth2
PKI CA certificate.
- The maximum token length allowed
is 1024 bytes.
- The supported token signature
algorithm is RSA SHA-256.