Product Documentation

OAuth Authentication

Apr 01, 2018

The NetScaler AAA-TM feature now supports OAuth and OpenID-Connect mechanisms for authenticating and authorizing users to applications that are compliant with “OpenID connect 2.0”.

OAuth subsystem supports both authorization code, implicit, and hybrid flows specified by OpenID specification. NetScaler supports inline verification of id_token by polling the certificates of the SAML IdP or by using the certificates configured locally in a file.

A major advantage of using the OAuth and OpenID-Connect mechanisms is that the user information is not sent to the hosted applications and therefore the risk of identity theft is considerably reduced.

The NetScaler appliance configured for NetScaler AAA now accepts incoming tokens that are signed using HMAC HS256 algorithm. In addition, the public keys of the SAML Identity Provider (IdP) are read from a file, instead of learning from an URL endpoint.

In the NetScaler implementation, the application to be accessed is represented by the AAA-TM virtual server. So, to configure OAuth, you must configure an OAuth policy which must then be associated with a AAA-TM virtual server.


NetScaler also allows for the administrator to specify up to 16 attributes to be extracted from the id_token.

To configure OAuth by using the configuration utilty:

  1. Configure the OAuth action and policy.
    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with OAuth as the action type, and associate the required OAuth action with the policy.

  2. Associate the OAuth policy with an authentication virtual server.
    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the OAuth policy with the authentication virtual server.


Attributes (1 to 16) can be extracted in the OAuth response. Currently these attributes are not evalauted. They are added for the future reference.

To configure OAuth by using the command line interface:

  1. Define an OAuth action.
    add authentication OAuthAction <name> -authorizationEndpoint <URL> -tokenEndpoint <URL> [-idtokenDecryptEndpoint <URL>] -clientID <string> -clientSecret <string> [-defaultAuthenticationGroup <string>][-tenantID <string>] [-GraphEndpoint <string>][-refreshInterval <positive_integer>] [-CertEndpoint <string>][-audience <string>] [-userNameField <string>] [-skewTime <mins>][-issuer <string>] [-Attribute1 <string>] [-Attribute2 <string>] [-Attribute3 <string>] …
  2. Associate the action with an advanced authentication policy.
    > add authentication Policy <name> -rule <expression> -action <string>


add authentication oauthAction a -authorizationEndpoint -tokenEndpoint -clientiD sadf -clientsecret df

For more information on authentication OAuthAction parameters, see “authentication OAuthAction”. 

Note: When a certEndpoint is specified, the NetScaler appliance polls that endpoint at the configured frequency to learn the keys. To configure a NetScaler to read the local file and parse keys from that file, a new configuration option is introduced as follows.

set authentication OAuthAction <> -CertFilePath <path to local file with jwks>