netscaler.adc.authenticationoauthaction module – Configuration for OAuth authentication action resource.

Note

This module is part of the netscaler.adc collection (version 2.6.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install netscaler.adc.

To use it in a playbook, specify: netscaler.adc.authenticationoauthaction.

New in netscaler.adc 2.0.0

Synopsis

  • Configuration for OAuth authentication action resource.

Parameters

Parameter

Comments

allowedalgorithms

any

Multivalued option to specify allowed token verification algorithms.

Choices:

  • "HS256"

  • "RS256"

  • "RS512"

api_path

string

Base NITRO API path.

Define only in case of an ADM service proxy call

Default: "nitro/v1/config"

attribute1

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute1

attribute10

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute10

attribute11

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute11

attribute12

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute12

attribute13

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute13

attribute14

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute14

attribute15

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute15

attribute16

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute16

attribute2

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute2

attribute3

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute3

attribute4

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute4

attribute5

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute5

attribute6

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute6

attribute7

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute7

attribute8

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute8

attribute9

any

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute9

attributes

any

List of attribute names separated by ‘,’ which needs to be extracted.

Note that preceding and trailing spaces will be removed.

Attribute name can be 127 bytes and total length of this string should not cross 1023 bytes.

These attributes have multi-value support separated by ‘,’ and stored as key-value pair in AAA session

audience

any

Audience for which token sent by Authorization server is applicable. This is typically entity name or url that represents the recipient

authentication

any

If authentication is disabled, password is not sent in the request.

Choices:

  • "ENABLED"

  • "DISABLED"

authorizationendpoint

string

Authorization endpoint/url to which unauthenticated user will be redirected. Citrix ADC redirects user to this endpoint by adding query parameters including clientid. If this parameter not specified then as default value we take Token Endpoint/URL value. Please note that Authorization Endpoint or Token Endpoint is mandatory for oauthAction

certendpoint

any

URL of the endpoint that contains JWKs (Json Web Key) for JWT (Json Web Token) verification.

certfilepath

any

Path to the file that contains JWKs (Json Web Key) for JWT (Json Web Token) verification.

clientid

string

Unique identity of the client/user who is getting authenticated. Authorization server infers client configuration using this ID

clientsecret

string

Secret string established by user and authorization server

defaultauthenticationgroup

any

This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

granttype

string

Grant type support. value can be code or password

Choices:

  • "CODE"

  • "PASSWORD"

graphendpoint

any

URL of the Graph API service to learn Enterprise Mobility Services (EMS) endpoints.

idtokendecryptendpoint

any

URL to which obtained idtoken will be posted to get a decrypted user identity. Encrypted idtoken will be obtained by posting OAuth token to token endpoint. In order to decrypt idtoken, Citrix ADC posts request to the URL configured

introspecturl

any

URL to which access token would be posted for validation

issuer

any

Identity of the server whose tokens are to be accepted.

managed_netscaler_instance_id

string

added in netscaler.adc 2.6.0

The ID of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_ip

string

added in netscaler.adc 2.6.0

The IP of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_name

string

added in netscaler.adc 2.6.0

The name of the managed NetScaler instance to which NetScaler Console

has to configure as a proxy server.

Define only in case of an ADM service proxy call

managed_netscaler_instance_password

string

added in netscaler.adc 2.6.0

The password of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

managed_netscaler_instance_username

string

added in netscaler.adc 2.6.0

The username of the managed NetScaler instance.

Define only in case of an ADM service proxy call

In Settings > Administration > System Configurations > Basic Settings,

if you select Prompt Credentials for Instance Login,

ensure to configure username and password of a managed instance.

metadataurl

any

Well-known configuration endpoint of the Authorization Server. Citrix ADC fetches server details from this endpoint.

name

any

Name for the OAuth Authentication action.

Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the profile is created.

The following requirement applies only to the Citrix ADC CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my authentication action” or ‘my authentication action’).

netscaler_console_as_proxy_server

boolean

added in netscaler.adc 2.6.0

The IP address of the NetScaler ADC appliance acting as a proxy server.

Define only in case of an ADM service proxy call

Choices:

  • false ← (default)

  • true

nitro_auth_token

string

The authentication token provided by a login operation.

nitro_pass

string

The password with which to authenticate to the NetScaler ADC node.

nitro_protocol

string

Which protocol to use when accessing the nitro API objects.

Choices:

  • "http"

  • "https" ← (default)

nitro_user

string

The username with which to authenticate to the NetScaler ADC node.

nsip

string / required

The ip address of the NetScaler ADC appliance where the nitro API calls will be made.

The port can be specified with the colon (:). E.g. 192.168.1.1:555.

oauthtype

any

Type of the OAuth implementation. Default value is generic implementation that is applicable for most deployments.

Choices:

  • "GENERIC"

  • "INTUNE"

  • "ATHENA"

pkce

any

Option to enable/disable PKCE flow during authentication.

Choices:

  • "ENABLED"

  • "DISABLED"

refreshinterval

any

Interval at which services are monitored for necessary configuration.

resourceuri

any

Resource URL for Oauth configuration.

save_config

boolean

If true the module will save the configuration on the NetScaler ADC node if it makes any changes.

The module will not save the configuration on the NetScaler ADC node if it made no changes.

Choices:

  • false ← (default)

  • true

skewtime

any

This option specifies the allowed clock skew in number of minutes that Citrix ADC allows on an incoming token. For example, if skewTime is 10, then token would be valid from (current time - 10) min to (current time + 10) min, ie 20min in all.

state

string

The state of the resource being configured by the module on the NetScaler ADC node.

When present, the resource will be added/updated configured according to the module’s parameters.

When absent, the resource will be deleted from the NetScaler ADC node.

When unset, the resource will be unset on the NetScaler ADC node.

Choices:

  • "present" ← (default)

  • "absent"

  • "unset"

tenantid

string

TenantID of the application. This is usually specific to providers such as Microsoft and usually refers to the deployment identifier.

tokenendpoint

string

URL to which OAuth token will be posted to verify its authenticity. User obtains this token from Authorization server upon successful authentication. Citrix ADC will validate presented token by posting it to the URL configured

tokenendpointauthmethod

any

Option to select the variant of token authentication method. This method is used while exchanging code with IdP.

Choices:

  • "client_secret_post"

  • "client_secret_jwt"

  • "private_key_jwt"

  • "client_secret_basic"

userinfourl

any

URL to which OAuth access token will be posted to obtain user information.

usernamefield

any

Attribute in the token from which username should be extracted.

validate_certs

boolean

If false, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates.

Choices:

  • false

  • true ← (default)

Notes

Note

Examples

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

changed

boolean

Indicates if any change is made by the module

Returned: always

Sample: true

diff

dictionary

Dictionary of before and after changes

Returned: always

Sample: {"after": {"key2": "pqr"}, "before": {"key1": "xyz"}, "prepared": "changes done"}

diff_list

list / elements=string

List of differences between the actual configured object and the configuration specified in the module

Returned: when changed

Sample: ["Attribute `key1` differs. Desired: (<class 'str'>) XYZ. Existing: (<class 'str'>) PQR"]

failed

boolean

Indicates if the module failed or not

Returned: always

Sample: false

loglines

list / elements=string

list of logged messages by the module

Returned: always

Sample: ["message 1", "message 2"]

Authors

  • Sumanth Lingappa (@sumanth-lingappa)