NetScaler OAuth token generation

[Kari Ruissalo]

Does anyone happen to have a sample of a HTTP POST how to get a Token from NetScaler OAuth IdP? With just basic authentication for starters... and some tips on how to configure the NetScaler AAA for it to work?

Also, does NetScaler support grant_type=password? Should we use grant_type=client_credentials instead?

I got a few steps forward by adding the Authorization header (basic), but if I'm trying HTTP POST to /oauth/idp/token with the following:

Quote

 

Headers

• Content-Type = application/x-www-form-urlencoded
• Authorization = Basic {base64-encoded creds}

Body

• grant_type = client_credentials
• client_id = something
• client_secret = something

 

I encoded the Basic auth header using UTF-8 (tried Unicode too didn't change anything). Getting a http 400 bad request response.
... I'm getting the following error in the ns.log:
OAUTHIDP: Client credentials ERROR: clientid or secreit or resource is absent

I'm looking in to replacing F5 Big-IP with NetScaler. With Big-IP they only needed to POST the following to get a Bearer token:

Quote

Headers

• Content-Type = application/x-www-form-urlencoded

Body

• grant_type = password
• username = userPricipalName
• password = {password}
• client_id = something

I'm testing this with Postman. Any tips are appreciated!

[Kari Ruissalo]

Added "resource=something" in to the request body and now I'm getting an access token. Unfortunately I would need to be able to support grant_type=password and extract user info in to the token also. 🤔

[Morten Kallesøe]

can you paste your ns.conf thats relevant to your setup?

[Kari Ruissalo]

Got this working. NetScaler OAuth IdP requires to have the "resource" attribute in the request body. Everything else was there already.

If anyone else is trying to find what grant types are supported on NetScaler OIDC, here goes:

authorization_code
password
refresh_token
client_credentials