Name for the OAuth Authentication action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the profile is created. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my authentication action" or 'my authentication action').
This is mandatory parameter.

Type of the OAuth implementation. Default value is generic implementation that is applicable for most deployments.
Default value = OAUTH_TYPE_GENERIC.

Authorization endpoint/url to which unauthenticated user will be redirected. Citrix ADC redirects user to this endpoint by adding query parameters including clientid. If this parameter not specified then as default value we take Token Endpoint/URL value. Please note that Authorization Endpoint or Token Endpoint is mandatory for oauthAction

URL to which OAuth token will be posted to verify its authenticity. User obtains this token from Authorization server upon successful authentication. Citrix ADC will validate presented token by posting it to the URL configured

URL to which obtained idtoken will be posted to get a decrypted user identity. Encrypted idtoken will be obtained by posting OAuth token to token endpoint. In order to decrypt idtoken, Citrix ADC posts request to the URL configured

Unique identity of the client/user who is getting authenticated. Authorization server infers client configuration using this ID

Secret string established by user and authorization server

This is the default group that is chosen when the authentication succeeds in addition to extracted groups.

Option to set/unset miscellaneous feature flags. Available values function as follows: * Base64Encode_Authorization_With_Padding - On setting this value, for endpoints (token and introspect), basic authorization header will be base64 encoded with padding. * EnableJWTRequest - By enabling this field, Authorisation request to IDP will have jwt signed 'request' parameter

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute1

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute2

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute3

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute4

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute5

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute6

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute7

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute8

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute9

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute10

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute11

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute12

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute13

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute14

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute15

Name of the attribute to be extracted from OAuth Token and to be stored in the attribute16

List of attribute names separated by ',' which needs to be extracted. Note that preceding and trailing spaces will be removed. Attribute name can be 127 bytes and total length of this string should not cross 1023 bytes. These attributes have multi-value support separated by ',' and stored as key-value pair in AAA session

TenantID of the application. This is usually specific to providers such as Microsoft and usually refers to the deployment identifier.

URL of the Graph API service to learn Enterprise Mobility Services (EMS) endpoints.

Interval at which services are monitored for necessary configuration.
Default value = 1440.

URL of the endpoint that contains JWKs (Json Web Key) for JWT (Json Web Token) verification.

Audience for which token sent by Authorization server is applicable. This is typically entity name or url that represents the recipient

Attribute in the token from which username should be extracted.

This option specifies the allowed clock skew in number of minutes that Citrix ADC allows on an incoming token. For example, if skewTime is 10, then token would be valid from (current time - 10) min to (current time + 10) min, ie 20min in all.
Default value = 5.

Identity of the server whose tokens are to be accepted.

URL to which OAuth access token will be posted to obtain user information.

Path to the file that contains JWKs (Json Web Key) for JWT (Json Web Token) verification.

Grant type support. value can be code or password
Default value = GRANT_TYPE_CODE.

If authentication is disabled, password is not sent in the request.
Default value = ENABLED.

URL to which access token would be posted for validation

Multivalued option to specify allowed token verification algorithms.
Default value = OAUTH_ALG_ALL.

Option to enable/disable PKCE flow during authentication.
Default value = ENABLED.

Option to select the variant of token authentication method. This method is used while exchanging code with IdP.
Default value = OAUTH_CLIENT_SECRET_POST.

Well-known configuration endpoint of the Authorization Server. Citrix ADC fetches server details from this endpoint.

Resource URL for Oauth configuration.

Name-Value pairs of attributes to be inserted in request parameter. Configuration format is name=value_expr@@@name2=value2_expr@@@. '@@@' is used as delimiter between Name-Value pairs. name is a literal string whose value is 127 characters and does not contain '=' character. Value is advanced policy expression terminated by @@@ delimiter. Last value need not contain the delimiter.

The expression that will be evaluated to obtain IntuneDeviceId for compliance check against IntuneNAC device compliance endpoint. The expression is applicable when the OAuthType is INTUNE. The maximum length allowed to be used as IntuneDeviceId for the device compliance check from the computed response after the expression evaluation is 41. Examples: add authentication oauthAction -intuneDeviceIdExpression 'AAA.LOGIN.INTUNEURI.AFTER_STR("IntuneDeviceId://")'