Forum Discussion
APM & Azure AD Oauth : using JWT values
Hello,
I've successfully set up Azure AD OAuth with APM using this guide: https://my.f5.com/manage/s/article/K53313351
After logging in, I see (with the OAuth trace plugin for Chrome) that Azure AD returns a JWT containing my username, firstname, lastname, preferred_username, etc.
I'd like to use that information to identify the session in APM (currently the session doesn't display any username), and also send some of those values back to the app.
What are the required steps to map the preferred_username in the JWT to the session username in APM?
Thanks for your help!
Ok found the solution.
In the access policy, I forgot to add "user.read profile" in the scope for the OAuth block.
Now I can see all JWT values in the session variables.
The JWT claims are accessible through APM session variables, e.g. session.oauth.client.last.id_token.unique_name. Simply look at the session variables and use this directly or assign it through a variable assign agent to another variable.
Thanks Juergen for your reply.
I never saw any values of the JWT in the session variables. Which is kinda weird.
So when digging further, I can see that in fact, no JWT is returned during a normal authentication.
Which steps need to be done on APM to request a JWT?
The flow is the following (output from OAuthFlows on Chrome; data has been obfuscated for privacy):
Request 1 {
Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
date: "2023-04-20T06:28:34.747Z",
originator: "https://app.myhost.com/",
redirectURL: {
baseURL: "/my.policy..."
},
postData: "No POST"
}
Request 2 {
Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
date: "2023-04-20T06:28:34.787Z",
originator: "https://app.myhost.com/my.policy",
redirectURL: {
baseURL: "https://login.microsoftonline.com:443/<<tenant_id>>/oauth2/v2.0/a...",
client_id: "<<client_id>>",
redirect_uri: "https://app.myhost.com/oauth/client/redirect",
response_type: "code",
scope: "openid offline_access",
state: "scrambled",
nonce: "scrambled"
},
postData: "No POST"
}
Request 3 {
Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
date: "2023-04-20T06:28:34.810Z",
originator: "https://login.microsoftonline.com/<<tenant_id>>/oauth2/v2.0/authorize?client_id=<<client_id>>&redirect_uri=https%3A%2F%2Fapp.myhost.com%2Foauth%2Fclient%2Fredirect&response_type=code&scope=openid%20offline_access&state=scrambled&nonce=scrambled",
redirectURL: {
baseURL: "https://app.myhost.com/oauth/client/redirect?code=0.AQUAJPdyo7LAoE6r-w64xvhOQMUZCEwqUG...",
code: "0.AQUAJPdyoscrambleda_Y2JLGEMOP7_jvauChDoYvhuV0SNaiH4cL0y9BdPmKosg2fIHNO6LDH6aeSVi0o3-shNW7IXwftrCEnu8n39u38ejKGtASR82iwB9VUpzQZRxMnaXRYosKIxn9DH_g1j_kN11SnP6CTYFPEbqVB0TCFqLrCUdoMbu1fZwzPhXFLjI8FlfBrw51GKA_MD4raTG96bHsg4OZ1v0PzHTIH_IgZiUOiqLgWJN_YTamV5PNLCrnYL7hKgQ",
state: "5bPJXhN6AfzkpnznAa0accg",
session_state: "11cdd02d-b7aa-4c0c-a851-e88feaa4f419"
},
postData: "No POST"
}
Request 4 {
Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
date: "2023-04-20T06:28:34.971Z",
originator: "https://app.myhost.com/oauth/client/redirect?code=0.AQUAJPdyo7LAoE6r-w64xvhOQMUZCEwqUGlNo3FLpQ_p9xUFACI.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wUA9P88PlRR4vySF8NkEu5Hw3Vom43JLKD9SeEQIEsseacj5ONBwAhuwZHvV485aKW2NL5XHzFhY_-Oscrambled1-e88feaa4f419",
redirectURL: {
baseURL: "/..."
},
postData: "No POST"
}
If more information is required on the F5/APM or Azure AD configuration, feel free to ask.
Thanks in advance for your help.
- southern_nordicAltocumulus
Where exactly did you add this "user.read profile"? I am using the same guide and my troubleshooting shows the token also being rejected or flow being denied.
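As an added example (not from this thread or from F5), a small Python check for the two things diagnosed above: whether the authorize request captured in the trace carries the OIDC scopes that make Azure AD include profile claims in the id_token, and which claims a captured id_token actually holds. The authorize URL is Request 3 from the trace; the id_token it decodes is constructed and unsigned, since signature validation is APM's job, not this script's.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# OIDC scopes that decide which identity claims Azure AD puts in the id_token:
# "openid" is needed to get an id_token at all, "profile" adds name,
# given_name, family_name and preferred_username.
REQUIRED_SCOPES = {"openid", "profile"}

# Request 3 from the trace above: the scope sent was only "openid offline_access".
TRACE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/<<tenant_id>>/oauth2/v2.0/authorize"
    "?client_id=<<client_id>>"
    "&redirect_uri=https%3A%2F%2Fapp.myhost.com%2Foauth%2Fclient%2Fredirect"
    "&response_type=code&scope=openid%20offline_access&state=scrambled&nonce=scrambled"
)

def missing_scopes(authorize_url: str) -> set:
    """Return the required OIDC scopes absent from the authorize request."""
    query = parse_qs(urlsplit(authorize_url).query)
    requested = set(" ".join(query.get("scope", [])).split())
    return REQUIRED_SCOPES - requested

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload to see which claims arrived.

    Inspection only: the signature is NOT checked here; APM validates the
    token as part of the OAuth client flow before exposing session variables.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))

def make_sample_id_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

if __name__ == "__main__":
    print("scopes missing from the trace:", missing_scopes(TRACE_AUTHORIZE_URL))
    sample = make_sample_id_token({"preferred_username": "jdoe@example.com", "name": "J. Doe"})
    print("claims in sample id_token:", id_token_claims(sample))
```

Run against the trace, the check reports that "profile" was never requested, which is why the session variables under session.oauth.client.last.id_token.* stayed empty until the scope was extended.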