Forum Discussion

Erich_R_'s avatar
Icon for Nimbostratus rankNimbostratus
Jan 17, 2023

APM Oauth AS Opaque Token Introspection

Good afternoon. I have a token introspection response that looks like this. I would like the username to not be prepended with the APM access profile name (/Common/oauth.). any ideas on how I can achieve this? I would like it to just be bobsmith. Thanks in advance.

or better yet. add my own parameters to the introspection response.








7 Replies

  • This is not real easy, but it is possible. There are two issues to contend with:

    1- The built-in OAuth response cannot be modified directly inside of the configuration because the introspect response is hard-coded.

    2- iRules cannot be applied directly to an APM virtual to modify its own self-response (such as logon pages, SAML, OAuth, etc). You can work around this by removing the clientSSL profile from the APM virtual and use an intremediate virtual server. You can think of it a little like "self SSL offload", but instead of using a pool, you use the iRule "virtual" command to switch the switch the flow to the APM VS. Then you can modify the response payload. This is the same issue faced in this old SAML DevCentral question:

    So basically, you:

    1. Remove the clientSSL profile from your APM OAuth AS virtual and change its IP address to another value.
    2. Create another virtual with the old IP of the APM Oauth AS using the clientSSL profile.
    3. Customize (the regex in the HTTP_RESPONSE_DATA event and the name of the OAuth virtual), then apply the below iRule. You could change the code here to do whatever you want, though you won't have any access to the APM data (ACCESS::session and friends) from the intermediate virtual because it has no access profile, by design.
    4. Watch the APM and LTM logs while testing to correct any errors: tail -f /var/log/ltm /var/log/apm


    when RULE_INIT {
    # Set below value to be the name of your OAuth AS virtual server
    # After testing, remove or comment out all the log statements below to avoid clutter
    set static::virtual_OAuth_server "/Common/"

    when HTTP_REQUEST {
    log local0. "[HTTP::host] [HTTP::method] [HTTP::uri]"

    set uri [HTTP::uri]
    set method [HTTP::method]

    if {$method equals "POST" and $uri equals "/f5-oauth2/v1/introspect"} {
    set is_introspect 1
    } else {
    log local0. "Not an introspect request"
    virtual $static::virtual_OAuth_server

    when HTTP_RESPONSE {
    log local0. "response"
    if { [info exists "is_introspect"] } {
    if { [HTTP::header value Content-Length] <= 1048576 } {
    set content_length [HTTP::header value Content-Length]
    } else {
    set content_length 1048576
    if { $content_length > 0 } {
    HTTP::collect $content_length
    log local0. "response content collected: $content_length"
    } else {
    log local0. "cannot collect the content, length: $content_length"

    log local0. "response data"
    if { [info exists "is_introspect"] } {

    # Put a regex below that represents the replacement you want to apply to APM's introspection response
    # Any normal TCL string manipulation can be applied here
    regsub "Common" [HTTP::payload] "Common-Replaced" fixeddata
    log "Replacing payload with fixed data."
    HTTP::payload replace 0 $content_length $fixeddata


    • Erich_R_'s avatar
      Icon for Nimbostratus rankNimbostratus

      Thank you for the detailed response. I appreciate it. I may have to resort to this if the RS cannot parse it out. I also included the username as a scope name with the %{session.logon.last.username} as the value. Maybe they can pull that out to match the user. Thanks again.

      • Lucas_Thompson's avatar
        Icon for Employee rankEmployee

        No problem, glad to help. It's a complicated issue. APM is designed to support multi-tenancy so there are a lot of areas where there are seemingly unnecessary things (like "/Common") prepended to object names. 

  • Hi Erich_R_  - I've asked one of my colleagues to stop by this thread since you haven't gotten an answer from the community yet. 

    • Erich_R_'s avatar
      Icon for Nimbostratus rankNimbostratus

      manual. Not sure why f5 has to be different from others and prepend the access policy name. I may have to ask the RS to strip it off. I know that it is not an identity token, but the RS needs to perform a user match on their side to determine which client submitted the request. Thanks.

  • Depending on what you trying to achieve, it could be easier to simple strip /Common/oauth. from the username with a VPE variable assign.