Forum Discussion

Daniel_W__13795
Jan 04, 2019

APM: OAUTH2 JWT Token with groups claim

Hello and happy new year 😉

We use APM as OAuth Authorization Server to create JWT tokens for apps. One of our customers wants to use the MicroProfile JWT (MP-JWT) for his application, which needs some specific claims: https://github.com/eclipse/microprofile-jwt-auth/blob/master/spec/src/main/asciidoc/interoperability.asciidoc

One requirement is to encode the groups claim in JSON array:

 "groups": ["red-group", "green-group", "admin-group", "admin"]

We now try to set the claim with groups from the Active Directory. With an iRule, I filtered the AD groups (from memberOf) and set a new APM variable (session.custom.groups) with this value:

["red-group", "green-group", "admin-group", "admin"]

When I now add a claim groups with %{session.custom.groups} as value, I see that string in my JWT token:

"groups": "[\"red-group\", \"green-group\", \"admin-group\", \"admin\"]"

So the value is escaped and is in quotation marks.

Is there any chance to send claims as JSON array?

Any help would be appreciated.
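An added check, written here and not taken from the thread or from F5, for the consuming side of the problem above: it reads the `groups` claim out of a JWT payload and accepts only a real JSON array, rejecting the escaped string form the question shows. The tokens are constructed samples with a placeholder signature segment; signature verification against the issuer's key is assumed to have happened before any claim is read.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Constructed sample token (header.payload.signature) for the demo.
    The signature segment is a placeholder: in practice the signature is
    verified against the issuer's key before any claim is trusted."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


def groups_claim(token: str) -> list:
    """Return the 'groups' claim as a list of strings, or raise ValueError.

    A JSON string that merely looks like an array (the escaped value the
    question shows) is rejected, not re-parsed: MP-JWT requires a real
    array, and quietly parsing strings would let a stringified claim
    pass a check it should fail."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    groups = payload.get("groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(
            f"'groups' must be a JSON array of strings, got {type(groups).__name__}: {groups!r}")
    return groups


def classify(token: str) -> tuple:
    """Label a token as ('array', groups) or ('rejected', reason)."""
    try:
        return ("array", groups_claim(token))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed samples mirroring the two outcomes in the question.
GROUPS = ["red-group", "green-group", "admin-group", "admin"]
STRINGIFIED = make_sample_jwt({"sub": "alice", "groups": json.dumps(GROUPS)})  # the escaped form
ARRAY = make_sample_jwt({"sub": "alice", "groups": GROUPS})                    # what MP-JWT expects

if __name__ == "__main__":
    for name, tok in (("stringified", STRINGIFIED), ("array", ARRAY)):
        print(name, classify(tok))
```

Running it prints `rejected` for the stringified token and the four group names for the array token; a consumer that behaves this way is what makes the array encoding mandatory on the APM side.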

  • Bump! Same question on my side, this is actually a mandatory feature.

    Any possibility to do JSON arrays / lists in a claim?

    Thanks!

    • Daniel_W_

      Okay, I have now opened a support ticket and will let you know about the result.

      • Peter_Jacob_Sl1

        Hi Daniel,

        I have a similar problem.

        Did you get information as a result of your ticket that you can share?

        Regards,

        Peter

    • Eric_Chen_12394
      Historic F5 Account

      I believe this is possible (at least on <= 14.1) if you use an iRule event. Something like:

      ...
      # read the group list stored earlier in the access policy
      set mygroups [ ACCESS::session data get "session.mygroups" ]
      # append it to the JWT payload as a bare JSON array, not as a quoted string
      append payload {,"mygroups":} "\[$mygroups\]"
      ...

      This is adapted from the example at: https://clouddocs.f5.com/api/irules/ACCESS__oauth.html

      In my AP I have a variable assign with an expression of:

      return {"group1","group2"}

    • Rene_C__129338

      Hi,

      Yes, this is the easy part; but as we are not using the iRule commands but the APM features directly to generate a JWT, I probably can't modify the resulting JWT inside an iRule event?

      Cheers, Rene

  • Marvin

    Hi Daniel, I am looking for something similar as well: F5 should provide a JWT wherein we have the claims (attributes) values. I am new to this, but I used the guided config and set up F5 as the authorization server; with Postman I can successfully retrieve the access token and refresh token. I configured the claims in the application on the F5.

    How do I actually retrieve those values from F5? Do I have to provide the access token to F5 as authorization header to be able to retrieve this information, or should it already be included while receiving the access token? How to verify this with Postman (I am lacking an OAuth test app)? Could you elaborate on this, and what about this RFE, is this fixed now? Thanks a lot

    • Daniel_W_

      Hi Marvin,

      You can retrieve the claims in the JWT access token.

      You need to add token_content_type=jwt to the request and enable JWT in the OAuth profile and Client ID.

      Example:

      https://sso.test.com/f5-oauth2/v1/authorize?redirect_uri=https://localhost&response_type=code&client_id=xyz&token_content_type=jwt

      • Marvin

        Hi Daniel, OK thanks, that makes sense, so you just use the GET method, not POST? I just tested and F5 replies to the redirect URL with the access token appended, but I don't see any claims info. Inside the OAuth profile and client application the JWT checkbox is enabled; any thoughts left?

  • Create claim `groups` with the value below and set type `custom`:

    [%{session.user.custom.memberOf}]

    Create an iRule and assign it to the VS with your Access Policy:

    # memberOf String Example: "| CN=RedGroup_Name,OU=_Groups,DC=example,DC=com | CN=GreenGroup_Name,OU=_Groups,DC=example,DC=com | ..."
    when ACCESS_POLICY_AGENT_EVENT {
        if {[ACCESS::policy agent_id] eq "memberOfCustomization"} {
            # Tcl list of quoted group names; joined with "," at the end so the
            # claim value [...] carries no trailing comma and stays valid JSON
            set result {}
            set pattern "Any Group's Filter Pattern"
            # Get All User's Groups from the Session Var (String)
            set memberOf [ACCESS::session data get "session.ldap.last.attr.memberOf"]
            # Get List of "canonicalName" Strings
            set groups [regexp -all -inline "CN=.*?(?=,)" $memberOf]
            foreach elem $groups {
                # Get Groups by Pattern
                if {[string first $pattern $elem] != -1} {
                    # Strip 'CN=' and escape any backslash or double quote so the
                    # name is a valid JSON string, then append it to the 'result' List
                    set name [string map [list \\ \\\\ \" \\\"] [regsub "CN=" $elem ""]]
                    lappend result "\"$name\""
                }
            }
            ACCESS::session data set session.user.custom.memberOf [join $result ","]
        }
    }

    Inside your Access Policy add `iRule Event` block with `memberOfCustomization` EventID before your `OAuth Authorization` block.
    APM ver 16.1.0
    Hope it will be helpful 🙂
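As an added example that is not part of the post above or of F5's APM, the same memberOf-to-array transformation in Python, so the claim text can be checked offline before it is wired into an iRule. It goes one step beyond the iRule: it honours the LDAP `\,` escape inside a CN and lets `json.dumps` do the quoting, and it shows why appending `"name",` by hand yields an invalid array. The memberOf string and the filter pattern are constructed samples.

```python
import json
import re

# Constructed memberOf value in the shape the post describes, plus a DN
# with an LDAP-escaped comma and a group outside the target OU.
MEMBER_OF = (
    "| CN=RedGroup_Name,OU=_Groups,DC=example,DC=com "
    "| CN=GreenGroup_Name,OU=_Groups,DC=example,DC=com "
    "| CN=Print\\, Operators,OU=_Groups,DC=example,DC=com "
    "| CN=Unrelated,OU=Other,DC=example,DC=com"
)


def cn_values(member_of: str) -> list:
    """Return each CN value up to its first unescaped comma.

    The iRule's 'CN=.*?(?=,)' stops at the first comma of any kind; this
    version also honours the LDAP backslash-comma escape so a name like
    'Print, Operators' survives intact."""
    raw = re.findall(r"CN=((?:\\.|[^,\\])*)", member_of)
    return [re.sub(r"\\(.)", r"\1", cn) for cn in raw]


def groups_array(member_of: str, pattern: str) -> str:
    """JSON text for the 'groups' claim: the CNs containing `pattern`.

    json.dumps does the quoting and escaping, so there is no trailing
    comma and names containing a quote or backslash cannot break the claim."""
    return json.dumps([cn for cn in cn_values(member_of) if pattern in cn])


def naive_concat(names: list) -> str:
    """The pitfall of building the array by string-appending '"name",':
    the trailing comma makes the wrapped value invalid JSON."""
    return "[" + "".join(f'"{n}",' for n in names) + "]"


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(groups_array(MEMBER_OF, "_Name"))
    print(naive_concat(["a", "b"]), is_valid_json(naive_concat(["a", "b"])))
```

`groups_array(MEMBER_OF, "_Name")` yields `["RedGroup_Name", "GreenGroup_Name"]`, the text that belongs in the claim; `naive_concat` shows the shape a hand-built string ends up in when the last comma is not trimmed.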