Forum Discussion
APM: OAUTH2 JWT Token with groups claim
Bump! Same question on my side, this is actually a mandatory feature.
Any possibility to do json arrays / lists in a claim?
Thanks!
- Daniel_W_, Jan 24, 2019, Cirrus
Okay, I now opened a support ticket and let you know about the result.
- Eric_Chen_12394, Feb 22, 2019, Historic F5 Account
I believe this is possible (at least on <= 14.1) if you use an iRule event. Something like:
...
# read the group list stored by the variable assign and append it as a JSON array claim
set mygroups [ACCESS::session data get "session.mygroups"]
append payload {,"mygroups":} "\[$mygroups\]"
...
This is adapted from the example at: https://devcentral.f5.com/wiki/iRules.ACCESS__oauth.ashx
In my AP I have a variable assign with an expression of:
return {"group1","group2"}
- Rene_C_, Feb 22, 2019, Nimbostratus
Hi,
Yes, this is the easy part; but as we are not using the iRule commands but the APM features directly to generate a JWT, I probably can't modify the resulting JWT inside an iRule event?
Cheers, Rene
- Eric_Chen, Feb 22, 2019, Employee
In my case I had to remove the SSO Bearer Token config from the Access Policy and replace it with an iRule.
- Rene_C_, Feb 22, 2019, Nimbostratus
But that won't work when F5 is acting as Authorization Server, since it will generate the JWT along with the refresh token through some black-box magic. If there is any way to modify this generated JWT with an iRule, now this would make me quite happy, but I couldn't find any way to do this.
Also, just for reference, take care when using ACCESS::oauth sign, since it will generate the token with Base64URL encoding (without padding), which is different from the actual APM VE config, which will do Base64 encoding WITH padding for some obscure reason.
- Eric_Chen, Feb 22, 2019, Employee
Ah I see. Different use-case, same problem. I was seeing the same issue, but using APM for generating a Bearer token and not as the Authorization server, but the same issue occurs in both.
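As an added example, not code from this thread or from F5, the following Python models the two points raised above: a JSON array carried in a "mygroups" claim, and the Base64URL-without-padding versus Base64-with-padding difference as a strict RFC 7515 consumer sees it. HS256, the shared secret and the "sub" value are assumptions; the thread names no signing algorithm.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: the groups list that the thread's variable assign
# (return {"group1","group2"}) yields, and a hypothetical HS256 shared secret.
SAMPLE_GROUPS = ["group1", "group2"]
SECRET = b"hypothetical-shared-secret"

def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64_padded(raw: bytes) -> str:
    """Standard base64 with padding, as the thread reports the APM config emitting."""
    return base64.b64encode(raw).decode("ascii")

def build_jwt(claims: dict, encode=b64url_nopad) -> str:
    """Serialize and HS256-sign claims (alg assumed; the thread names none).
    A list value becomes a JSON array claim, the feature the thread asks for."""
    header = {"alg": "HS256", "typ": "JWT"}
    seg = lambda obj: encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(claims)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{encode(sig)}"

def strict_decode_claims(token: str) -> dict:
    """Parse as an RFC 7515 consumer would: three segments, base64url alphabet
    only, no '=' padding anywhere. Raises ValueError otherwise."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    for seg in segments:
        if any(c in seg for c in "=+/"):
            raise ValueError("segment is not unpadded base64url")
    payload = segments[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def accepted_by_strict_consumer(token: str) -> bool:
    try:
        strict_decode_claims(token)
        return True
    except ValueError:
        return False

def sample_token(encode=b64url_nopad) -> str:
    """Token with a constructed subject and the array claim, in either encoding."""
    return build_jwt({"sub": "rene_c", "mygroups": SAMPLE_GROUPS}, encode=encode)
```

With the padded encoding, the 47-byte payload and the 32-byte signature both end in "=", which is exactly what a standards-conformant relying party rejects.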