Forum Discussion
APM/OAuth2 : auto apply changes made by discovery
- Nov 20, 2024
Hi Lucas,
Small update on the case. Engineering has been able to solve the issue with an engineering hotfix for 17.1.1.4:
ID1293805-1: Access policies not in Partition Common are not applied in auto discovery process
Since then the issue has been fixed!
Thanks again for your help at the beginning of this case!
Regards,
Olivier
Hi Lucas,
Thanks for this very helpful answer.
So for example this morning at 06:55 the discovery process updated the configuration. (I also run a diff of the config on my F5 every 15 minutes, and any changes are reported by mail and in a git repository.)
In the logs I found:
[I][2402045][23 Aug 2024 06:55:15 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker] Downloading OpenID metadata for provider /HES-SO/HES_AGF_AzAD_Provider task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8 using OpenID URI https://login.microsoftonline.com/a372f724-c0b2-4ea0-abfb-0eb8c6f84e40/v2.0/.well-known/openid-configuration and Trusted CA Bundle /Common/ca-bundle.crt
[I][2402048][23 Aug 2024 06:55:17 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker] Updating mcp jwt and jwk objects for provider /HES-SO/HES_AGF_AzAD_Provider task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8
[I][2402049][23 Aug 2024 06:55:17 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker] Task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8 for provider /HES-SO/HES_AGF_AzAD_Provider has completed one round, we will schedule the next discover after 1440 minutes
We can see that the jwt configuration has been updated.
Here's the config diff:
diff --git a/f5-moz b/f5-moz
index 243ed0c9..a426214b 100644
--- a/f5-moz
+++ b/f5-moz
@@ -43168,7 +43168,7 @@
# auto-jwt-config-name /HES-SO/auto_jwt_HES_AGF_AzAD_Provider
# discovery-interval 1440
# introspect unsupported
-# last-discovery-time 2024-08-18:08:54:54
+# last-discovery-time 2024-08-23:08:55:16
# openid-cfg-uri https://login.microsoftonline.com/a372f724-c0b2-4ea0-abfb-0eb8c6f84e40/v2.0/.well-known/openid-configuration
# token-uri https://login.microsoftonline.com/a372f724-c0b2-4ea0-abfb-0eb8c6f84e40/oauth2/v2.0/token
# trusted-ca-bundle /Common/ca-bundle.crt
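Review bot: the stamp in `+# last-discovery-time 2024-08-23:08:55:16` is two hours ahead of the log line that performed the update (`23 Aug 2024 06:55:17 UTC`), so this field is not written in UTC; keep that offset in mind when correlating the config diff with the log lines. Since the value moves on every 1440-minute round, it is also a good candidate to exclude from the 15-minute diff alert so that genuine changes are not buried in expected churn.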
@@ -43178,7 +43178,7 @@
# apm aaa oauth-server /HES-SO/HES_AGF_OAuth_Srv {
# client-id <<redacted>>
# client-jwe-key /HES-SO/auto_jwk_HES_AGF_AzAD_Provider1
-# client-secret <<redacted>>
+# client-secret <<redacted>>
# client-serverssl-profile-name /Common/serverssl-insecure-compatible
# dns-resolver-name /Common/IB-Resolver
# provider-name /HES-SO/HES_AGF_AzAD_Provider
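Review bot: `-# client-secret <<redacted>>` / `+# client-secret <<redacted>>` shows the line as changed, but redaction hides whether the value actually moved; if the diff job redacts before comparing, a real secret change would never be visible, and if it redacts afterwards, this line is pure noise. Comparing a hash of the secret instead of the redacted literal would make a change detectable without exposing it. Separately, the OAuth server connection uses `/Common/serverssl-insecure-compatible`, the permissive built-in profile; confirm that this is intended for the connection that submits the client secret to the token endpoint rather than a profile that verifies the identity provider's certificate.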
@@ -43223,12 +43223,23 @@
# modulus <<redacted>>
# public-exponent AQAB
# }
+# apm oauth jwk-config /HES-SO/auto_jwk_HES_AGF_AzAD_Provider5 {
+# auto-generated true
+# cert /HES-SO/auto_jwk_HES_AGF_AzAD_Provider5_cert.crt
+# cert-thumbprint-sha1 J0OuLdKE1SgPdo4vd-sUXxu2dRs
+# cert-thumbprint-sha256 Skjhb2v0Y0ARn5RV36Shx6jssXsOEPE2ShAp5wvXzwE
+# include-x5c yes
+# key-id J0OuLdKE1SgPdo4vd-sUXxu2dRs
+# modulus <<redacted>>
+# public-exponent AQAB
+# }
# apm oauth jwt-config /HES-SO/auto_jwt_HES_AGF_AzAD_Provider {
# allowed-keys {
# /HES-SO/auto_jwk_HES_AGF_AzAD_Provider1 { }
# /HES-SO/auto_jwk_HES_AGF_AzAD_Provider2 { }
# /HES-SO/auto_jwk_HES_AGF_AzAD_Provider3 { }
# /HES-SO/auto_jwk_HES_AGF_AzAD_Provider4 { }
+# /HES-SO/auto_jwk_HES_AGF_AzAD_Provider5 { }
# }
# allowed-signing-algorithms { RS256 }
# auto-generated true
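Review bot: the new `/HES-SO/auto_jwk_HES_AGF_AzAD_Provider5` object is appended to `allowed-keys` while Provider1 through Provider4 stay listed, so each key rotation at the identity provider grows the set of keys APM will accept and nothing in this hunk retires an old one; a token signed with a key the provider has already withdrawn would still validate against a stale entry. Worth checking whether discovery ever prunes this list and, if not, reviewing it against the provider's current JWKS periodically. Note also that `key-id` is the same value as `cert-thumbprint-sha1`, which makes the `kid` of an incoming token easy to match to the entry here when investigating.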
@@ -60925,20 +60936,24 @@
# }
# }
# sys file ssl-cert /HES-SO/auto_jwk_HES_AGF_AzAD_Provider1_cert.crt {
-# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider1_cert.crt_125280_28
-# revision 28
+# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider1_cert.crt_125280_29
+# revision 29
# }
# sys file ssl-cert /HES-SO/auto_jwk_HES_AGF_AzAD_Provider2_cert.crt {
-# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider2_cert.crt_125284_28
-# revision 28
+# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider2_cert.crt_125284_29
+# revision 29
# }
# sys file ssl-cert /HES-SO/auto_jwk_HES_AGF_AzAD_Provider3_cert.crt {
-# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider3_cert.crt_125288_28
-# revision 28
+# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider3_cert.crt_125288_29
+# revision 29
# }
# sys file ssl-cert /HES-SO/auto_jwk_HES_AGF_AzAD_Provider4_cert.crt {
-# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider4_cert.crt_227975_21
-# revision 21
+# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider4_cert.crt_227975_22
+# revision 22
+# }
+# sys file ssl-cert /HES-SO/auto_jwk_HES_AGF_AzAD_Provider5_cert.crt {
+# cache-path /config/filestore/files_d/HES-SO_d/certificate_d/:HES-SO:auto_jwk_HES_AGF_AzAD_Provider5_cert.crt_241958_1
+# revision 1
# }
# #TMSH-VERSION: 17.1.1.1
#
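Review bot: the four pre-existing `auto_jwk_*_cert.crt` files receive a new `revision` and `cache-path` suffix (28 to 29, 21 to 22) although nothing in the hunk indicates their content changed, while the Provider5 certificate starts at `revision 1`; discovery evidently rewrites every certificate file each round. For the 15-minute diff job, ignoring `cache-path`/`revision` pairs under `auto_jwk_*` objects would leave the genuinely new Provider5 file as the only signal in this region. The trailing context `#TMSH-VERSION: 17.1.1.1` records the software version the snapshot was taken on, which is useful to keep when comparing this behaviour across upgrades.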
And on the GUI it says I have to apply the policy:
So I believe, based on your first sentence, that there's a problem :)
Where should I look for it? Any hints or advice?
Thanks!
Regards,
Olivier B.
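An added example, not code from this thread or from F5, that turns the two artefacts in the post above (the discovery log lines and the config diff) into one report: when discovery ran, which provider it touched, which jwk-config objects were added to the jwt-config's allowed-keys, how far the config's last-discovery-time stamp sits from the UTC log timestamp, and whether the access policy will need reapplying. The sample inputs are constructed from the values quoted in the post (the diff is abridged to the relevant lines); the function and field names are this example's own assumptions, not anything F5 provides.

```python
import re
from datetime import datetime

# Constructed sample: the three discovery log lines quoted in the post.
LOG_LINES = [
    "[I][2402045][23 Aug 2024 06:55:15 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker] Downloading OpenID metadata for provider /HES-SO/HES_AGF_AzAD_Provider task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8 using OpenID URI https://login.microsoftonline.com/a372f724-c0b2-4ea0-abfb-0eb8c6f84e40/v2.0/.well-known/openid-configuration and Trusted CA Bundle /Common/ca-bundle.crt",
    "[I][2402048][23 Aug 2024 06:55:17 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker] Updating mcp jwt and jwk objects for provider /HES-SO/HES_AGF_AzAD_Provider task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8",
    "[I][2402049][23 Aug 2024 06:55:17 UTC][8100/tm/access/oidc/discover OIDCDiscoverTaskCollectionWorker] Task ID 3394e5d4-9c7d-4685-808d-738c16e11dc8 for provider /HES-SO/HES_AGF_AzAD_Provider has completed one round, we will schedule the next discover after 1440 minutes",
]

# Constructed sample: the config diff from the post, abridged to the lines that matter.
DIFF_TEXT = """\
@@ -43168,7 +43168,7 @@
 # discovery-interval 1440
-# last-discovery-time 2024-08-18:08:54:54
+# last-discovery-time 2024-08-23:08:55:16
@@ -43223,12 +43223,23 @@
+# apm oauth jwk-config /HES-SO/auto_jwk_HES_AGF_AzAD_Provider5 {
+# auto-generated true
+# key-id J0OuLdKE1SgPdo4vd-sUXxu2dRs
+# }
 # apm oauth jwt-config /HES-SO/auto_jwt_HES_AGF_AzAD_Provider {
 # allowed-keys {
 # /HES-SO/auto_jwk_HES_AGF_AzAD_Provider1 { }
 # /HES-SO/auto_jwk_HES_AGF_AzAD_Provider2 { }
 # /HES-SO/auto_jwk_HES_AGF_AzAD_Provider3 { }
 # /HES-SO/auto_jwk_HES_AGF_AzAD_Provider4 { }
+# /HES-SO/auto_jwk_HES_AGF_AzAD_Provider5 { }
 # }
"""

LOG_RE = re.compile(
    r"^\[I\]\[\d+\]\[(?P<ts>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) UTC\]"
    r"\[[^\]]*OIDCDiscoverTaskCollectionWorker\] (?P<msg>.*)$")
OBJ_RE = re.compile(r"^#\s*apm oauth (jwk-config|jwt-config) (\S+) \{$")
KEY_RE = re.compile(r"^#\s*(/\S+) \{ \}$")
LDT_RE = re.compile(r"^#\s*last-discovery-time (\S+)$")


def parse_discovery_log(lines):
    """Provider, UTC time its jwt/jwk objects were rewritten, and next interval."""
    info = {"provider": None, "updated_at_utc": None, "next_minutes": None}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        p = re.search(r"provider (\S+)", msg)
        if p:
            info["provider"] = p.group(1)
        if msg.startswith("Updating mcp jwt and jwk objects"):
            info["updated_at_utc"] = datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S")
        n = re.search(r"next discover after (\d+) minutes", msg)
        if n:
            info["next_minutes"] = int(n.group(1))
    return info


def parse_config_diff(text):
    """Walk the new side of a unified diff of the commented tmsh config.
    Context lines may carry a leading space or have it stripped, as in the post."""
    out = {"last_discovery_time": None, "new_jwk_configs": [],
           "allowed_keys": {}, "added_allowed_keys": {}}
    current = None  # (kind, name) of the apm oauth object whose block we are in
    for raw in text.splitlines():
        if not raw or raw.startswith(("+++", "---", "@@")):
            continue
        sign, body = (raw[0], raw[1:]) if raw[0] in "+-" else (" ", raw)
        if sign == "-":
            continue  # removed lines describe the old config; the report is about the new one
        body = body.strip()
        m = OBJ_RE.match(body)
        if m:
            current = (m.group(1), m.group(2))
            if sign == "+" and current[0] == "jwk-config":
                out["new_jwk_configs"].append(current[1])
            continue
        ldt = LDT_RE.match(body)
        if ldt and sign == "+":
            out["last_discovery_time"] = ldt.group(1)
            continue
        k = KEY_RE.match(body)
        if k and current and current[0] == "jwt-config":
            out["allowed_keys"].setdefault(current[1], []).append(k.group(1))
            if sign == "+":
                out["added_allowed_keys"].setdefault(current[1], []).append(k.group(1))
    return out


def build_report(log_lines, diff_text):
    """Correlate both sources; a key added to allowed-keys means the policy must be reapplied."""
    log, cfg = parse_discovery_log(log_lines), parse_config_diff(diff_text)
    offset_h = None
    if log["updated_at_utc"] and cfg["last_discovery_time"]:
        stamp = datetime.strptime(cfg["last_discovery_time"], "%Y-%m-%d:%H:%M:%S")
        offset_h = round((stamp - log["updated_at_utc"]).total_seconds() / 3600, 1)
    return {
        "provider": log["provider"],
        "discovered_at_utc": log["updated_at_utc"].isoformat() if log["updated_at_utc"] else None,
        "config_stamp_offset_hours": offset_h,
        "next_round_minutes": log["next_minutes"],
        "new_jwk_configs": cfg["new_jwk_configs"],
        "allowed_keys_after": cfg["allowed_keys"],
        "policy_reapply_needed": bool(cfg["added_allowed_keys"]),
    }


if __name__ == "__main__":
    for k, v in build_report(LOG_LINES, DIFF_TEXT).items():
        print(f"{k}: {v}")
```

Run on the post's data the report names the provider, a 1440-minute next round, `auto_jwk_HES_AGF_AzAD_Provider5` as the only new key, five keys now allowed, and a 2.0-hour gap between the config's `last-discovery-time` and the UTC log line, which is the detail to remember when lining up the diff job's output with the logs. Pointing the two parsers at the full config diff and the full log rather than the abridged samples is the intended use; the `allowed_keys_after` list growing on every rotation without ever shrinking is the thing to watch.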