Forum Discussion

Re: how to have F5 APM send a 401 status code back instead of a 200 for the failed OAuth login attempts

Hi

Have you tried ACCESS::respond instead of HTTP::respond?

I do not have the possibility right now to test your use case, but that is something to try.

Yoann


  • sricharan61

    Hi Yoann

    ACCESS::respond worked, but it works for only the first attempt. If the client tries the same wrong credentials in the next attempt, I see the 401 is again replaced with the /vdesk/hangup page. This is the iRule I have now.

     

    when ACCESS_POLICY_COMPLETED {
        # Error text recorded by the OAuth client agent for this session
        set errormessage [ACCESS::session data get "session.oauth.client.last.errMsg"]

        if { $errormessage contains "HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password" } {
            # Replace the default /vdesk/hangup page with a 401 and a Basic challenge
            ACCESS::respond 401 WWW-Authenticate "Basic realm=\"Service\""
            log local0. "401 response if loop triggered"
        } else {
            log local0. "401 response if loop not triggered"
        }
    }

    If we can make that work for all attempts with wrong creds, that should be it.

    Here are the policy logs for the first and the second calls, separated out with a few empty lines.

     

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/headerauthaccprofile_Servicedev_act_oauth_client_ag.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/headerauthaccprofile_Servicedev_act_oauth_client_ag.validated' set to '0'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/testb2b.authresult' set to '0'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/testb2b.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/testb2b.validated' set to '0'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.authresult' set to '0'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.validated' set to '0'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.policy.result' set to 'deny'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.clearcache' set to '0'

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.groupname' set to ''

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.requestdomain' set to ''

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.requesttype' set to ''

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.username' set to ''

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 debug apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'sendAccessPolicyResponse()': 2683: DONE WITH ACCESS POLICY - send 'we are done with access policy for this session' code

    Feb 14 09:58:24 f5-sca-vcmp-bastion-01 debug apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing **


    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.ip.address, value: 10.2.142.225

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.port, value: 59545

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.ip.address, value: 10.118.13.48

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.port, value: 443

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.ssl.bypass_default, value: 0

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.ip.address, value: 10.2.142.225

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.port, value: 59546

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.ip.address, value: 10.118.13.48

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.port, value: 443

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.ssl.bypass_default, value: 0

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490567:5: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session deleted (policy_result).

    Feb 14 09:58:34 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490567:5: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session deleted (policy_result).

    Feb 14 09:58:50 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490521:5: /Common/headerauthaccprofile_Servicedev:Common:44938aba: Session statistics - bytes in: 0, bytes out: 0

    Feb 14 09:58:50 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490521:5: /Common/headerauthaccprofile_Servicedev:Common:44938aba: Session statistics - bytes in: 0, bytes out: 0

    The second attempt is not generating that trigger event, which is the error message I am looking for in the iRule. We may need to find another matching condition to get this to work for all attempts with wrong creds.
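As an added example (not code from the thread or from F5), here is a small Python parser for the apmd "Session variable ... set to ..." lines quoted above. It groups the events by APM session ID and flags sessions whose OAuth client agent failed with invalid_grant / AADSTS50126 and whose policy result was deny, which is the same condition the iRule keys on, but taken from the log so repeated bad-credential attempts can be alerted on regardless of what the client is shown. The regex and function names are mine; the three sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Matches the apmd "Session variable '<name>' set to '<value>'" lines quoted in the post.
APMD_SETVAR = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \w+ apmd\[\d+\]: 01490007:\d+: "
    r"(?P<profile>[^\s:]+):(?P<partition>[^:]+):(?P<sid>[0-9a-f]+): "
    r"Session variable '(?P<name>[^']+)' set to '(?P<value>.*)'$"
)
# Session variables that together describe the outcome of the OAuth client agent.
OAUTH_ERRMSG = "session.oauth.client.last.errMsg"
OAUTH_AUTHRESULT = "session.oauth.client.last.authresult"
POLICY_RESULT = "session.policy.result"

def parse_setvar(line):
    """Return the fields of one apmd set-variable line, or None for any other line."""
    m = APMD_SETVAR.match(line.strip())
    return m.groupdict() if m else None

def summarize_sessions(lines):
    """Group set-variable events by APM session id and classify each session."""
    per_session = defaultdict(dict)
    for line in lines:
        ev = parse_setvar(line)
        if ev is not None:
            per_session[ev["sid"]][ev["name"]] = ev["value"]
    summary = {}
    for sid, vars_ in per_session.items():
        err = vars_.get(OAUTH_ERRMSG, "")
        aad = re.search(r"\b(AADSTS\d+)\b", err)
        summary[sid] = {
            "denied": vars_.get(POLICY_RESULT) == "deny",
            "oauth_failed": vars_.get(OAUTH_AUTHRESULT) == "0",
            "aadsts": aad.group(1) if aad else None,
            # invalid_grant with AADSTS50126 is Azure AD's "bad username or password"
            "bad_credentials": "invalid_grant" in err and "AADSTS50126" in err,
        }
    return summary

# Sample input: three lines copied from the apmd log in the post above.
SAMPLE_LOG = [
    "Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.authresult' set to '0'",
    "Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'",
    "Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.policy.result' set to 'deny'",
]

if __name__ == "__main__":
    for sid, info in summarize_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

Note that the tmm "Session deleted (policy_result)" lines from the second attempt carry no errMsg, so a log-based rule has to count denied sessions rather than wait for the OAuth error text that the iRule matches on.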