BigIP APM Oauth - set to 'Failed to perform curl: Failure when receiving data from the peer'

MVP

Dec 15, 2023

Hi Southern_Nordic,

Should you try some test policy like follows:

OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/DC-TEST/Azure_Oauth_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXXX), error: Failed to perform curl: Failure when receiving data from the peer

try wget . if that fails too but you can access the address from another IP/device , this probably means your IP is being blocked or filtered out by either firewall/nginx anti ddos attack . try proxy .

The token_rejected error in OAuth means that the oauth_token is unacceptable to the Service Provider. The reason for this error is unspecified, but it might mean that the token was never issued, consumed, or expired and then subsequently forgotten by the Service Provider. To solve this error, make sure you have the correct credentials for your OAuth app. Double check the client_id and client_secret to make sure they are correct and being passed correctly to the Service Provider

It's important to emphasize that the problem is rooted in the client's configuration.

Authorization server does its job flawlessly issuing codes and tokens (specifically for the client shown above, server behavior was verified using browser to obtain authorization code and Postman to exchange the code for an access token).

For some reason, the client application is not capable to complete the authorization flow. It receives an authorization code from the authorization server but fails to exchange it.

User credentials provided to the server, and it responds with the authorization code, after receiving the code authorization attempt fails and client application perform the second redirect to the authorization server.

Authorization Code Flow
In Authorization code grant type, User is challenged to prove their identity providing user credentials. Upon successful authorization, the token endpoint is used to obtain an access token. The obtained token is sent to the resource server and gets validated before sending the secured data to the client application.

https://azure.github.io/apim-lab/apim-lab/7-security/security-7-2-3-oauth2-authorization-grant-flow.html

https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/38.html

https://aaronparecki.com/oauth-2-simplified/#others

Both client_id and client_secret are not used in the password flow. However, as you are probably aware, OAuth2 has other flows, suited for other scenarios.

Namely:

the authorization code flow used in web apps that authenticate users server side. The client_id is used in the initial redirect, the client_secret is used in the last step where the app exchanges the one time code for a token.

the client credentials flow used to authenticate applications rather than individual users.

Hope this helps

🙏

Forum Discussion

BigIP APM Oauth - set to 'Failed to perform curl: Failure when receiving data from the peer'

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Global Log Receiver

Configure Generic Webhook Alert Receiver using F5 Distributed Cloud Platform

Proxy Protocol Receiver

Understanding Performance Metrics and Network Traffic

Performance Logging iRule (Rule_http_log)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS