BIGIP OAUTH : Transmit "Application id" to backend server after a successful authentication
Hello @ all 🙂
I took over the management of a bigip (15.1.1) on which APM is configured, in particular to do OAUTH for partner applications.
I'd like to know if it is possible to transmit the used application ID (from "Access ›› Federation : OAuth Authorization Server : Client Application") to the backend server.
Here is what I had understood about how it works (currently functional):
External form, when "Authentication button" is clicked, redirect to a form hosted and managed with APM on our F5.
An Access policy is used and, when the user is authenticated, the browser redirects to the external application using one of the URLs defined for the current Application ("Access ›› Federation : OAuth Authorization Server : Client Application" : Security settings / Redirect URL(s)).
Then, the next requests are authenticated.
I'd like to know if it is possible (and how) to add a piece of information that could be transmitted to the backend server to identify the used application.
Little precision: we can't change the current behavior of the external app; it means that the solution should be on the BigIP.
Thank you for your help
Thanks for the extra detail.
I'd suppose that if your user session is authenticated with APM (the user is sending APM's MRHSession cookie, so is associated with an APM session), the app ID is recorded inside the session, and the user is accessing the backend through APM, all you'd have to do is grab this info and add a header during ACCESS_ACL_ALLOWED. This event is fired during each network request from users, and can be used more or less like HTTP_REQUEST.
when ACCESS_ACL_ALLOWED {
    # Read the OAuth client ID stored in the APM session for this user
    set appid [ACCESS::session data get "session.oauth.authz.client_id"]
    # Overwrite (or create) the header the backend will use to identify the app
    HTTP::header replace "X-PARTNER-ID" $appid
    log "Inserted appid: $appid"
}
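A slightly more defensive variant of that iRule, added here as an example and not part of the original answer: it strips any client-supplied copy of the header before inserting APM's value and skips the insertion when the session carries no client ID. It assumes the same session variable name as the answer above (session.oauth.authz.client_id, not verified here).

```tcl
# Added example (not from the original answer). Assumes the session variable
# session.oauth.authz.client_id holds the OAuth client ID, as used above.
when ACCESS_ACL_ALLOWED {
    # Never trust a copy of this header sent by the client: remove every
    # instance first, so the backend only ever sees the value APM inserted.
    HTTP::header remove "X-PARTNER-ID"

    set appid [ACCESS::session data get "session.oauth.authz.client_id"]

    if { $appid ne "" } {
        HTTP::header insert "X-PARTNER-ID" $appid
        log local0. "Inserted X-PARTNER-ID=$appid for [IP::client_addr] [HTTP::uri]"
    } else {
        # Valid APM session but no OAuth client ID recorded (for example a
        # non-OAuth login): leave the header absent rather than send an empty one.
        log local0. "No OAuth client_id in session; X-PARTNER-ID not inserted"
    }
}
```

On the backend, treat X-PARTNER-ID as trustworthy only for traffic that can reach the server exclusively through this virtual server.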