For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Aug 28, 2017

CORS Header for OAUTH2 APM

Hello, we are evaluating APM for OAUTH2, running on v13.0 HF2. One of our dev teams is building a single page application that wants to use grant type "password". Therfore, they need to have CORS ...
BIG-IP Access Policy Manager (APM)
iRules
security
Daniel_W__13795's avatar
Daniel_W__13795
Icon for Nimbostratus rankNimbostratus
Mar 29, 2018

Hi,

I solved the issue without layered VS. I't simply using HTTP_RESPONSE_RELEASE instead of HTTP_RESPONSE

when CLIENT_ACCEPTED {
 ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    unset -nocomplain cors_origin
    if { [HTTP::header "Origin"] contains "mydomain.com" } {
        set cors_origin [HTTP::header "Origin"]
        log local0. "CORS Origin seen: [HTTP::header "Origin"]"
    }
}

when HTTP_RESPONSE_RELEASE {
     CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
    log local0. "CORS Header sent: Access-Control-Allow-Origin $cors_origin"
   }
}
daren's avatar
daren
Icon for Nimbostratus rankNimbostratus
Jul 29, 2019

I am trying to use this on my LTM with APM I want a single VS if possible. But this gets stuck on preflight. any ideas?