Forum Discussion
Detecting OAuth2 request on resource server
We are trying to use the same APM policy for SAML and for OAuth2. To do this without getting errors in OAuth Scope on non-OAuth2 requests, we need the possibility to read the Bearer Authorization header to detect an OAuth2 token request.
The problem is that APM "hides" the header values (the agent event looks like a redirect where the headers are missing), so in the policy we were unable to get the header (not found in ACCESS_POLICY_AGENT_EVENT).
In an iRule we can get the header in HTTP_REQUEST, but every attempt to get/transfer any information into the session fails.
HTTP_REQUEST is too early (no session) and ACCESS_SESSION_STARTED is too late.
Does anybody have an idea how to solve this problem?
Maybe this setting will help you:
ACCESS::restrict_irule_events disable
This command disables the default behavior and enables admin to enable HTTP and higher layer iRule events for the internal access control URI. Admin can use this to handle these URIs in their iRules if needed.
https://clouddocs.f5.com/api/irules/ACCESS__restrict_irule_events.html
- jk20004
No, that makes no difference (but to make sure, I have included the command in CLIENT_ACCEPTED).
The problem looks like an old APM problem. When I set session values in an iRule event, you cannot be sure to get this data in an APM policy because they are handled by a different process.
The documentation says that I can get/set session values in ACCESS_SESSION_STARTED:

    when ACCESS_SESSION_STARTED {
        # Store a test value in the APM session and confirm it in /var/log/ltm
        ACCESS::session data set session.custom.test 1
        log local0. "session.custom.test set to 1"
    }

In the ltm log I can see the entry, but a logging task in the APM policy will not show the entry (also a second at the end).
I hope I will find a way to get the Authorization header information directly in the APM policy.
- jk20004
Life could be so easy.
The only problem is that the logging action in the APM policy will not show all values when you select custom and session.*, but when you directly log session.custom.test you see that the value is there.
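
One way to combine the two events discussed in this thread, as an added example that is not code from any of the posters or from F5: HTTP_REQUEST sees the Authorization header, ACCESS_SESSION_STARTED has a session to write to. It assumes HTTP_REQUEST fires on the same connection before ACCESS_SESSION_STARTED; the variable name session.custom.is_bearer is hypothetical.

```tcl
# Added example. session.custom.is_bearer is a hypothetical variable name.
when HTTP_REQUEST {
    # Runs on every request, before any APM session exists.
    # Keep only a flag in a connection-scoped Tcl variable, never the token,
    # so the credential does not end up in session data or logs.
    set is_bearer 0
    if { [HTTP::header exists "Authorization"] } {
        # The auth scheme is case-insensitive; require a non-empty credential.
        set auth [string trim [HTTP::header value "Authorization"]]
        if { [string match -nocase "bearer ?*" $auth] } {
            set is_bearer 1
        }
        unset auth
    }
}

when ACCESS_SESSION_STARTED {
    # The session context exists now, so the flag can be written to it.
    # Assumption: is_bearer was set by HTTP_REQUEST for the request that
    # triggered this session; default to 0 if it was not.
    if { ![info exists is_bearer] } {
        set is_bearer 0
    }
    ACCESS::session data set session.custom.is_bearer $is_bearer
}
```

In the access policy, a branch expression such as `expr { [mcget {session.custom.is_bearer}] == 1 }` can then send only Bearer requests to the OAuth Scope agent. To verify the value, log session.custom.is_bearer by name, as the last post describes.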