EntraID + F5 as Oauth client/resource server not sending ID Token to app
Hello,
Here is the basic setup.
F5 is configured to use EntraID and is set up as the client + resource server. When a user logs into the web app via EntraID they are able to log in just fine. However, the web app only receives an access token via the F5. The web app gets invalid signature errors when trying to validate the access token. As per this conversation, ID tokens are to be used for validating users.
I guess my overall question is, how do we send the ID token to the virtual server as well as the access token? I have OIDC connect enabled in the OAuth client in the access profile. I'm still fairly new to how OAuth (and the F5) works, so maybe I missed something obvious.
And as said F5 is fine validating the token
Now if you want your backend web application cluster to be able to validate OAuth tokens, you need to configure it as a resource server too.
But you should think: is there really such a need?
Why not just let F5 do the job and inject an HTTP header which the web app can consume.
I am still wondering how the access token reaches the web app. Have you configured OAuth bearer SSO on F5?
- wilfordbrimley
Nimbostratus
Sorry for the confusion, I should have better illustrated the flow:
F5 Virtual server + (apm acting as client/resource server) > NGINX pool > backend web application cluster.
I am a bit confused.
When you talk about the web app, are you referring to the actual web app server or to an APM policy?
Because if you want to consume OAuth tokens on the web app (pool member), you need to configure it as a resource server too.
Otherwise it makes total sense not to be able to validate the token.
As for the .default scope, it seems to be a special scope which should not be used in cases like this.
And yes, it somehow doesn't need the JWT key to be validated.
- wilfordbrimley
Nimbostratus
Have you configured your web app as resource server?
We have configured the F5 as the OAuth client/resource server, using the instructions from here: https://my.f5.com/manage/s/article/K53313351
In order to validate the token you need the JWT key.
F5 fetched the JWT keys when you created the OAuth provider. Note that JWT keys are rotating, so you need to create a schedule in F5 to look for new keys.
Therefore even in jwt.io you need to provide the key in order to validate the token.
As for the .default scope, I have never used it, I will have a look.
Have you configured your web app as a resource server?
And if yes, are you using the same credentials as on F5?
- wilfordbrimley
Nimbostratus
The "scope" field was blank before. The web app accepted the access token sent by the F5 APM, but if the web app tried to validate the token signature, the signature was invalid. This also occurred when trying to validate the token on https://jwt.io.
However, once we added the above scope, the token signature was successfully validated by both the web app and jwt.io.
Ok, I got it.
https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-default-scope
What scope were you using before that was failing?
- wilfordbrimley
Nimbostratus
I can't find the original post now, it was either here or Stack Overflow, but someone mentioned that they could validate the token signature if the client ID was added to the scope in the format clientid/.default. I confirmed this was also the case for us.
APM will fetch the access token and ID token on the back channel from the IdP; this means that it does not exist as an HTTP header in the user request.
If you see the Access Token on web app I assume it's because you have configured oauth bearer sso between F5 and web app.
This means that F5 will inject Access Token when forwarding user request to pool member. Of course web app needs to have a way to validate the token.
Not sure what you mean by adding {clientid}/.default to the "scope" options.
As for the ID token, it is consumed by the APM itself; if you want to forward it to the pool member you should inject it manually, maybe with an iRule. But again, the web app should be able to validate it.
So you have also configured OAuth bearer SSO between F5 and the web app?
As for the ID token, you should get it if the OpenID Connect option is enabled on the OAuth client config.
Is APM able to validate the access token at least?
- wilfordbrimley
Nimbostratus
APM seems to have no issues, but when I do a packet capture between the F5 and the pool members, I only see the access token in the header and no ID token. We have worked around the issue by adding {clientid}/.default to the "scope" options in APM. Once we did this the web app had no issues validating the token. Still curious why the F5 is only sending over the access token though.
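The thread keeps returning to two points: the pool member behind F5 has to validate whatever token gets injected (signature against the provider's JWT keys, which rotate, so the key set must be re-fetched), and a token that validates at jwt.io only after the scope changed is a hint that the earlier token was not minted for this app at all. The following added example (not code from the thread, F5, or Microsoft) shows what that validation looks like on the web app side: an RS256 JWT is checked against a JWKS keyed by `kid`, the JWKS is re-fetched once when an unknown `kid` shows up (key rotation), and `iss`, `aud` and `exp` are checked after the signature, so a token issued for some other audience is rejected explicitly rather than failing with a confusing signature error. The issuer URL, audience (`CLIENT_ID_PLACEHOLDER`), key IDs and the seeded toy RSA key generation are all constructed for the demo; a real deployment would load the JWKS from the provider's `jwks_uri` and use a proper crypto library instead of the pure-Python RSA here.

```python
import base64, hashlib, hmac, json, random, time

# --- Minimal RS256 (RSA PKCS#1 v1.5 + SHA-256) in pure Python: offline demo only ---

def _is_probable_prime(n, rng, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):   # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits=1024, seed=1):
    """Seeded toy keypair so the demo is reproducible (constructed; never use such keys for real)."""
    rng, e = random.Random(seed), 65537
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1      # full length, odd
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes."""
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rsa_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(msg, k))

# --- JWT / JWKS plumbing ---
def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64u_int(s): return int.from_bytes(_b64u_dec(s), "big")

def jwt_sign(priv, kid, claims):
    """Mint an RS256 token the way an IdP would; the header names the signing key by kid."""
    head = _b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64u(json.dumps(claims).encode())
    return f"{head}.{body}." + _b64u(rsa_sign(priv, f"{head}.{body}".encode()))

def jwks_of(pub_by_kid):
    """Publish public keys in JWKS form, as a provider's jwks_uri would (constructed stand-in)."""
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid,
                      "n": _b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": _b64u(e.to_bytes((e.bit_length() + 7) // 8, "big"))}
                     for kid, (n, e) in pub_by_kid.items()]}

class JwtValidator:
    """What the pool member does with a token F5 injects: check alg, kid, signature, iss, aud, exp."""
    def __init__(self, issuer, audience, fetch_jwks):
        self.issuer, self.audience, self.fetch_jwks = issuer, audience, fetch_jwks
        self.fetches, self.keys = 0, {}
        self._refresh()

    def _refresh(self):
        self.fetches += 1
        self.keys = {k["kid"]: (_b64u_int(k["n"]), _b64u_int(k["e"]))
                     for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA"}

    def validate(self, token, now=None):
        try:
            h, p, s = token.split(".")
            header, sig = json.loads(_b64u_dec(h)), _b64u_dec(s)
        except ValueError:
            return False, "malformed token"
        if header.get("alg") != "RS256":               # never trust the alg the token names (e.g. "none")
            return False, "unexpected alg"
        kid = header.get("kid")
        if kid not in self.keys:                       # rotated key: re-fetch JWKS once, then give up
            self._refresh()
            if kid not in self.keys:
                return False, "unknown kid"
        n, e = self.keys[kid]
        if not rsa_verify(n, e, f"{h}.{p}".encode(), sig):
            return False, "invalid signature"
        claims = json.loads(_b64u_dec(p))
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "wrong audience"            # e.g. an access token minted for a different API
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return False, "expired"
        return True, claims
```

The order of checks matters: the algorithm is pinned before the key is looked up, the signature is verified before any claim is read, and the audience check comes after the signature so a well-signed token for another API is refused with a clear reason. The one-time refresh on an unknown `kid` is the same idea as the scheduled key re-fetch on F5 that the reply above mentions, applied on the pool member.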