Forum Discussion
julienb
Nimbostratus
NimbostratusERR_CONN_RESET - VS - OAuth Client
Hello everyone,
I'm a newbie with F5, for a client I have to configure an OpenID Connect authentication, so I followed the F5 documentation and everything if working fine, except one thing.
The process :
The user go to the Virtual Server apptest.example.com (On the first F5) (Access profile just with OAuth Client), he is directly redirect to the virtual Server (On the second F5) appauth.example.com (Access Profile with OAuth Authorization), the user authenticate itself, if the authentication succeed he passed trough OAuth Authorization and he is redirected to the apptest.example.com, after that he is finally redirect to my website with the id_token.
The problem is : If the user go back to apptest.example.com, the Virtual Server stuck and after maybe 1 minute the user got the error : ERR_CONN_RESET (Chrome). But if I delete the active session of the user (With the first F5), it works, and the user can access apptest.example.com and do the all process.
What I was expecting is : When the user go back to apptest.example.com after successful process (authentication), he is directly redirected to my website with the id_token.
Thank you in advance.
- Nikoolayy1
MVP
The apptest.example.com is a with a Redirect ending to appauth.example.com or multydomain SSO config is used?
julienbHello, thank you for your reply.
Yes at the end of the apptest.example.com policy, it is a Redirect ending to another website (website.example.com)
- Nikoolayy1
So how the redirect to appauth.example.com happens and what you mean by (On the second F5) ? Another F5 device?
- julienb
Hello,
No there is just 2 F5 ; One use as a client/resource server and the other as authorization server ; At the end of the Access Profile (Per-Session Policies), when the client passed trough the "OAuth client", the client is redirected to the website : website.example.com/ide_token=****** ;
Thank you.
- Daniel_Wolf
Hi,
can you share with us which F5 documentation / guide you followed? Just a link to it.
And can you share how your Resource Server (apptest.example.com (On the first F5)) is configured? Does it have an Access Profile (Per-Session Policy) and additionally a Per-Request Policy? How is it setup?
The behaviour of "delete the active session and after reload it works" makes me wonder if part of the config on the Resource Server is missing.
KR
Daniel
- julienb
Hello and thank you,
You can find my reply below.
Best regards.
- julienb
Hello,
This is the doc I followed : https://support.f5.com/csp/article/K14391041 ; But I changed some settings, for example my client want to use OpenID Connect with it. On apptest.example.com there is just one Access Profile (Per-Session Policy). Like this :
When the user connects for the first time and pass it through, it works, but when he has an active session he can't connect to apptest.example.com, I have an error "Secure Connection Failed" ... An error occured during a connection to apptest.example.com. PR_CONNECT_RESET_ERROR
The only "workaround" I found for the moment is to delete the active session at the end of the Access Profile (when I redirect the user to the website). But it means that I can't see his session on the F5.
PS : I see nothing in the Access Profile logs, so it means (I think) that is related to the Virtual Server and not the Access Profile.
Best regards.
- Daniel_Wolf
Hello,
your answer is quite comprehensive, I will go through it...
Meanwhile, did you do a traffic capture on the F5 or on the client? On the F5 you can decrypt the SSL and you can also log the reset cause. It's definitely worth to investigate the reason for the connection reason.
KR
Daniel
- julienb
Hello and thank you.
I will investigate.
Best regards.
- julienb
Here is the doc I made, the first one is the Internal WAF, this F5 will act as the Authorization Server :
- julienb
And here the doc about the second F5, acting as the Client.
- Daniel_Wolf
Hi ,
did you get any further with this? I managed to get it going following strictly https://support.f5.com/csp/article/K14391041.
I will adjust my setup throughout the weekend to add the configuration required for JWT and will test further.
Any results from taking a tcpdump or maybe you can change the Log profile to debug level for OAuth?
KR
Daniel
- Daniel_Wolf
Just to clarify that I am not missing something important - you want to achieve the following:
Client goes to https://app.example.com (Resource Server).
Is redirected to https://auth.example.com (Authentication Server), client authenticates with <whatever>, receives token.
Is redirected back to https://app.example.com and authenticates there once with the token received from the Authentication Server.
The client then receives the APM cookies and no further token is required.
Is that correct? Because I got this working with your settings from above.
Only thing I have different is the cookie settings and some minor stuff like username instead of mail.
Anything obvious that might be off in your config? Like mixing http and https or IP and FQDN, or something off with your DNS config in apm-dns-resolver?
- julienb
Hello,
Sorry for the late reply, I was busy with other projects.
The process (for the moment) is :
- The user goes to apptest.example.com (RS)
- He is redirect to appauth.example.com (AS)
- The client authenticates
- Then he is redirect to webapp.example.com (the website) with a token
- And yes he gets an APM cookie
The client is redirected to the IP of the website (webapp.example.com = 10.0.0.4) instead of a FQDN, but everything use HTTPS.
Thank you for your time.
Best regards.
