Forum Discussion
F5 APM as OAuth Authorization server and Resource server
I’m using F5 as both Authorization server and Resource server. Haven’t setup client server yet so it accepts any username and any password.
When testing in postman, I can generate token and pass them via request header but when submitting the GET request I’m seeing 503 DNS resolver error in the response headers. Please help.
- HarshaPotharajuNimbostratus
Marvin, renaming the forward zone profile name with period(.) in the bigip.conf file and loading the config resolved the issue. Sounds crazy but worked.
**Before** net dns-resolver /Application/oauth_dns { forward-zones { oauth_forward_zone { nameservers { x.x.x.x:53 { } } } } route-domain /Common/0 use-ipv6 no } **After** net dns-resolver /Application/oauth_dns { forward-zones { . { nameservers { x.x.x.x:53 { } } } } route-domain /Common/0 use-ipv6 no }
- MarvinCirrocumulus
I found out the the DNSresolver object was configured in route domain 0, as we use route domains and strictly isolated we received that error message. I changed the DNSresolver object to the right route domain and the error disappeared, however I now see timeout issue. In tcpdump I see still that the F5 self IP is trying to reach public DNS servers, but it should resolve using the DNS servers configured on the F5 system via management interface, however this is not happening.
So the issue you are experience most probably has to to with the same DNS connectivity issue, perhaps you also use route domains in your setup?
- MarvinCirrocumulus
I have exactly the same issue here using F5 APM as oauth client, the oauth authorization code is being retrieved from AzureAD (OpenID) and is send back to the F5, after that we receive the same error message, were you able to solve this?
- HarshaPotharajuNimbostratus
Here is the error after sending the GET request by adding OAuth 2.0 token data to 'Request Header'
Mar 6 17:46:20 F5LAB err apmd[4575]: 01490290:3: /Application/APM_ACCESS_POLICY_RESOURCE_SERVER::b8e87a6f/Application/RS_SCOPE_CHECK/YXhzMnN1YnNpZA==:/Application/RS_SCOPE_CHECK_act_oauth_scope_subsession_ag: OAuth Scope: failed for server '/Application/APM_CLIENT_RESOURCE_OAUTH_SERVER' (resource_server_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx), error: HTTP error 503, DNS lookup failed
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com