Forum Discussion

Vulcana
Mar 08, 2024

F5 APM with OIDC Web Duo Prompt

DUO is retiring the iFrame support, which has been working well for us. I am trying to implement the replacement found at https://duo.com/docs/f5bigip-web and in the DevCentral article "APM Configuration to Support Duo MFA using iRule".

This is our first JSON / OAuth implementation and I think I missed something in the setup.

The DUO subroutine is implemented after the initial AD Authentication and Query.

When I attempt to log on with the VPN client I get past the AD Authentication, but when the DUO challenge is to appear it fails and rolls back to the AD Authentication prompt screen.

 

The error I pulled out of the access report is:

/Common/duosubroutine_act_oauth_client_ag: OAuth Client: authorization_code is required to get access_token for server '/Common/duo_server'

I am attempting to configure this as a per session policy.  To my limited understanding I believe the secret is not being properly passed.

Could anyone provide steps for troubleshooting this?

Thank You

  • For those who may run into this in the future: sometimes it can be difficult to distinguish a _ from a - in the article. Should you run into this, check for:

    • client_id parameter with type client-id
    • response_type parameter with type response-type
    • grant_type parameter with type grant-type
    • redirect_uri parameter with type redirect-uri
    • Thanu

      Hi,

      We have configured F5 APM with Duo Universal Prompt. When I try to access VDI, it gives the login page and then redirects to the API host but gets a 404 error. Can anyone help me with this? I have been troubleshooting this but not getting anywhere.

       

      Thanks in Advance!

      • Vulcana

        As a 404 is not found, I would check to make sure that you have correctly copied the API host name. This would be api-xxxxx.duosecurity.com in the authentication and token URLs during the OAuth provider configuration step. Make sure auto JWT is off.

        Also check in the JSON web token creation step, as that uses the API host name as well.

        Finally, double check that name in the iRule (around line 40).

        I hope that gives you places to dig.  Good luck.
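
The checks suggested in this thread (underscore versus hyphen in the OAuth request parameters, and the same API host name in the provider URLs, the JWT step and the iRule), as an added example that is not part of any post or of the F5 or Duo articles. The input format, the function names and the sample values are assumptions: name/type pairs and host names typed in by hand from the APM GUI and the iRule.

```python
import re
from urllib.parse import urlsplit

# Name -> type pairs listed in the thread: names use "_", types use "-".
EXPECTED_TYPES = {"client_id": "client-id", "response_type": "response-type",
                  "grant_type": "grant-type", "redirect_uri": "redirect-uri"}
# Assumed shape of the API host name, from the thread's api-xxxxx.duosecurity.com.
API_HOST_RE = re.compile(r"^api-[0-9a-z]+\.duosecurity\.com$")

def check_params(params):
    """Findings for (name, type) pairs transcribed from the OAuth request."""
    seen, findings = dict(params), []
    for name, want in EXPECTED_TYPES.items():
        if name not in seen:
            alt = name.replace("_", "-")  # hyphenated name: the usual slip
            hint = f" (found '{alt}' instead)" if alt in seen else ""
            findings.append(f"missing parameter '{name}'{hint}")
        elif seen[name] != want:
            findings.append(f"'{name}' has type '{seen[name]}', expected '{want}'")
    return findings

def check_hosts(locations):
    """Findings for the API host name in each place it was entered."""
    hosts, findings = {}, []
    for where, value in locations.items():
        value = value.strip()
        host = urlsplit(value).hostname if "://" in value else value.lower()
        hosts[where] = host or ""
        if not API_HOST_RE.match(hosts[where]):
            findings.append(f"{where}: '{hosts[where]}' is not api-xxxxx.duosecurity.com")
    if len(set(hosts.values())) > 1:
        findings.append("API host name is not identical in: " + ", ".join(sorted(hosts)))
    return findings

# Constructed sample input (hypothetical values, hand-copied from the GUI and iRule).
SAMPLE_PARAMS = [("client_id", "client-id"), ("response-type", "response-type"),
                 ("grant_type", "grant_type"), ("redirect_uri", "redirect-uri")]
SAMPLE_HOSTS = {
    "authorization URL": "https://api-12ab34cd.duosecurity.com/example-path",
    "token URL": "https://api-12ab34cd.duosecurty.com/example-path",  # typo
    "JWT / iRule host": "api-12ab34cd.duosecurity.com",
}

if __name__ == "__main__":
    for finding in check_params(SAMPLE_PARAMS) + check_hosts(SAMPLE_HOSTS):
        print("CHECK:", finding)
```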