Group based authorization + OAuth 2.0 client setup with APM
Hi all,
I am trying to configure an APM access policy to authenticate users using an OAuth flow, integrated with Azure AD, with APM acting as client/RS as described in K42333110. So far so good: only users within my tenant can access the VS, but I am hitting a wall when trying to limit access to users within a specific AD group.
The AD App the APM is using to authenticate users is configured to include the groups the user requesting the token belongs to in the group claims field of the JWT, but I can't see any field for "groups" or similar under the session variables, so I have nothing to base the authorization on. Now my questions would be:
- Is there a way to see the value of the access token requested by the APM as client application? When I do a session dump, the value of the token is obfuscated, just as in the session variables table.
- Once I get (hopefully) a session variable with the value of the groups, can I use an OAuth scope step, or do I need to use an iRule and evaluate it to make an access/deny decision in the per-session policy?
TIA
> Is there a way to see the value of the access token requested by the APM as client application? when I do a session dump, the value of the token is obfuscated, just as in the session variables table
You can use a Message Box in the VPE to display the session variable. Decoding can be done with jwt.io.
- UstrumCirrus
Thanks for your response! I think I didn't explain myself, though: when I access the "session.oauth.client./Common/policy.access_token" value, it is obfuscated/encrypted, and it starts with $CK$$, so the question would rather be: is there a way I can access the raw value of the access token for debugging purposes?
> is there a way I can access the raw value of the access token for debugging purposes?
I have done this always with the described message box.
- UstrumCirrus
Thanks! It does work indeed.
- James_Jinwon_LeeEmployee
You need to configure your Azure AD to include the user's group info in the token.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Once the group info is included in the token, you can find it as a variable.
As the SAML attributes on some versions are saved as "secure" data on the F5, I forget from when I played with this whether the OAuth token is stored the same way, but as Juergen_Mang said you can use the message box and mcget -secure to decrypt it, and then use a base64 decode site, as this is the encoding.
K07645403: Using mcget -secure to decrypt and display a password for troubleshooting auth issues.
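The replies above establish the workflow: expose the raw token, base64url-decode its payload the way jwt.io does, and read the group claim that Azure AD was configured to emit. The following is an added example (not code from the thread, from F5, or from Microsoft) written in Python rather than as an iRule, showing what that decode step and the resulting allow/deny check look like on a constructed token. The group object ID, the user names, and the `build_demo_token` helper are placeholders built for the demonstration. The code only decodes the payload; it does not check the signature, because in this setup signature and issuer validation is the job of the APM OAuth client/RS configuration, and a group decision must only be made on a token APM has already validated. The `hasgroups` / `_claim_names` handling reflects Azure AD's documented behaviour of omitting the `groups` claim when a user belongs to more groups than fit in the token, in which case the token alone cannot prove membership.

```python
import base64
import json

# Placeholder Azure AD group object ID for the group allowed into the VS.
ALLOWED_GROUPS = {"11111111-2222-3333-4444-555555555555"}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload as a dict.

    This is the same transformation jwt.io performs on the pasted token.
    It does NOT verify the signature; that is the access policy's job.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def is_member_of_allowed_group(claims: dict, allowed: set) -> bool:
    """Allow only when a 'groups' claim is present and intersects the allowed set.

    Azure AD replaces 'groups' with 'hasgroups' (v2 tokens) or
    '_claim_names'/'_claim_sources' (v1 tokens) when the user is in too many
    groups. The token then carries no membership list, so deny rather than
    guess.
    """
    if "hasgroups" in claims or "_claim_names" in claims:
        return False
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False
    return bool(set(groups) & allowed)


def authorize(token: str, allowed: set = ALLOWED_GROUPS) -> str:
    """Decode the token and return the policy outcome as 'allow' or 'deny'."""
    claims = decode_jwt_claims(token)
    return "allow" if is_member_of_allowed_group(claims, allowed) else "deny"


def build_demo_token(claims: dict) -> str:
    """Construct an unsigned demo token (alg 'none', empty signature) so the
    example runs offline. Real tokens from Azure AD are signed; this helper
    exists only to produce sample input."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample tokens covering the cases the policy must handle.
    member = build_demo_token(
        {"sub": "alice", "groups": ["11111111-2222-3333-4444-555555555555"]}
    )
    other_group = build_demo_token({"sub": "bob", "groups": ["some-other-group"]})
    overage = build_demo_token({"sub": "carol", "hasgroups": True})
    no_claim = build_demo_token({"sub": "dave"})
    for name, tok in [("member", member), ("other", other_group),
                      ("overage", overage), ("no_claim", no_claim)]:
        print(name, decode_jwt_claims(tok), "->", authorize(tok))
```

In an APM per-session policy the equivalent logic would sit after the OAuth Client agent, reading the decoded claim out of the session variable and branching on it; the point the example makes is that an absent or overage claim must fall through to the deny branch, not to the default path.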