Forum Discussion
How BIG-IP Token/Authentication works ?
I'm unable to find anywhere here/documentation/articles anyone that could explain a little bit better the authentication token when you get the response from the Rest.
I'm sending the POST to the Rest, and the Rest is returning the Authentication.
Here is an example:
token : AD2GKZPXKVTE4WKJEQUZTIPOM3
name : AD2GKZPXKVTE4WKJEQUZTIPOM3
userName : admin
authProviderName : tmos
user : ...
groupReferences : ...
timeout : 1200
startTime : 2016-07-22T09:24:11.808-0500
address : 10.10.10.10
partition : [All]
generation : 1
lastUpdateMicros : 1469197451807722
expirationMicros : 1469198651808000
kind : shared:authz:tokens:authtokenitemstate
selfLink : https://localhost/mgmt/shared/authz/tokens/AD2GKZPXKVTE4WKJEQUZTIPOM3
Does anyone know what "lastUpdateMicros" and "ExpirationMicros" are, and what Timeout actually means? I'm having several issues in my scripts when I call the Rest and the call just fails. If I try to get a new token the call works. I wonder if it could be due to the token being expired after it is used once. Will the token expire only after 1200 seconds or is that not true?
- ekaleidoCirrus
The token will timeout after 1200 seconds. All attempts to increase or remove that have been futile for me.
- rodolfosalgado_Altostratus
Can you do as many calls as you want during this 1200 time window?
- ekaleidoCirrus
That is my experience. If you create the token every time you call the API, you should get the same token until the 1200 seconds is up. So be sure to always generate the token and insert the token as the header and you'll be able to account for when it expires and becomes a new value.
- Satoshi_ToyosawHistoric F5 Account
A different token is generated for every request as far as I checked. Tested on 12.1.2 and 13.0.0. The behaviour may be different in a different version. Please post the version number you tested if you can, so I can verify.
Here's a test one-liner:
for i in `seq 1 30`; do curl -sk -X POST -H "Content-type: application/json" \
https:///mgmt/shared/authn/login \
-d '{"username":";", "password":";", "loginProviderName":"tmos"}' | \
python -m json.tool | fgrep '"token": "' | sort | uniq -c; done
To get a list of currently available tokens, run:
curl -sku admin: https:///mgmt/shared/authz/tokens
- Madhu_RajagopalEmployee
It is possible to modify the timeout once a token is obtained. This is achieved using the PATCH method.
Get a token (from an external auth provider in this example):
curl -s -k -u admin:changeme -X POST -H "Content-Type: application/json" -d '{ "username": "mrajagopal", "password": "changeme1234", "loginProviderName": "tmos"}' https://10.154.170.18/mgmt/shared/authn/login
Update the token with preferred timeout (max: 36000) value using the self-link key provided in the response:
curl -sk https://10.154.170.18/mgmt/shared/authz/tokens/Y43RS3JJLFXFH3FRT4PVZQOUOJ -H "X-F5-Auth-Token: Y43RS3JJLFXFH3FRT4PVZQOUOJ" -X PATCH -d '{"timeout" : 4200}'
The 'lastUpdateMicros' key in the response is the unix timestamp of when this token was modified as we did to adjust the timeout.
While the 'expirationMicros' key is the unix timestamp of when this token will expire.
- SupportUserNimbostratus
posted by mistake - please delete
In case you want to use BIG-IQ as REST proxy you are forced to use a token.
Please see Ask F5 article "K04452074: Overview of using the BIG-IQ system authentication token". The token timeout of 300 seconds is hard coded. A token can be requested via REST as shown below.
An object is returned containing a key named "token". The value of token is another object containing the token key and value and other elements. To filter the token string the following syntax might be used on shell:
curl -sk -X POST -H "Content-Type: application/json" -d '{"username":"", "password":""}' "https:///mgmt/shared/authn/login" | \
grep -oP '(?<="token":)\{("[^"]*":\s*("[^"]*"|[^",]*|\{[^}]*\}|\[[^]]*\]),?)*\}' | grep -oP '(?<="token":")[^"]*'
- Andre_NurwonoEmployee
IPADDR='127.0.0.1'; \
TOKEN=`curl -sku admin:admin https://$IPADDR/mgmt/shared/authn/login -X POST -H "Content-Type: application/json" -d '{"username":"admin", "password":"admin", "loginProviderName":"tmos"}' | jq -r '.token.token'` ; \
curl --trace-time -vvv -sk -X GET https://$IPADDR/mgmt/shared/identified-devices/config/device-info -H "X-F5-Auth-Token: $TOKEN";
I love the filter!
There's also the jq util which can parse json. This example then reuses it in a subsequent call.
- Satoshi_Toyosa1Ret. Employee
For more information on the authentication token, refer to the following documents.
- iControl® REST API User Guide Version 13.0, especially the following sections:
  - About iControl and authentication for user accounts, pp. 20-21.
  - About external authentication providers with iControl REST, pp. 22-23
- BIG-IQ® Systems: REST API Reference
  - Authentication token resource API, pp. 3-53 -- 3-58
... I know. The docs do not define what lastUpdateMicros and ExpirationMicros fields mean ... but we can certainly guess. Try EpochConverter. If you are using the python API, try
>>> import time
>>> time.gmtime(1386701529797298/10**6)
time.struct_time(tm_year=2013, tm_mon=12, tm_mday=10, tm_hour=18, tm_min=52, tm_sec=9, tm_wday=1, tm_yday=344, tm_isdst=0)
- Satoshi_Toyosa1Ret. Employee
Got it. From 13.1.0, the maximum number of authentication tokens a non-admin user can obtain is limited to 100. The default life of a token is 30 min, so after that, you should be able to create a new token. It is recommended to reuse the token to avoid the error.
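An added example, not part of the original thread or F5's own code: it reads the token fields quoted in the question as microseconds since the Unix epoch (the same interpretation as the `time.gmtime` call above) and reuses one token until shortly before `expirationMicros`, as recommended in the last reply. The `login` hook, the `TokenCache` class and the 60-second margin are assumptions made for illustration.

```python
import time
from datetime import datetime, timezone

# Constructed sample: fields copied from the token object quoted in the question.
SAMPLE_TOKEN = {
    "token": "AD2GKZPXKVTE4WKJEQUZTIPOM3",
    "timeout": 1200,
    "lastUpdateMicros": 1469197451807722,
    "expirationMicros": 1469198651808000,
}


def micros_to_utc(micros):
    """Read a *Micros field as microseconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(micros / 10**6, tz=timezone.utc)


def seconds_left(token, now=None):
    """Seconds until expirationMicros, relative to `now` (epoch seconds)."""
    now = time.time() if now is None else now
    return token["expirationMicros"] / 10**6 - now


class TokenCache:
    """Reuse one token and log in again only when it is about to expire."""

    def __init__(self, login, margin=60, clock=time.time):
        self._login = login    # hypothetical hook: returns the "token" object
        self._margin = margin  # refresh this many seconds before expiry
        self._clock = clock
        self._token = None
        self.logins = 0        # how many tokens this client has requested

    def header(self):
        """Return the auth header, requesting a new token only if needed."""
        expiring = (self._token is None or
                    seconds_left(self._token, self._clock()) < self._margin)
        if expiring:
            self._token = self._login()
            self.logins += 1
        return {"X-F5-Auth-Token": self._token["token"]}
```

In a real script the `login` callable would POST to `/mgmt/shared/authn/login` and return the `token` object from the response; the margin absorbs clock skew between the client and the device.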