How can I use OAuth session variables in APM policy to decide which ACL can be assigned
I am trying to create a policy where I can try and grab the session variable 'session.oauth.client.last.id_token.groups' that the OAuth client agent gets and use that to decide which ACL can be assigned to the user based on the group ID value of that session variable. I am not seeing any options in the assignment tab of the policy parameters that can leverage this session variable information.
- iaine
Nacreous
Hi
Have you tried adding an expression to the Resource Assign object? So something like
- sricharan61
Cirrus
Hi Iaine
I tried setting up the configuration like this.
expr {[mcget {session.oauth.client.last.id_token.groups}] == "xxxxxxx-xxxx-xxxx-x-xx"}
Static ACLs: /Common/test
Add/Delete
also
expr {[mcget {session.oauth.client./Common/AzureADB2BOauthprov.id_token.groups}] == "xxxxxx-xxxx-xxxx-xxx-xxxxxx"}
Static ACLs: /Common/test
Add/Delete
as I saw both these entries in the access logs for the groups information in different session variable names.
But I do not see the resource assign parameter logs invoking a match for these expressions to send to ACL in the access logs.
- iaine
Nacreous
Dumb question I know, but is the resource assigning happening after the oauth call?
Have you tried outputting the variables to a message box just prior to the ACL assignment to ensure that the variables are present and correct? https://support.f5.com/csp/article/K11123
- sricharan61
Cirrus
Hi Iaine
Looks like it's working, it's just that the logs are not showing the exact match happening by the condition we are setting. It simply shows what ACL was assigned. I set up a logging message after the OAuth client to be able to see that user group match logged in the session logs.
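An added example, not from this thread and not F5's own documentation, that puts the two pieces discussed above together: a Resource Assign expression that still matches when the groups claim carries more than one group, and an iRule that writes the claim to the log so the match can be confirmed without guessing. It assumes the claim is exposed as a whitespace-separated Tcl list (check the session log first; if it arrives in another form, fall back to the plain string compare from the thread), a placeholder group object ID, and an iRule Event agent with the hypothetical agent ID `log_groups` placed in the policy after the OAuth Client agent. The two fragments go in different places (the expression in the visual policy editor, the iRule on the virtual server).

```tcl
# 1) Resource Assign expression (visual policy editor, advanced/expression
#    mode). Assumption: a multi-valued groups claim is a whitespace-separated
#    list. lsearch -exact compares whole list elements, so it works when the
#    user is in several groups and does not match on a partial GUID the way
#    a substring test would.
expr {[lsearch -exact [mcget {session.oauth.client.last.id_token.groups}] \
          "GROUP-ID-PLACEHOLDER"] >= 0}

# 2) iRule on the virtual server. Fires when an iRule Event agent whose
#    agent ID is "log_groups" (hypothetical name) runs after the OAuth
#    Client agent, and records exactly what the expression above will see.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "log_groups" } {
        set groups [ACCESS::session data get \
            "session.oauth.client.last.id_token.groups"]
        # Angle brackets make empty or whitespace-padded values visible.
        log local0. "sid=[ACCESS::session sid] id_token.groups=<$groups>"
    }
}
```

Logging the raw value before the Resource Assign removes the ambiguity the thread ran into: the ACL log line only says which ACL was applied, while this line shows the value the comparison was made against.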
- Richard_Tocci
Employee
Turning on debug logging in the APM logging profile would have shown this activity.
General rule of thumb - if you don't see it in the logs, turn on debug and you will.