For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Oct 23, 2019

How can i use oAuth session variables in APM policy to decide which ACL can be assigned

I am trying to create a policy where i can try and grab the session variable 'session.oauth.client.last.id_token.groups' that the Oauth client agent gets and use that to decide which ACL can be assig...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
iaine's avatar
iaine
Icon for Nacreous rankNacreous
Oct 24, 2019

Hi

 

Have you tried adding an expression to the Resource Assign object? So something like

 

  • sricharan61's avatar
    sricharan61
    Icon for Cirrus rankCirrus
    Oct 24, 2019

    Hi Iaine

     

    I tried setting up the configuration like this.

    expr {[mcget {session.oauth.client.last.id_token.groups}] =="xxxxxxx-xxxx-xxxx-x-xx"}

    Static ACLs: /Common/test

    Add/Delete

     

    also

     

    expr {[mcget {session.oauth.client./Common/AzureADB2BOauthprov.id_token.g roups}]== "xxxxxx-xxxx-xxxx-xxx-xxxxxx"}

    Static ACLs: /Common/test

    Add/Delete

     

    as i saw both these entries in the access logs for the groups information in different session variable names.

     

    but i do not see the resource assign parameter logs invoking a match for these expressions to send to ACL in the access logs