For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Oct 23, 2019

How can i use oAuth session variables in APM policy to decide which ACL can be assigned

I am trying to create a policy where i can try and grab the session variable 'session.oauth.client.last.id_token.groups' that the Oauth client agent gets and use that to decide which ACL can be assig...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
iaine's avatar
iaine
Icon for Nacreous rankNacreous
Oct 24, 2019

Hi

 

Have you tried adding an expression to the Resource Assign object? So something like

 

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Oct 24, 2019

Hi Iaine

 

I tried setting up the configuration like this.

expr {[mcget {session.oauth.client.last.id_token.groups}] =="xxxxxxx-xxxx-xxxx-x-xx"}

Static ACLs: /Common/test

Add/Delete

 

also

 

expr {[mcget {session.oauth.client./Common/AzureADB2BOauthprov.id_token.g roups}]== "xxxxxx-xxxx-xxxx-xxx-xxxxxx"}

Static ACLs: /Common/test

Add/Delete

 

as i saw both these entries in the access logs for the groups information in different session variable names.

 

but i do not see the resource assign parameter logs invoking a match for these expressions to send to ACL in the access logs