Forum Discussion
How to add tenant ID check to existing if loops for redirects
I need to add an additional check to look for a tenant ID that will be set through an access policy assigned to the VIP, before redirecting to either of two destinations. Currently, I have the code below running. Since we did not want to have two different trigger paths coded as part of the logout requests, we are being asked to check the tenant ID for the respective logged-in user and use that to redirect to either of the two destinations for Azure logout, using the same single trigger path of logout-apm instead of having the developers code -apm and apm-b2c for us to be able to distinguish the trigger to either of the destinations.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/logout-apmb2b" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] starts_with "/logout-apmb2c" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}
where
bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx (the B2C Azure tenant ID we are using)
https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue (the custom logout path for Azure B2C)
I tried this as a possible solution:
when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"
    if { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" && $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx"} {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        }
    } elseif { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" && $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}
but the redirects are failing with this code.
- cjunior
Nacreous
Hey,
Analysing your code, I found an unreachable condition:
if { [HTTP::uri] starts_with "/logout-apm" } {
} elseif { [HTTP::uri] starts_with "/logout-apm" } {
}
Maybe a typo?
Well, my understanding of this case leads me to this code:
when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"
    if { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri"} {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            if { $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
                HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                return
            } elseif { $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                return
            }
        }
        HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
    }
}
Am I right, and does that fix it?
Regards.
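A consolidated form of the routing discussed in this thread, as an added example that is not from either poster: it compares `tid` with `eq` rather than `contains`, and forwards `post_logout_redirect_uri` only when its decoded value is a local path. The tenant IDs are the thread's masked placeholders, the variable names are illustrative, and the B2C URL joins its parameters with a single `&`.

```tcl
# Added example, not code from the thread. Tenant IDs are the masked
# placeholders used in the posts; variable names are illustrative.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/logout-apm" } {
        set b2c_tid  "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx"
        set b2b_tid  "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp"
        set aad_base "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        set b2c_base "https://login-test.wecenergygroup.com/${b2c_tid}/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin"

        # Empty when there is no APM session or the token had no tid claim;
        # an empty tid matches neither tenant and gets the plain logout.
        set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]

        # The parameter is appended directly after the host name, so accept
        # it only if, once decoded, it is a local path: one leading "/",
        # not "//", and no backslash. Anything else is dropped.
        set raw     [URI::query [HTTP::uri] post_logout_redirect_uri]
        set decoded [URI::decode $raw]
        if { ![string match "/*" $decoded] || [string match "//*" $decoded] || [string first "\\" $decoded] >= 0 } {
            log local0. "logout: ignoring post_logout_redirect_uri for tid '$tid'"
            set raw ""
        }

        # Default: plain Azure AD logout (no parameter, or unknown tenant).
        set url $aad_base
        if { $raw ne "" } {
            if { $tid eq $b2c_tid } {
                set url "${b2c_base}&post_logout_redirect_uri=https://[HTTP::host]$raw"
            } elseif { $tid eq $b2b_tid } {
                set url "${aad_base}?post_logout_redirect_uri=https://[HTTP::host]$raw"
            }
        }
        HTTP::redirect $url
    }
}
```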
- sricharan61
Cirrus
I have hashed the tenant IDs on purpose. Yes, the ask is to check for another parameter as an if on top of two existing conditions, but in a set of two ifs as an "and", followed by another if in case the first is matched. I was able to accomplish this with this code:
if { [HTTP::uri] starts_with "/logout-apm" and $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
    if { [HTTP::uri] contains "post_logout_redirect_uri" }
Thanks
- cjunior
Nacreous
So, does that mean you solved this case, or do you still need help in some way?
Regards.
- sricharan61
Cirrus
It is resolved now, thanks for your help!😊