For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Feb 13, 2020

How to add tenant ID check to existing if loops for redirects

I need to add an additional check to look for a tenant ID that will be set through an access policy assigned to the VIP, before redirecting to either of two destinations. Currently, I have this code ...
application delivery
BIG-IP Access Policy Manager (APM)
cjunior's avatar
cjunior
Icon for Nacreous rankNacreous
Feb 14, 2020

Hey,

Analysing your code, I found a unreachable condition:

 

if { [HTTP::uri] starts_with "/logout-apm" } {

}

elseif { [HTTP::uri] starts_with "/logout-apm" } {

}

 

Maybe a typo?

Well, my understood on this case drive me to this code:

when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"
 
    if { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri"} {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            
            if { $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
                HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&amp&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                
                return
            
            } elseif { $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                
                return
            }
        }
        HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
    }
}

Am I right and fix that?

 

Regards.