Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Feb 13, 2020

How to add tenant ID check to existing if loops for redirects

I need to add an additional check to look for a tenant ID that will be set through an access policy assigned to the VIP, before redirecting to either of two destinations. Currently, I have this code ...
application delivery
BIG-IP Access Policy Manager (APM)
cjunior's avatar
cjunior
Icon for Nacreous rankNacreous
Feb 14, 2020

Hey,

Analysing your code, I found a unreachable condition:

 

if { [HTTP::uri] starts_with "/logout-apm" } {

}

elseif { [HTTP::uri] starts_with "/logout-apm" } {

}

 

Maybe a typo?

Well, my understood on this case drive me to this code:

when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"
 
    if { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri"} {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            
            if { $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
                HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&amp&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                
                return
            
            } elseif { $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                
                return
            }
        }
        HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
    }
}

Am I right and fix that?

 

Regards.