Forum Discussion
How to have F5 APM send a 401 status code back instead of a 200 for failed OAuth login attempts
Hi
Have you tried ACCESS::respond instead of HTTP::respond?
I do not have the possibility right now to test your use case, but that is something to try.
Yoann
- sricharan61, Feb 14, 2020
Hi Yoann
ACCESS::respond worked, but only for the first attempt. If the client tries the same wrong credentials in the next attempt, I see the 401 is again replaced with the /vdesk/hangup page. This is the iRule I have now.
when ACCESS_POLICY_COMPLETED {
    # Last error recorded by the OAuth client agent for this session
    set errormessage [ACCESS::session data get "session.oauth.client.last.errMsg"]
    if { $errormessage contains "HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password" } {
        # Replace the APM deny/hangup page with a 401 plus a Basic challenge
        ACCESS::respond 401 WWW-Authenticate "Basic realm=\"Service\""
        log local0. "401 response if loop triggered"
    } else {
        log local0. "401 response if loop not triggered"
    }
}
If we can make that work for all attempts with wrong creds, that should be it.
Here are the policy logs for the first and the second calls, separated out with a few empty lines.
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/headerauthaccprofile_Servicedev_act_oauth_client_ag.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/headerauthaccprofile_Servicedev_act_oauth_client_ag.validated' set to '0'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/testb2b.authresult' set to '0'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/testb2b.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client./Common/testb2b.validated' set to '0'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.authresult' set to '0'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.errMsg' set to 'HTTP error 400, Error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Correlation ID: 31097609-ee17-4b60-8988-c45b2b98d1ec Timestamp: 2020-02-14 15:58:24Z'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.oauth.client.last.validated' set to '0'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.policy.result' set to 'deny'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.clearcache' set to '0'
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.groupname' set to ''
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.requestdomain' set to ''
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.requesttype' set to ''
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable 'session.rest.username' set to ''
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 debug apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'sendAccessPolicyResponse()': 2683: DONE WITH ACCESS POLICY - send 'we are done with access policy for this session' code
Feb 14 09:58:24 f5-sca-vcmp-bastion-01 debug apmd[12729]: 01490266:7: /Common/headerauthaccprofile_Servicedev:Common:216081c7: ApmD.cpp: 'process_apd_request()': 1835: ** done with the request processing **
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.ip.address, value: 10.2.142.225
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.port, value: 59545
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.ip.address, value: 10.118.13.48
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.port, value: 443
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.ssl.bypass_default, value: 0
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.ip.address, value: 10.2.142.225
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.client.port, value: 59546
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.ip.address, value: 10.118.13.48
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.server.port, value: 443
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: /Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable name: perflow.ssl.bypass_default, value: 0
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490567:5: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session deleted (policy_result).
Feb 14 09:58:34 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490567:5: /Common/headerauthaccprofile_Servicedev:Common:216081c7: Session deleted (policy_result).
Feb 14 09:58:50 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490521:5: /Common/headerauthaccprofile_Servicedev:Common:44938aba: Session statistics - bytes in: 0, bytes out: 0
Feb 14 09:58:50 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490521:5: /Common/headerauthaccprofile_Servicedev:Common:44938aba: Session statistics - bytes in: 0, bytes out: 0
The second attempt is not generating that trigger event, which is the error message I am looking for in the iRule. We may need to find another matching condition to get this to work for all attempts with wrong creds.
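To make the log reading done by hand above repeatable, here is an added example in Python (not code from the thread, from sricharan61 or from F5). It groups apmd/tmm lines by the session ID carried in the log prefix (the `216081c7` / `44938aba` field) and reports, per session, what the posted iRule's `contains` test on `session.oauth.client.last.errMsg` would observe. The sample lines are abbreviated copies of the log lines posted above, the line format is assumed to be exactly the one shown there, and the function and constant names are my own.

```python
"""Per-session triage of F5 APM log lines (apmd / tmm).

Groups "Session variable '<name>' set to '<value>'" events by the session ID
in the log prefix and reports, per session, what an ACCESS_POLICY_COMPLETED
iRule testing session.oauth.client.last.errMsg would see.
Assumes the line format shown in the thread above.
"""
import re
from collections import defaultdict

# "<ts> <host> <level> <proc>[pid]: <msgid>: <profile>:<partition>:<session id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<msgid>[0-9A-Fa-f]+:\d+): "
    r"(?P<profile>/[^:\s]+):(?P<partition>[^:\s]+):(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)
SETVAR_RE = re.compile(r"^Session variable '(?P<name>[^']+)' set to '(?P<value>[^']*)'$")

# Exact substring the posted iRule tests with "contains".
IRULE_NEEDLE = ("HTTP error 400, Error: invalid_grant: AADSTS50126: "
                "Error validating credentials due to invalid username or password")

# Constructed sample: abbreviated copies of the log lines posted in the thread.
SAMPLE_LOG = [
    "Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: "
    "/Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable "
    "'session.oauth.client.last.errMsg' set to 'HTTP error 400, Error: invalid_grant: "
    "AADSTS50126: Error validating credentials due to invalid username or password. "
    "Trace ID: c21efb57-a7a9-431a-8d20-ca9cb8552c00 Timestamp: 2020-02-14 15:58:24Z'",
    "Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: "
    "/Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable "
    "'session.oauth.client.last.validated' set to '0'",
    "Feb 14 09:58:24 f5-sca-vcmp-bastion-01 info apmd[12729]: 01490007:6: "
    "/Common/headerauthaccprofile_Servicedev:Common:216081c7: Session variable "
    "'session.policy.result' set to 'deny'",
    "Feb 14 09:58:34 f5-sca-vcmp-bastion-01 info tmm[18432]: 01870003:6: "
    "/Common/headerauthaccprofile_Servicedev:Common:00000000: Agent created variable "
    "name: perflow.client.ip.address, value: 10.2.142.225",
    "Feb 14 09:58:34 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490567:5: "
    "/Common/headerauthaccprofile_Servicedev:Common:216081c7: Session deleted (policy_result).",
    "Feb 14 09:58:50 f5-sca-vcmp-bastion-01 notice tmm[18432]: 01490521:5: "
    "/Common/headerauthaccprofile_Servicedev:Common:44938aba: Session statistics - "
    "bytes in: 0, bytes out: 0",
]


def parse_sessions(lines):
    """Return {session_id: {"vars": {name: value}, "events": [message, ...]}}."""
    sessions = defaultdict(lambda: {"vars": {}, "events": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-session APM line
        sid = m.group("sid")
        if sid == "00000000":
            continue  # tmm per-flow agent output logged before a session exists
        v = SETVAR_RE.match(m.group("msg"))
        if v:
            # Last write wins, matching what ACCESS::session data get returns later
            sessions[sid]["vars"][v.group("name")] = v.group("value")
        else:
            sessions[sid]["events"].append(m.group("msg"))
    return dict(sessions)


def irule_view(session):
    """What the posted ACCESS_POLICY_COMPLETED iRule would see for one session."""
    err = session["vars"].get("session.oauth.client.last.errMsg", "")
    code = re.search(r"AADSTS\d+", err)
    return {
        "policy_result": session["vars"].get("session.policy.result"),
        "has_errmsg": bool(err),
        "aadsts_code": code.group(0) if code else None,
        "irule_condition": IRULE_NEEDLE in err,  # the iRule's "contains" test
        "deleted_by_policy": any("Session deleted (policy_result)" in e
                                 for e in session["events"]),
    }


def triage(lines):
    """Map every session ID in the log to its irule_view() summary."""
    return {sid: irule_view(s) for sid, s in parse_sessions(lines).items()}


def sessions_without_trigger(report):
    """Session IDs for which the iRule condition could never have fired."""
    return sorted(sid for sid, r in report.items() if not r["irule_condition"])


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for sid, summary in report.items():
        print(sid, summary)
    print("no iRule trigger:", sessions_without_trigger(report))
```

Run against the full log excerpt above, the first session (216081c7) carries the errMsg and `session.policy.result` = deny, so the `contains` test is true, while the session from the second attempt (44938aba) shows only tmm statistics lines and no session variables at all, so no condition on `errMsg`, however it is written, can fire for it. Checking this per session before changing the match string separates "wrong match string" from "the policy did not run for this session".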