For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

keda's avatar
keda
Icon for Nimbostratus rankNimbostratus
Feb 21, 2023
Solved

iRule - jwt is generated prior to authentication

Hoping you guys could shed some light on this, all our efforts have failed so far Scenario: Client hits https://service.com/example Initial uri is stored in an sessions variable called session.se...
application delivery
irule
jwt
saml
SSO
  • keda's avatar
    keda
    Feb 23, 2023

    Thanks Lucas_Thompson for helping out. ACCESS_ACL_ALLOWED did not help but your input lead us to try ACCESS_POLICY_AGENT_EVENT with a different approach and it appears to have done the trick!

    Thanks again

Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Feb 22, 2023

Hi Keda, it sounds like an interesting use case. As you've found, a per-session policy only executes a single time at the beginning.

To make the code execute upon every request, you can use Per-Request policies (and call your irule from there) or you can use iRules (use the ACCESS_ACL_ALLOWED event so you're inside the user's session context). In either Per-Request or iRules you can append an HTTP header to the user's request. Use the "http header replace" function (https://clouddocs.f5.com/api/irules/HTTP__header.html), as it will replace any existing and potentially incorrect user-supplied header.

  • keda's avatar
    keda
    Icon for Nimbostratus rankNimbostratus
    Feb 23, 2023

    Thanks Lucas_Thompson for helping out. ACCESS_ACL_ALLOWED did not help but your input lead us to try ACCESS_POLICY_AGENT_EVENT with a different approach and it appears to have done the trick!

    Thanks again