Forum Discussion
Oauth and F5 - one thing is unclear
Regarding this article - https://devcentral.f5.com/wiki/iRules.OAuth2-Google-APM.ashxContributed_by:_Adrian_Noblett_0
Very cool by the way, I'm just trying to understand the flow of things here as I'm getting stuck: The oauth virtual I'm sure was intended to be APM enabled. If I hit this virtual though it either creates a new APM session. So what gets logged is this:
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: OAuth uri: /oauth?state=71d3f818&code=4/MHfEKOscrambled3wFgOu5NDZ5e2p1aU
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: OAuth hit. code=4/MHfEKOscrambled3wFgOu5NDZ5e2p1aU
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: state=71d3f818
Dec 9 11:09:39 lhr4-lb-01 info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62066: Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED. The value is:
The [ACCESS::session data get session.user.sessionid] value is of course $null if the oauth virtual is not APM enabled (sure that was not the intention), and it also logs null when my session gets deleted when APM enabled:
set apmsession [ACCESS::session data get session.user.sessionid]
if { !( [ACCESS::session data get session.user.sessionid] == $OA2state ) } {
    if {$static::oauth_debug} { log local0. "$log_prefix Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED. The value is:$apmsession" }
    # No state match, could be cross-site-request-forgery - ACCESS DENIED
    ACCESS::session data set session.oauth.result 0
    ACCESS::session data set session.oauth.alert "Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED"
    HTTP::respond 302 location "/my.policy"
    return
}
2 Replies
- Rabbit23_116296
Nimbostratus
Getting closer and the issue looks to be with my sideband connection. I've tried so many different things but I've always had issues with these layered virtuals:
Help!!
Dec 9 11:58:33 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Connect returns: and conn status:
Dec 9 11:58:33 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Connect info: <30 {connected idle idle}>
Dec 9 11:58:33 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Sent 419 bytes, send status:
Dec 9 11:58:37 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Recv data (0 bytes) in 3100 ms: <>, peek status:
Dec 9 11:58:37 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Closed, conn info: <{closing sent received}>
Dec 9 11:58:37 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Access Token Response Code :
Dec 9 11:58:37 lhr4-lb-01 info tmm[18309]: Rule /Voice/OAuth2-iRule : 10.164.4.9:62460: Access Token Request FAILED
- Rabbit23_116296
Nimbostratus
Stuff is getting complex - do I need this https://clouddocs.f5.com/api/irules/HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-Chunked-Transfer-APM-Access-etc.html or not?
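
A triage sketch for the denial in the first post, added here as an example (not code from the thread or from the original iRule): it reads the iRule's debug lines and separates denials where no APM session id was logged from denials where a session id was present but differed from the `state` value. The sample lines are constructed in the log format shown in the thread, and treating an empty value after "The value is:" as a missing session is an assumption.

```python
import re

# Constructed sample lines in the iRule's debug log format (hosts, IPs, values are made up).
SAMPLE_LOG = """\
Dec 9 11:09:39 lb info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.0.0.9:62066: state=71d3f818
Dec 9 11:09:39 lb info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.0.0.9:62066: Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED. The value is:
Dec 9 11:10:02 lb info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.0.0.7:51000: state=aaaa1111
Dec 9 11:10:02 lb info tmm1[18309]: Rule /Voice/OAuth2-iRule : 10.0.0.7:51000: Session state mismatch - Possible cross-site-request-forgery - ACCESS DENIED. The value is:bbbb2222
"""

# "Rule <name> : <client ip:port>: <message>" as written by the iRule's log calls.
LINE = re.compile(r"Rule \S+ : (?P<client>\d+\.\d+\.\d+\.\d+:\d+): (?P<msg>.*)$")
STATE = re.compile(r"^state=(\S*)$")
DENIED = re.compile(r"^Session state mismatch .* The value is:(.*)$")


def classify_denials(log_text):
    """Return (client, state, session_id, verdict) for every denial line."""
    last_state = {}  # client ip:port -> most recent state= value logged
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        client, msg = m.group("client"), m.group("msg").strip()
        s = STATE.match(msg)
        if s:
            last_state[client] = s.group(1)
            continue
        d = DENIED.match(msg)
        if d:
            session_id = d.group(1).strip()
            # Assumption: an empty logged value means the session lookup
            # returned nothing, so the comparison could never have succeeded.
            verdict = "state-mismatch" if session_id else "no-apm-session"
            results.append((client, last_state.get(client, ""), session_id, verdict))
    return results


if __name__ == "__main__":
    for row in classify_denials(SAMPLE_LOG):
        print(row)
```

A "no-apm-session" verdict points at session handling on the callback virtual rather than at a forged request; a "state-mismatch" verdict with a populated session id is the case the CSRF check is meant to catch.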
