Forum Discussion

Cirrocumulus

Jun 14, 2022

OAuth APM as Authorisation server

Hi Got a question I can't seem to get answered. I have a OAuth authorisation server setup. I have applied the oauth profile and I have a per session policy that use oauth authroization to ass...

BIG-IP Access Policy Manager (APM)

Employee

Jun 27, 2022

Hi AlexS_yb

You right, in Oauth AS use case, APM does not keep session up. As soon as the token is issued, the session is deleted.

If client presents a refresh token, the previous values from the first request should be used.

I'm curious to know which kind of information you want to update during a "token refresh". As if something changed on Owner side, a new authentication is required, then new session var (claims) are issued.

AlexS_yb
Cirrocumulus
Jun 29, 2022
Some claim information is based upon ldap group membership.
With the current setup a 60 min jwt toekn means that a users permission might last 60min past it being removed.

I was thinking maybe to reduce the refresh token time done and force a new jwt, seem expensive though

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

OAuth APM as Authorisation server

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

oauth server generated jwt token problem

APM Exchange Modern Auth (OAuth)

Server cert expired

irule to insert a client cert for authorisation to a website

F5 ASM | Web Server Probe Signture

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS