For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Jun 14, 2022

OAuth APM as Authorisation server

Hi   Got a question I can't seem to get answered.   I have a OAuth authorisation server setup. I have applied the oauth profile and I have a per session policy that use oauth authroization to ass...
BIG-IP Access Policy Manager (APM)
devops
oauth
security
Matt_Dierick's avatar
Matt_Dierick
Icon for Employee rankEmployee
Jun 27, 2022

Hi AlexS_yb 

You right, in Oauth AS use case, APM does not keep session up. As soon as the token is issued, the session is deleted.

If client presents a refresh token, the previous values from the first request should be used. 

I'm curious to know which kind of information you want to update during a "token refresh". As if something changed on Owner side, a new authentication is required, then new session var (claims) are issued.

  • AlexS_yb's avatar
    AlexS_yb
    Icon for Cirrocumulus rankCirrocumulus
    Jun 29, 2022

    Some claim information is based upon ldap group membership.

    With the current setup a 60 min jwt toekn means that a users permission might last 60min past it being removed.

     

    I was thinking maybe to reduce the refresh token time done and force a new jwt, seem expensive though