Oauth Scope Check

Question

I've got a access_token from my BigIP Oauth Authorization Server for grant_type as client_credentials with invalid scope. As you can see from the response from /introspect, both scope and scope_data is empty. I am wondering why the Oauth Scope Check in the Per-Request-Policy is still evaluated as Allow (subsession.oauth.scope.last.authresult == 1)? Should it give Deny as the evaluation result for this Per-Request-Policy? Is it possible for me to manually check the size of "scope_data" in that response in when ACCESS_PER_REQUEST_AGENT_EVENT if size of that array is &lt; 1, I'd like manually reset subsession.oauth.scope.last.authresult to 0oauth scope check to /f5-oauth2/v1/introspect has following response:

{

&nbsp; "active":true,

&nbsp; "client_id":"68ebc48eb2a84a096e8589eb141900505686049f7743c05d",

&nbsp; "username":"/Common/oauthas-ap.vsasdao",

&nbsp; "token_type":"Bearer",

&nbsp; "exp":1573213401,

&nbsp; "iat":1573209801,

&nbsp; "nbf":1573209501,

&nbsp; "sub":"/Common/oauthas-ap.vsasdao",

&nbsp; "scope":"",

&nbsp; "scope_data":[

&nbsp; ]

}

jian_lin · Answer

you my try subsession.oauth.scope.last.introspect.scope_data.id to and &nbsp;subsession.oauth.scope.last.scope_data.parsed.(value from last command)

jian_lin · Answer

there is empty in your scope valid response (in scope data )

Forum Discussion

Oauth Scope Check

Recent Discussions

Default retry time inband monitor

how to monitor the axfr master response

Http / https health monitor issue

I used the wrong email account when take Application Delivery Exam (101)

F5 looses the token for the first call

Related Content

Basic OAuth concept and OAuth with F5 solutions

iRuleLX Solution for OAUTH JWT authenticated Salesforce Query

Monitoring Failure OAuth request

Request and validate OAuth / OIDC tokens with APM

Scope of variables when using call

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS