OAuth SSO like SAML Inline SSO possible?
I have the following challenge and I am unsure, how it can be solved.
- F5 APM as OAuth Authorization Server
- Web Application as OAuth Client + Ressource Server
Szenario 1: Internal Access
This works like a charme. The user go's to the Web Application, clicks on the OIDC Login Link, is redirected to the Authorization Server, etc. The classic grant flow.
Szenario 2: External Access through APM Portal
The customer demand is, to publish this web application through a F5 APM Webtop with single sign on. The Web Application does not support getting the JWT from the authorization header, therefore all Bearer SSO methodes are not working.
The application must go through the OAuth Grant Flow transparently for the user. This looks like the SAML Inline SSO method, but that is not possible with OAuth or do I miss anything?
I have two ideas, how this can be solved. It would be great, If someone knows an even simpler method.
- Publish the OAuth Server in the internet.
- Publish the Web Application through a new Virtual Server with an Access Profile attached.
- Add Portal Link to the Web Application.
- Span the access session accross both Access Profiles.
- Opening the Web Application from the Web Top -> works seamless with the same Access Session
- Clicking on the OIDC Login Link at the Web Application
- Redirect to the OAuth Server
- New Access Session begins and the user must login again -> BAD
The new access session for the Authorization server is required, because:
- The Access Policy must be validated to trigger the OAuth Authorization VPE Agent.
- The Access Policy is closed automatically after OAuth Authorization.
- At initial login on the Webtop:
- Generate a secure domain cookie
- Set it in the browser
- Write a mapping table (ltm table) cookie->username
- At the OAuth Server:
- Get the cookie
- Lookup the username in the mapping table
- If found, set the OAuth username, else prompt for authentication
- OAuth Authorization works without user login again
At initial auth-redirect Request from the Web Application:
- Intercept the auth-redirect request
- Use a sideband connection to request the authorization code from the authorization server (skip authentication, authorization server is only available on the f5 itself)
- Use another sideband connection to send the authorization code via the redirect-request back to the Web Application
- Use the redirect-request response as the response for 1. and deliver it to the browser
This are the only two ideas I have, too solve this challenge. However, is it really as complex as I think or is there a really simple method I have overseen?