Forum Discussion
OpenID Connect as Client and Resource server
Hi All
I am hoping someone here can help me ... I am setting up an F5 to act as both OpenID Connect Client and Resource Server; however, I am now stuck in an auth loop. My session is being deleted before it's handed over to the authorisation server ..
"If the session ID is still changing (4a3b8e96 -> 76933e5c) and the logs show Session deleted (oauth_finished), the F5 is essentially "forgetting" the session because it is failing to hand off the MRHSession cookie, or the policy is explicitly configured to terminate upon finishing the OAuth transaction."
I have tried many variations of using an iRule to stop the session IDs changing between the auth server and the authorisation server, to no avail .. I am at my wits' end :(
Anyone able to help? I have logs that I can upload, but I will need to sanitise them first. These just show that the Auth-ID is created and then the session is deleted before it's handed over to the VPE that should then send it to the SharePoint app ..
help anyone
11 Replies
Maybe you need to focus on why the client does not send the cookie? Is it a normal web user with a browser in normal, not incognito, mode?
The issue you describe sounds like it is not an APM one, as it is described in the clientless mode article that you can try using:
https://my.f5.com/manage/s/article/K000137617
Also, if this is API traffic, see
https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-api-protection.html as the API protection mode is a newer way than clientless mode.
Other than that, 21.1 adds DCR, but maybe in your case it will not help as this is dynamic client registration:
- Blobbs_001
Nimbostratus
Here are my logs ..
Yes, I am testing in Chrome via incognito.
Jun 3 09:10:35 SDCZ-F5BR-01.dummy.local notice tmm1[22726]: 01490506:5: /Common/Oauth_Logon:Common:a696b8bb: Received User-Agent header: Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F146.0.0.0%20Safari%2F537.36.
Jun 3 09:10:35 SDCZ-F5BR-01.dummy.local notice tmm1[22726]: 01490500:5: /Common/Oauth_Logon:Common:a696b8bb: New session from client IP 10.0.0.1 (ST=/CC=/C=) at VIP 192.168.1.11 Listener /Common/auth.user.domain.com-internal (Reputation=Unknown)
Jun 3 09:10:35 SDCZ-F5BR-01.dummy.local notice tmm1[22726]: 01490584:5: /Common/Oauth_Logon:Common:a696b8bb: APM Session for OAuth Authorization request, OAuth ID (ce710a816392bcf00fddfcb58c1cdc481ce4161daeb1d6cb) OAuth Profile (/Common/Auth_Profile) DB Instance (/Common/oauthdb) Client ID (2ec3eeb8a286f8683c13f70d65da005056be194b5e08076a)
Jun 3 09:11:14 SDCZ-F5BR-01.dummy.local notice tmm2[22726]: 01490521:5: /Common/Test12:Common:acf57247: Session statistics - bytes in: 2941, bytes out: 2725
Jun 3 09:11:36 SDCZ-F5BR-01.dummy.local notice tmm2[22726]: 01990008:5: /Common/Oauth_Logon:Common:a696b8bb: [ce710a816392bcf00fddfcb58c1cdc481ce4161daeb1d6cb] New AuthCode generated for Client ID 2ec3eeb8a286f8683c13f70d65da005056be194b5e08076a IP 10.0.0.1 App (Sharepoint_SubService) User agent (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36) Code-challenge ((null)) Code-challenge-method ((null)) for (JWT) Token
Jun 3 09:11:36 SDCZ-F5BR-01.dummy.local notice tmm2[22726]: 01990024:5: /Common/Oauth_Logon:Common:a696b8bb: [ce710a816392bcf00fddfcb58c1cdc481ce4161daeb1d6cb] New OAuth ID Token Issued at 1780477896 Expires at 1780478196 generated for Client ID 2ec3eeb8a286f8683c13f70d65da005056be194b5e08076a IP 10.0.0.1 App (Sharepoint_SubService) User agent (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36)
Jun 3 09:11:36 SDCZ-F5BR-01.dummy.local notice tmm1[22726]: 01490567:5: /Common/Oauth_Logon:Common:a696b8bb: Session deleted (oauth_finished).
So I can see the Auth-ID is created but the session is deleted. What I need is to keep the session open so that it's handed over to Test12.
Jun 3 09:11:36 SDCZ-F5BR-01.dummy.local notice tmm3[22726]: 01490506:5: /Common/Test12:Common:77d14b8c: Received User-Agent header: Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F146.0.0.0%20Safari%2F537.36.
Jun 3 09:11:36 SDCZ-F5BR-01.dummy.local notice tmm3[22726]: 01490500:5: /Common/Test12:Common:77d14b8c: New session from client IP 10.0.0.1 (ST=/CC=/C=) at VIP 192.168.1.12 Listener /Common/user.domain.com-internal (Reputation=Unknown)
Jun 3 09:11:36 SDCZ-F5BR-01.dummy.local notice tmm3[22726]: 01490567:5: /Common/Test12:Common:77d14b8c: Session deleted (restarted).
But this is seen as a new session rather than being handed over from OAuth_Logon.
How do I get this done and stop the session being deleted when finished?
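To make the symptom in the logs above easier to spot, here is an added diagnostic (not from the thread, not F5 code) that groups APM log lines by session ID and flags an authorization-server session torn down with oauth_finished that is followed by a brand-new session on a different profile from the same client IP, which is the "no cookie handed off" pattern. The embedded sample is a sanitized, constructed copy of the posted lines.

```python
import re

# Prefix of an APM log line: "<ts> <host> <level> tmm<N>[pid]: <code>:<sev>: /Common/<profile>:Common:<sid>: <msg>"
APM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+ tmm\d+\[\d+\]: "
    r"(?P<code>[0-9A-Fa-f]{8}):\d+: /Common/(?P<profile>[^:]+):Common:(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)

# Constructed sample: sanitized copies of the lines posted in the thread (hostname and OAuth IDs redacted).
SAMPLE_LOG = """\
Jun 3 09:10:35 f5 notice tmm1[1]: 01490500:5: /Common/Oauth_Logon:Common:a696b8bb: New session from client IP 10.0.0.1 (ST=/CC=/C=) at VIP 192.168.1.11 Listener /Common/auth-internal (Reputation=Unknown)
Jun 3 09:11:36 f5 notice tmm1[1]: 01490567:5: /Common/Oauth_Logon:Common:a696b8bb: Session deleted (oauth_finished).
Jun 3 09:11:36 f5 notice tmm3[1]: 01490500:5: /Common/Test12:Common:77d14b8c: New session from client IP 10.0.0.1 (ST=/CC=/C=) at VIP 192.168.1.12 Listener /Common/user-internal (Reputation=Unknown)
Jun 3 09:11:36 f5 notice tmm3[1]: 01490567:5: /Common/Test12:Common:77d14b8c: Session deleted (restarted).
"""

def parse_apm_log(text):
    """Group events by APM session ID: profile, client IP, message codes and the 'Session deleted' reason."""
    sessions = {}  # insertion order == order of first appearance in the log
    for line in text.splitlines():
        m = APM_RE.match(line.strip())
        if not m:
            continue  # not an APM session line (or damaged by sanitising)
        s = sessions.setdefault(m.group("sid"), {"profile": m.group("profile"), "client_ip": None, "codes": [], "deleted": None})
        s["codes"].append(m.group("code"))
        ip = re.search(r"client IP (\S+)", m.group("msg"))
        if ip:
            s["client_ip"] = ip.group(1)
        done = re.search(r"Session deleted \((\w+)\)", m.group("msg"))
        if done:
            s["deleted"] = done.group(1)
    return sessions

def find_handoff_gaps(sessions):
    """(as_sid, new_sid) pairs: AS session ended oauth_finished, then a fresh session (01490500) on another profile from the same IP."""
    gaps, sids = [], list(sessions)
    for i, sid in enumerate(sids):
        s = sessions[sid]
        if s["deleted"] != "oauth_finished":
            continue
        for later in sids[i + 1:]:
            t = sessions[later]
            if t["profile"] != s["profile"] and t["client_ip"] == s["client_ip"] and "01490500" in t["codes"]:
                gaps.append((sid, later))
    return gaps

if __name__ == "__main__":
    found = parse_apm_log(SAMPLE_LOG)
    print(find_handoff_gaps(found))  # [('a696b8bb', '77d14b8c')]
```

A healthy handoff would show the client/resource-server profile reusing an existing session ID (no fresh 01490500 from the same IP right after oauth_finished).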
Blobbs_001, have you read the replies by and the other people?
You run the OAuth Authorization Server on the same BIG-IP? The F5 Authorization Server deletes the session after issuing the token; this is the normal behavior.
It seems in your scenario the Client+Resource Server shares the session with the F5 Authorization Server; this is not supported as far as I know. Use two different APM policies and FQDNs for the Authorization Server and the Client+Resource Server, and check that the Scope of the Profile is set to "profile" or "vs" and not to "global".
- Anoop_Jayadharan
Cirrostratus
Hey Blobbs_001
What is your AS(Authorization Server)?
What role is given to BIG-IP APM? Is it a Client + RS(Resource Server)?
Note: You cannot assign both of these roles to a single F5 VS.
- Blobbs_001
Nimbostratus
I have, but none solve my problem unfortunately. I need to enable or allow session sharing. I have tried using iRules, but these appear as if they are not being processed.
Another question is: why do you run an Authorization and a Client+Resource Server on the same box?
For a simple setup it is better to implement authentication without OIDC. If you need an OIDC token for the backend, you can create one in the normal authentication flow.
- Blobbs_001
Nimbostratus
Are you able to show me how?
- Blobbs_001
Nimbostratus
I found this document ..
https://adc-labs.net/openid-connect-as-client-and-ressource-server/
- Anoop_Jayadharan
Cirrostratus
Blobbs_001 I have followed this very document and, with minimal adjustments, made it work in the home lab a few months ago.
- Blobbs_001
Nimbostratus
Hi .. Any pointers on the lab you did to get my request for F5 acting as both Resource Server and Client working?