AlexS_yb
Jan 31, 2023

Per Request access policy with OAuth Client Subroutine

I have a per-request policy with a URI that is protected with an OAuth Client.

Typically this works by using a 302 redirect either to /my.policy and then a 302 to the OAuth server to get a new token.

My problem is for AJAX calls, I would like to send 401s.

A previous request for this suggested this as an example:

    when ACCESS_SESSION_STARTED {
        if { [HTTP::header "X-Requested-With"] equals "XMLHttpRequest" } {
            ACCESS::respond 401
        }
    }

The problem is that the APM session exists and it's on the per-request sub-session, so this doesn't work.

I was thinking I could look at the JWT valid-till date and if it's passed then I could respond with a 401 code. But how do I get to per-request session data from an iRule?

If I do it as an iRule event from the access profile, can I send a 401 response?

It would be good if I can configure the OAuth client to send 401 and not do redirects.

Any help would be appreciated.

  • Have you tried the clientless mode?

    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
    }
    • AlexS_yb

      I believe that will stop the 302 to /my.policy,

      but will it stop the 302 to the OAuth server to get a new, or renew an, OAuth access token?

  • You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

    Don't forget to set:

    ACCESS::restrict_irule_events disable
    • AlexS_yb

      I had thought of that, and I have tried that previously to override default APM actions, but found that those events are called even with

      ACCESS::restrict_irule_events disable

      I will give it another go just in case, but previous experience tells me no - I think I had it confirmed by F5 support as well - but it's been a while.