Forum Discussion
AlexS_yb
Cirrocumulus
CirrocumulusPer Request access policy with OAuth Client Subroutine
I have a per request policy with a URI that is protected with a OAuth Client
Typically this works by using 302 redirect either to /my.policy and then 302 to the OAuth server to get a new token
My problem is for ajax calls, I would like to send 401's
previous request for this suggested this as an example
when ACCESS_SESSION_STARTED {
if { [HTTP::header "X-Requested-With" ] equals "XMLHttpRequest" } {
ACCESS::respond 401
}
}
The problem is that the APM session exist and its on the pre request sub-session so this doesn't work.
I was thinking I could look at the JWT valid till date and if its passed then I could respond a 401 code. But how do I get to pre request session data from a irule
if I do it as a irule event from access profile can I send a respond 401 ?
It would be good if I can configue the oauth client to send 401 and not do redirect's
Any help would be appreciated
You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.
Don't forget to set:
ACCESS::restrict_irule_events disable
Juergen_MangMVP
Have you tried the clientless mode?
when HTTP_REQUEST { HTTP::header insert "clientless-mode" 1 }
AlexS_ybI believe that will stop the 302 to /my.policy
but will it stop the 302 to the oauth server to get a new / or renew a OAuth access token ?
- Juergen_Mang
You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.
Don't forget to set:
ACCESS::restrict_irule_events disable- AlexS_yb
I had thought of that and I have tried that previously to override default APM actions, but found that those events are called even with
ACCESS::restrict_irule_events disable
I will give it another go just in case, but previous experience tells me no - think i had it confirm from F5 support as well - but it been a while
- Juergen_Mang
This had always worked in my projects.