Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Jan 31, 2023

Per Request access policy with OAuth Client Subroutine

I have a per request policy with a URI that is protected with a OAuth Client Typically this works by using 302 redirect either to /my.policy and then 302 to the OAuth server to get a new token My p...
APM SSO OAuth
devops
  • Juergen_Mang's avatar
    Juergen_Mang
    Jan 31, 2023

    You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

    Don't forget to set:

    ACCESS::restrict_irule_events disable
AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus

I had thought of that and I have tried that previously to override default APM actions, but found that those events are called even with

ACCESS::restrict_irule_events disable

I will give it another go just in case, but previous experience tells me no - think i had it confirm from F5 support as well - but it been a while

Juergen_Mang's avatar
Juergen_Mang
Icon for MVP rankMVP
Feb 01, 2023

This had always worked in my projects.

  • AlexS_yb's avatar
    AlexS_yb
    Icon for Cirrocumulus rankCirrocumulus
    Feb 05, 2023

    Seems to be working I will need to go back and check out what happened before

    Any way for the record.

    in HTTP_REQUEST

    "/xxxx/1.0/*" {

    if { [HTTP::header "clientless-mode"] equals "1" } {
    log local0. "set flags for [HTTP::path]"
    set clmodeflag 1
    set unAuthFlag 1
    }

    don't forget to set those to 0 at the start of any request

    1 that clientless-mode is set

    1 flag to say send 401 instead of 302

    then

    when HTTP_RESPONSE_RELEASE {
    if { ( [HTTP::status] == 302) && ( $clmodeflag == 1 ) && ( $unAuthFlag == 1 ) } {
    # want to send 401 instead of 302
    HTTP::respond 401
    }

    }