For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Jan 31, 2023
Solved

Per Request access policy with OAuth Client Subroutine

I have a per request policy with a URI that is protected with a OAuth Client Typically this works by using 302 redirect either to /my.policy and then 302 to the OAuth server to get a new token My p...
APM SSO OAuth
devops
  • Juergen_Mang's avatar
    Juergen_Mang
    Jan 31, 2023

    You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

    Don't forget to set:

    ACCESS::restrict_irule_events disable
Juergen_Mang's avatar
Juergen_Mang
Icon for MVP rankMVP
Feb 01, 2023

This had always worked in my projects.

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Feb 05, 2023

Seems to be working I will need to go back and check out what happened before

Any way for the record.

in HTTP_REQUEST

"/xxxx/1.0/*" {

if { [HTTP::header "clientless-mode"] equals "1" } {
log local0. "set flags for [HTTP::path]"
set clmodeflag 1
set unAuthFlag 1
}

don't forget to set those to 0 at the start of any request

1 that clientless-mode is set

1 flag to say send 401 instead of 302

then

when HTTP_RESPONSE_RELEASE {
if { ( [HTTP::status] == 302) && ( $clmodeflag == 1 ) && ( $unAuthFlag == 1 ) } {
# want to send 401 instead of 302
HTTP::respond 401
}

}