Refresh token introspect

MVP

Jun 27, 2023

Dmitriy_Sysoev I had some time to play with this.

As the tokens are encrypted you will need to use a variable assign agent to decrypt them and then you can display them with sessiondump or in the GUI with a ''message box'' agent or in the logs with a "Logging" agent etc. You can use even API as the session dump is a linux command:

https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_command_module.html

This article will give you the idea and by adding the refresh token in the logs, even after the session is over you can see the token in the /var/log/apm or in a SIEM if you are sending the logs to a syslog server but be carefull with the security concerns ! :

https://my.f5.com/manage/s/article/K07645403

https://my.f5.com/manage/s/article/K11123

[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep token
e233abe6.session.oauth.client./Common/AS-Opaque-Test.access_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.refresh_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.token_type 6 Bearer
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.access_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.refresh_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.token_type 6 Bearer
e233abe6.session.oauth.client.last.access_token 10 **********
e233abe6.session.oauth.client.last.refresh_token 10 **********
e233abe6.session.oauth.client.last.token_type 6 Bearer

[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep custom
e233abe6.session.client.browscap_info 103 uimode=0&ctype=Mozilla&cversion=5&cjs=1&cactivex=0&cplugin=0&cplatform=Win10&cpu=x64&ccustom_protocol=1
e233abe6.session.client.custom_protocol 1 1
e233abe6.session.custom.refresh 64 68bee27f2978728636b7a680063216b40df3c0fc2ce0773ca1ef677e8c4e2169
[root@bigip3:Active:Standalone] config #

Forum Discussion

Refresh token introspect

Recent Discussions

F5 looses the token for the first call

ports are showing open on online scanning tool

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

Related Content

iControl REST Authentication Token Management

set TOKEN [getfield [HTTP::uri]

JSON Web Token (JWT) Parser

Demystifying iControl REST Part 6: Token-Based Authentication

APM Oauth AS Opaque Token Introspection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS