Forum Discussion

Ustrum
Jul 08, 2022

Validating JWT in per-request policy - subsession

Hello,

I'm trying to configure a per-request policy within an API protection profile so I can validate JWT tokens before allowing the request.

The first time a request comes in it works like a charm, but it also creates a subsession with a lifetime set by the values in the subroutine where the OAuth scope is done. For the lifetime of this subsession, subsequent requests will be caught in the same subsession and processed according to the first evaluation of the policy, which means that if the JWT has changed (gone from valid to invalid or the other way around), or it is not there anymore at all, it will not matter and the result will be the same as that of the first request evaluation.

I've tried to change the lifetime of the session, but the smallest value is 60 sec. I also tried to catch the session ID in an iRule and completely remove the session (ACCESS::session remove -sid $apm_session_id), and even to change some of the session data (IP address) with the hope that the next request wouldn't match the same session, but that is simply not working even though syntactically the iRule is correct.

Is there a way to force every request to be evaluated against the per-request policy independently instead of going through the same subsession?

TIA,

Pablo

  • Ustrum
    Jul 08, 2022

    Thanks for the suggestion about gating criteria. I was finally able to work around it by:

    • Triggering an iRule event on every request before the OAuth scope subroutine
    • Assigning perflow.custom a random value within the ACCESS_PER_REQUEST_AGENT_EVENT event
    • Setting the gating criteria to perflow.custom

    Needless to say, this is far too twisted for my taste, especially when the docs mention it should work by simply setting the subroutine Max Subsession Life to 0, which I am unable to set to 0. Even by patching the object directly through the iControl API I get a similar error to the one in the GUI ("01070734:3: Configuration error: The max subsession life timeout must range from 60 to 604800 seconds."), so it might be an internal validation.
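The workaround described in the reply above, written out as an iRule. This is an added illustration, not the poster's code; the agent ID "jwt_nonce" is an assumption and must match the iRule Event agent placed before the OAuth Scope subroutine, whose gating criteria is set to perflow.custom.

```tcl
# Added example (not from the original post). Assumes a per-request
# policy "iRule Event" agent with ID "jwt_nonce" placed before the
# OAuth Scope subroutine, and that subroutine's gating criteria set to
# perflow.custom. Giving perflow.custom a fresh value on every request
# means no existing subsession matches the gating criteria, so the JWT
# is re-validated each time instead of reusing the first verdict.
when ACCESS_PER_REQUEST_AGENT_EVENT {
    # Only act for our agent; other iRule Event agents in the same
    # policy would otherwise also trigger this handler.
    if { [ACCESS::perflow get perflow.irule_agent_id] ne "jwt_nonce" } {
        return
    }
    # Per-request nonce: high-resolution clock plus a random component,
    # so even concurrent requests in the same tick get distinct values.
    set nonce "[clock clicks]-[expr { int(rand() * 1000000000) }]"
    ACCESS::perflow set perflow.custom $nonce
    # Audit trail for verifying that each request really got its own
    # subsession evaluation (compare against APM subsession logs).
    log local0. "jwt_nonce: forcing fresh subsession, perflow.custom=$nonce"
}
```

Each request now carries a gating value that no prior subsession can match, which is what prevents a revoked or removed JWT from riding on an earlier valid evaluation.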