Forum Discussion
Validating JWT in per-request policy - subsession
- Jul 08, 2022
Thanks for the suggestion about gating criteria, I was finally able to work it around by:
- Triggering an iRule event on every request before the oauth scope subroutine
- Assigning perflow.custom a random value within the ACCESS_PER_REQUEST_AGENT_EVENT event
- Seting the gating criteria to perflow.custom
Needless to say, this is far too twisted for my taste, specially when the docs mention it should work by simply setting the subroutine Max Subsession Life to 0, which I am unable to set to 0 even by patching the object directly calling the iControl API I get a similar error as in the gui ("01070734:3: Configuration error: The max subsession life timeout must range from 60 to 604800 seconds.") so it might be an internal validation.
To provide further info, the docs say that the Max Subsession Life should be set to 0 for the subroutine to be revalidated on every request, but the GUI doesn´t let me set it to 0:
- Nikoolayy1Jul 08, 2022MVP
Stange the the Max Subsession life is 0 and it writen:
-
Specify theMax Subsession Lifein seconds.This is the number of seconds after the session is validated when the session is considered expired, and the subroutine must be revalidated if a request occurs. The default is 900 seconds (15 minutes). If this is set to 0, the subroutine must be revalidated on every request.https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/implementing-device-posture-checks/configuring-subroutine-settings.htmlhttps://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/using-step-up-authentication/overview-configuring-policies-for-step-up-authentication/specifying-how-often-a-user-must-step-up.htmlThis if I read it correcly should do what you want.Outside of this being a bug maybe also see your perflow gating criteria:
- UstrumJul 08, 2022Cirrus
Thanks for the suggestion about gating criteria, I was finally able to work it around by:
- Triggering an iRule event on every request before the oauth scope subroutine
- Assigning perflow.custom a random value within the ACCESS_PER_REQUEST_AGENT_EVENT event
- Seting the gating criteria to perflow.custom
Needless to say, this is far too twisted for my taste, specially when the docs mention it should work by simply setting the subroutine Max Subsession Life to 0, which I am unable to set to 0 even by patching the object directly calling the iControl API I get a similar error as in the gui ("01070734:3: Configuration error: The max subsession life timeout must range from 60 to 604800 seconds.") so it might be an internal validation.
- Nikoolayy1Aug 06, 2022MVP
Has the F5 supported helped arround this issues?
Also as a workaround you can try setting the perflow.custom with a variable assign agent and not an irule.
-
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com