Forum Discussion
Ustrum
Cirrus
CirrusValidating JWT in per-request policy - subsession
Hello, I´m trying to configure a per-request policy within an api protection profile so I can validate JWT tokens before allowing the request. The first time a request comes in it works like charm,...
Thanks for the suggestion about gating criteria, I was finally able to work it around by:
- Triggering an iRule event on every request before the oauth scope subroutine
- Assigning perflow.custom a random value within the ACCESS_PER_REQUEST_AGENT_EVENT event
- Seting the gating criteria to perflow.custom
Needless to say, this is far too twisted for my taste, specially when the docs mention it should work by simply setting the subroutine Max Subsession Life to 0, which I am unable to set to 0 even by patching the object directly calling the iControl API I get a similar error as in the gui ("01070734:3: Configuration error: The max subsession life timeout must range from 60 to 604800 seconds.") so it might be an internal validation.
Nikoolayy1
MVP
MVPStange the the Max Subsession life is 0 and it writen:
-
Specify theMax Subsession Lifein seconds.This is the number of seconds after the session is validated when the session is considered expired, and the subroutine must be revalidated if a request occurs. The default is 900 seconds (15 minutes). If this is set to 0, the subroutine must be revalidated on every request.https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/implementing-device-posture-checks/configuring-subroutine-settings.htmlhttps://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/using-step-up-authentication/overview-configuring-policies-for-step-up-authentication/specifying-how-often-a-user-must-step-up.htmlThis if I read it correcly should do what you want.Outside of this being a bug maybe also see your perflow gating criteria:
UstrumCirrus
CirrusThanks for the suggestion about gating criteria, I was finally able to work it around by:
- Triggering an iRule event on every request before the oauth scope subroutine
- Assigning perflow.custom a random value within the ACCESS_PER_REQUEST_AGENT_EVENT event
- Seting the gating criteria to perflow.custom
Needless to say, this is far too twisted for my taste, specially when the docs mention it should work by simply setting the subroutine Max Subsession Life to 0, which I am unable to set to 0 even by patching the object directly calling the iControl API I get a similar error as in the gui ("01070734:3: Configuration error: The max subsession life timeout must range from 60 to 604800 seconds.") so it might be an internal validation.
- Nikoolayy1
Has the F5 supported helped arround this issues?
Also as a workaround you can try setting the perflow.custom with a variable assign agent and not an irule.
- Ustrum
After quite a long time waiting I got a response from support, and it was quite dissapointing, saying that the doc has to be "interpreted":
The document states that "If this is set to 0, the subroutine must be revalidated on every request.". And we should read that statement that way: "if this could be set to 0, the subroutine would need to be revalidated on every request".
Then mentioning a couple of internal docs I don´t have access to, and stating it might be possible to set the Max Subsession Lifetime to 0 once an RFE is implemented, and suggesting I could purchase professional services to find a workaround for me (not needed since I already got one).
Good idea about the variable assign agent, saves me from the trigger and irule code, it does work indeed, thanks for that!
- Nikoolayy1
If you managed to get the needed answers, please flag the question as answered.
- Nikoolayy1
The error is saying timeout for some reason and the articles show that 0 should be possible so for me it seem as a bug that could be solved with newer versions but you made a nice workaround.