Advanced API Access Control with BIG-IP APM – Part III
Monitoring and managing Opaque tokens in the BIG-IP APM
When a user uses F5 BIG-IP APM for various OAuth roles, BIG-IP APM can provide useful monitoring information for users. Moreover, if the OAuth token is an opaque format, users can revoke the issued token in the OAuth Authorization Server.
a. Monitoring OAuth Server performance in an OAuth Authorization Server
BIG-IP UI >> Access >> Overview >> OAuth Reports >> Server
b. Monitoring and managing opaque tokens in an OAuth Authorization Server
BIG-IP UI >> Access >> Overview >> OAuth Reports >> Tokens
Opaque token revocation
One of the benefits of using the opaque token as a primary token format for OAuth is the ‘token revocation’. When an opaque token is used for the access token, the OAuth resource server needs to validate the token whenever they receive the token from the OAuth clients. Because of this behavior, an opaque token is normally considered not a scalable token option in the OAuth design. However, if any customers are considering a highly secure token management design, an opaque token can provide a more advanced token management to an organization because an organization can revoke the issued token if the token is leaked by an attacker.
By default, BIG-IP APM checks the opaque token’s validity every 60minutes when the BIG-IP APM runs as an OAuth Resource Server. We need to change this value to a shorter time than the token’s lifetime value. Since the token’s lifetime is set to 5 minutes by default, we will configure the ‘token validation interval’ to 1 minute.
a. Change the token validation time to 1 minute.
BIG-IP UI >> Access >> Federation >> OAuth Client / Resource Server >> OAuth Server
b. Obtain the access token from the OAuth client app and make sure the request is successful.
c. Go to the OAuth Authorization Server and select the issued token in the token monitoring dashboard.
d. Revoke the token
e. Try again to perform the API request from the OAuth client
Token revocation is the strong operational benefit of using an 'Opaque Token' if an organization uses it as a primary token format for OAuth design. However, an 'Opaque token' is considered a not scalable token option of an OAuth design. Resource Servers must check the validity of the access token with an OAuth Authorization Server whenever they receive the opaque token from the OAuth clients. This increase the overall latency and response time of the APIs. Moreover, it requires additional network transactions between an OAuth resource server and an OAuth Authorization Server for token validation purposes. It also requires high processing power and server resources of an OAuth Authorization Server side because the server has to manage an extensive access token database to control the token lifecycle. Because of all these reasons, JWT(JSON Web Token) is more widely adopted in many OAuth implementations. However, if an organization wants to implement highly secure token management for some APIs, they can apply 'Secure Token Translation' implementation using F5 BIG-IP APM. F5 BIG-IP APM can support flexible token translation and enrichment functions, for example, Opaque-to-JWT, JWT-to-JWT, and JWT-to-Opaque. This is another very interesting technical topic, and I'll cover this topic in another article.
F5 BIG-IP APM provides a powerful access control policy for APIs using OAuth scopes. An organization can easily implement advanced access control using BIG-IP APM to protect its API endpoints.