Forum Discussion

Olivier_Beytrison's avatar
Apr 19, 2023
Solved

APM & Azure AD Oauth : using JWT values

Hello,

I've successfully setup Azure AD Oauth with APM using this guide : https://my.f5.com/manage/s/article/K53313351

After logging in, I see (with the Oauth trace plugin for chrome) that Azure AD returns a JWT containing my username, firstname, lastname, preffered_username ect.

I'd like to use those information to identify the session in APM (currently the sessions doesn't display any username), and also send some of those values back to the app.

What are the required steps to map the preffered_username in the JWT as the session username in APM ?

Thanks for your help !

  • Olivier_Beytrison's avatar
    Olivier_Beytrison
    Apr 20, 2023

    Ok found the solution.

    In the access policy, I forgot to add "user.read profile" in the scope for the Oauth block.

    Now I can see all JWT values in the session variables.

4 Replies

  • The JWT claims are accessible though APM session variables, e.g. session.oauth.client.last.id_token.unique_name. Simply look at the session variables and use this directly or assign it through a variable assign agent to an another variable.

    • Olivier_Beytrison's avatar
      Olivier_Beytrison
      Icon for Altocumulus rankAltocumulus

      Thanks Juergen for your reply.

      I never saw any values of the JWT in the session variables. Which is kinda weird.

      So when digging further, I can see that in fact, no JWT is returned during a normal authentication. 

      Which steps needs to be done on APM to request a JWT ?

      The flow is the following (output from OauthFlows on chrome) (data has been obfuscated for privacy)  : 

      Request 1 {
      Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
      date: "2023-04-20T06:28:34.747Z",
      originator: "https://app.myhost.com/",
      redirectURL: {
      baseURL: "/my.policy..."
      },
      postData: "No POST"
      }

      Request 2 {
      Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
      date: "2023-04-20T06:28:34.787Z",
      originator: "https://app.myhost.com/my.policy",
      redirectURL: {
      baseURL: "https://login.microsoftonline.com:443/<<tenant_id>>/oauth2/v2.0/a...",
      client_id: "<<client_id>>",
      redirect_uri: "https://app.myhost.com/oauth/client/redirect",
      response_type: "code",
      scope: "openid offline_access",
      state: "scrambled",
      nonce: "scrambled"
      },
      postData: "No POST"
      }

      Request 3 {
      Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
      date: "2023-04-20T06:28:34.810Z",
      originator: "https://login.microsoftonline.com/<<tenant_id>>/oauth2/v2.0/authorize?client_id=<<client_id>>&redirect_uri=https%3A%2F%2Fapp.myhost.com%2Foauth%2Fclient%2Fredirect&response_type=code&scope=openid%20offline_access&state=scrambled&nonce=scrambled",
      redirectURL: {
      baseURL: "https://app.myhost.com/oauth/client/redirect?code=0.AQUAJPdyo7LAoE6r-w64xvhOQMUZCEwqUG...",
      code: "0.AQUAJPdyoscrambleda_Y2JLGEMOP7_jvauChDoYvhuV0SNaiH4cL0y9BdPmKosg2fIHNO6LDH6aeSVi0o3-shNW7IXwftrCEnu8n39u38ejKGtASR82iwB9VUpzQZRxMnaXRYosKIxn9DH_g1j_kN11SnP6CTYFPEbqVB0TCFqLrCUdoMbu1fZwzPhXFLjI8FlfBrw51GKA_MD4raTG96bHsg4OZ1v0PzHTIH_IgZiUOiqLgWJN_YTamV5PNLCrnYL7hKgQ",
      state: "5bPJXhN6AfzkpnznAa0accg",
      session_state: "11cdd02d-b7aa-4c0c-a851-e88feaa4f419"
      },
      postData: "No POST"
      }

      Request 4 {
      Explanation: "GET from ORIGINATOR(previous page) => REDIRECTURL(Current page)",
      date: "2023-04-20T06:28:34.971Z",
      originator: "https://app.myhost.com/oauth/client/redirect?code=0.AQUAJPdyo7LAoE6r-w64xvhOQMUZCEwqUGlNo3FLpQ_p9xUFACI.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wUA9P88PlRR4vySF8NkEu5Hw3Vom43JLKD9SeEQIEsseacj5ONBwAhuwZHvV485aKW2NL5XHzFhY_-Oscrambled1-e88feaa4f419",
      redirectURL: {
      baseURL: "/..."
      },
      postData: "No POST"
      }

      If more information are required on the configuration on the f5/apm or azure ad feel free to ask.

      Thanks in advance for your help

      • Olivier_Beytrison's avatar
        Olivier_Beytrison
        Icon for Altocumulus rankAltocumulus

        Ok found the solution.

        In the access policy, I forgot to add "user.read profile" in the scope for the Oauth block.

        Now I can see all JWT values in the session variables.

  • Where exactly did you add this "user.read profile"? I am usign the same guide and my troubleshooting shows the token also being rejected or flow being denied.