17-Jan-2023 11:36 - edited 17-Jan-2023 11:37
Good afternoon. I have a token introspection response that looks like this. I would like the username to not be prepended with the APM access profile name (/Common/oauth.). Any ideas on how I can achieve this? I would like it to just be bobsmith. Thanks in advance.
Or better yet, add my own parameters to the introspection response.
{
  "active":true,
  "client_id":"12345",
  "username":"/Common/oauth.bobsmith",
  "token_type":"Bearer",
  "exp":1673981397,
  "iat":1673981097,
  "nbf":1673980797,
  "sub":"/Common/oauth.bobsmith",
  "scope":"read"
}
19-Jan-2023 13:33
Hi @Erich_R_ - I've asked one of my colleagues to stop by this thread since you haven't gotten an answer from the community yet.
19-Jan-2023 13:58
Hi there. Hopefully I can help. What was your setup method? iApp? Manual?
19-Jan-2023 14:50
Manual. Not sure why F5 has to be different from others and prepend the access policy name. I may have to ask the RS to strip it off. I know that it is not an identity token, but the RS needs to perform a user match on their side to determine which client submitted the request. Thanks.
19-Jan-2023 14:22
This is not real easy, but it is possible. There are two issues to contend with:
1- The built-in OAuth response cannot be modified directly inside of the configuration because the introspect response is hard-coded.
2- iRules cannot be applied directly to an APM virtual to modify its own self-response (such as logon pages, SAML, OAuth, etc.). You can work around this by removing the clientSSL profile from the APM virtual and using an intermediate virtual server. You can think of it a little like "self SSL offload", but instead of using a pool, you use the iRule "virtual" command to switch the flow to the APM VS. Then you can modify the response payload. This is the same issue faced in this old SAML DevCentral question:
So basically, you:
when RULE_INIT {
    # Set below value to be the name of your OAuth AS virtual server
    # After testing, remove or comment out all the log statements below to avoid clutter
    set static::virtual_OAuth_server "/Common/my_oauth_as.app/my_oauth_as_vs"
}
when HTTP_REQUEST {
    log local0. "[HTTP::host] [HTTP::method] [HTTP::uri]"
    # Reset on every request: iRule variables live for the whole TCP connection,
    # so on a keep-alive connection a stale flag would rewrite an unrelated response
    set is_introspect 0
    if { [HTTP::method] equals "POST" and [HTTP::path] equals "/f5-oauth2/v1/introspect" } {
        set is_introspect 1
    } else {
        log local0. "Not an introspect request"
    }
    # Hand the flow to the APM virtual server (the "self SSL offload" trick above)
    virtual $static::virtual_OAuth_server
}
when HTTP_RESPONSE {
    log local0. "response"
    if { [info exists is_introspect] && $is_introspect } {
        # Cap collection at 1 MB; a missing Content-Length (chunked body) also gets the cap
        # rather than erroring on an empty-string comparison
        if { [HTTP::header exists Content-Length] && [HTTP::header Content-Length] <= 1048576 } {
            set content_length [HTTP::header Content-Length]
        } else {
            set content_length 1048576
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
            log local0. "response content collected: $content_length"
        } else {
            log local0. "cannot collect the content, length: $content_length"
        }
    }
}
when HTTP_RESPONSE_DATA {
    log local0. "response data"
    if { [info exists is_introspect] && $is_introspect } {
        # Put a regex below that represents the replacement you want to apply to APM's introspection response
        # Any normal TCL string manipulation can be applied here
        # -all is required: both "username" and "sub" carry the prefix
        regsub -all {/Common/oauth\.} [HTTP::payload] "" fixeddata
        log local0. "Replacing payload with fixed data."
        # Replace what was actually collected, not the advertised Content-Length;
        # HTTP::payload replace adjusts the response Content-Length header itself
        HTTP::payload replace 0 [HTTP::payload length] $fixeddata
        HTTP::release
    }
}
19-Jan-2023 14:52
Thank you for the detailed response. I appreciate it. I may have to resort to this if the RS cannot parse it out. I also included the username as a scope name with the %{session.logon.last.username} as the value. Maybe they can pull that out to match the user. Thanks again.
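The two routes discussed in this thread, rewriting the introspection payload in front of APM or having the resource server (RS) normalise it and do the user match, side by side in Python. This is an added example, not code from the thread or from F5. It assumes the RFC 7662 response body quoted in the question, that the prefix to strip is exactly "/Common/oauth.", and a 60-second clock-skew allowance; the function names are hypothetical. The RS-side function also shows the checks (active, exp/nbf, scope) that should precede any user match, since an introspection username alone says nothing about whether the token is still valid.

```python
"""Handling an F5 APM token-introspection response (added example, not from the thread or F5)."""
import json
import time

# Constructed sample: the introspection body quoted in the question.
SAMPLE_BODY = b'''{
"active":true,
"client_id":"12345",
"username":"/Common/oauth.bobsmith",
"token_type":"Bearer",
"exp":1673981397,
"iat":1673981097,
"nbf":1673980797,
"sub":"/Common/oauth.bobsmith",
"scope":"read"
}'''

APM_PREFIX = "/Common/oauth."   # assumption: "<partition>/<access profile name>."
CLOCK_SKEW = 60                  # assumption: tolerated RS/AS clock drift, seconds


def strip_apm_prefix(value, prefix=APM_PREFIX):
    """Remove the APM prefix only when it leads the value.

    A blanket replace would also strip an embedded occurrence such as
    "x/Common/oauth.y", so the match is anchored at the start.
    """
    if isinstance(value, str) and value.startswith(prefix):
        return value[len(prefix):]
    return value


def rewrite_introspection_body(body, prefix=APM_PREFIX):
    """JSON-aware equivalent of the iRule regsub approach.

    Parses the body, strips the prefix from "username" and "sub", and returns
    the re-serialised bytes together with the Content-Length a proxy must send
    (BIG-IP adjusts it for you; a hand-rolled proxy has to do it itself).
    """
    data = json.loads(body)
    for claim in ("username", "sub"):
        if claim in data:
            data[claim] = strip_apm_prefix(data[claim], prefix)
    new_body = json.dumps(data, separators=(",", ":")).encode()
    return new_body, len(new_body)


def validate_introspection(body, required_scope, now=None, prefix=APM_PREFIX):
    """Resource-server decision: (accepted, reason, normalised username).

    The username is returned only for an accepted token, already stripped,
    so the RS user match never sees the APM prefix.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    if data.get("active") is not True:
        return False, "inactive", None
    if data.get("token_type", "Bearer").lower() != "bearer":
        return False, "unexpected token_type", None
    if "exp" in data and now > data["exp"] + CLOCK_SKEW:
        return False, "expired", None
    if "nbf" in data and now < data["nbf"] - CLOCK_SKEW:
        return False, "not yet valid", None
    scopes = set(data.get("scope", "").split())
    if required_scope not in scopes:
        return False, "missing scope %s" % required_scope, None
    username = strip_apm_prefix(data.get("username") or data.get("sub"), prefix)
    if not username:
        return False, "no subject", None
    return True, "ok", username


if __name__ == "__main__":
    body, length = rewrite_introspection_body(SAMPLE_BODY)
    print(length, body.decode())
    print(validate_introspection(SAMPLE_BODY, "read", now=1673981100))
```

Note the anchored prefix check: the iRule regsub in the thread strips the substring wherever it occurs, which is fine for the quoted response but would also mangle a username that happened to contain "/Common/oauth." in the middle, so a JSON-aware rewrite is the safer choice when the RS can be changed.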
19-Jan-2023 14:55
No problem, glad to help. It's a complicated issue. APM is designed to support multi-tenancy so there are a lot of areas where there are seemingly unnecessary things (like "/Common") prepended to object names.
20-Jan-2023 00:20
Depending on what you're trying to achieve, it could be easier to simply strip /Common/oauth. from the username with a VPE variable assign.