I am trying to set up Azure AD as the OAuth server for the APM policy I have on the F5. When using the authorization grant flow and testing a VIP that uses the policy, I see that the user is redirected to Azure for authorization and comes back to the reply-back URI (the same F5 VIP), but the login prompt from Azure is stuck at the "Do you want to stay signed in?" page and never comes back to the VIP at /oauth/client/redirect. I see the debugger tool shows the response back with the auth code to the reply-back URI, but the status code is shown as failed instead of 302. After a while the BIG-IP logout page pops up. The session logs show this error message:
/Common/testazurexxxxx:Common:xxxxx:/Common/testazureADredirect_act_oauth_client_ag: OAuth Client: failed for server '/Common/Azurexxxx' using 'authorization_code' grant type (client_id=xxxxx-x-x-x-x-x-x-x), error: HTTP error 503, DNS lookup failed
I have added a DNS resolver, abc.example.com, and have it set to forward all DNS traffic to the local DNS server x.x.x.x on port 53, using "." as the forward zone, but the issue still remains. Let me know what might be causing this and what the probable fix is.
Did you ever figure this out?
We're running into a similar issue where we see "HTTP error 503, DNS lookup failed" when attempting to hit an introspection service to validate an OAuth token.
I'd like to read more about what this DNS Resolver actually does because, from what we've seen, it makes no difference whatsoever.
Sorry, no solution for the initial problem, but do you see a DNS request going out of the BIG-IP, either via TMM or the mgmt interface?
I can't find a good K article on the DNS resolver configuration. I see it as a way to use different DNS servers than the ones you configure for the box; also, that traffic will always go via the TMM interfaces.
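The "DNS lookup failed" text in both reports comes from the back-channel request APM makes after the browser returns with the auth code (the token request to the OAuth server, or the introspection request for a token). That request resolves the OAuth server's hostname through the DNS resolver object, and the resolver's queries leave through TMM using the data-plane routes, not the management interface. A first isolation step is therefore to ask the forwarded nameserver directly whether it answers for that hostname. The script below is an added example, not F5's code and not from this thread: it hand-builds a DNS query (stdlib only), sends it to the nameserver the resolver forwards to, and reports the rcode and A records. The hostname token.example, the transaction id 0x1234 and the address 192.0.2.10 in the sample response are constructed for offline testing; in practice the name is the host part of the token or introspection endpoint configured on the APM OAuth server object, and the nameserver is the x.x.x.x from the forward zone.

```python
"""Query a specific nameserver for an OAuth server hostname (added example)."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a standard recursive query (RD set) with one question."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return the transaction id, rcode name and (owner, type, ttl, value) answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, offset = flags & 0x000F, 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:         # A record
            value = socket.inet_ntoa(rdata)
        elif rtype == 5:                      # CNAME
            value, _ = read_name(data, offset)
        else:
            value = rdata.hex()
        answers.append((owner, rtype, ttl, value))
        offset += rdlen
    return {"txid": txid, "rcode": RCODES.get(rcode, str(rcode)), "answers": answers}


def check_resolution(name, nameserver, port=53, timeout=3.0):
    """Ask one nameserver for an A record; returns (ok, human-readable detail)."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (nameserver, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, "no answer from %s:%d (reachable from the TMM side?)" % (nameserver, port)
    result = parse_response(data)
    if result["txid"] != txid:
        return False, "transaction id mismatch"
    if result["rcode"] != "NOERROR":
        return False, "forwarder returned %s" % result["rcode"]
    addrs = [v for (_o, t, _ttl, v) in result["answers"] if t == 1]
    return (True, "resolves to " + ", ".join(addrs)) if addrs else (False, "no A records")


def make_sample_response(txid=0x1234, rcode=0, addr="192.0.2.10"):
    """Constructed answer for token.example (hypothetical host) for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    question = encode_name("token.example") + struct.pack("!HH", 1, 1)
    if rcode != 0:
        return header + question
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + question + answer


if __name__ == "__main__":
    import sys
    print(check_resolution(sys.argv[1], sys.argv[2]))  # e.g. token.example 10.0.0.53
```

Run it from a host on the same subnet as the BIG-IP's self IP, since that is the path the resolver's queries take; running it from the BIG-IP bash prompt tests the host (management) routing table instead, which is exactly the difference the last reply points at. To answer that reply's question on the box itself, a capture on the TMM pseudo-interface, `tcpdump -nni 0.0 udp port 53`, shows whether the resolver's queries leave at all and what the forwarder sends back; a SERVFAIL or REFUSED from the forwarder, or no answer within the timeout, surfaces to APM as the 503 "DNS lookup failed" seen above.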