
Basic Auth to OAuth 2.0 Client proxy and vice versa

rudolfv
Nimbostratus

I am a bit of a dabbler in Big-IP configuration and iRules and not an expert, so please forgive any ignorance on my part.


I am wondering whether it is possible to use the F5 Big-IP APM to act as an authentication proxy that (1) receives requests with a Basic Auth header that is validated against either a list of static usernames and passwords or an Active Directory/LDAP server. After authenticating the request, the Big-IP should (2) request a token from an external OAuth 2.0 authorization server using the client_credentials grant type (or get an existing token from cache). This external authorization server does not support OIDC. After receiving the token, it should (3) be added to the downstream request as an "Authorization: Bearer" header.


We would also like to have the reverse of the above, where a request is (4) received on the F5 with an OAuth 2.0 Bearer token which is then authenticated and (5) replaced by a Basic Auth header on the downstream request that leaves the F5.


From prior experience with a Big-IP appliance and custom iRules, I'm fairly certain that (1) and (5) are possible.


Regarding (2), when configured as an OAuth client, Access Policy Manager® (APM®) supports authorization code and resource owner password credentials grant types.

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/3...


However, it would seem that there is a workaround available to use a client_credentials grant type. But I'm not sure if the external authorization server not supporting OIDC is going to be a problem.

https://devcentral.f5.com/s/articles/allow-support-of-grant-type-client-credentials-1161


Most of the use cases I have read up on seem to cover the Big-IP performing the OAuth 2.0 authentication on the incoming request/acting as a resource server instead of adding the token to the outgoing request as is required in (3).


There are some articles which almost seem to cover the topics I need, but not exactly:

https://devcentral.f5.com/s/feed/0D51T00006i7jtFSAQ

https://clouddocs.f5.com/training/community/iam/html/class2/module2/module2.html


This iRule function also seems to provide a mechanism for caching OAuth 2.0 tokens, but where exactly they originate from is not completely clear to me:

https://clouddocs.f5.com/api/irules/ACCESS__oauth.html


In (3) it is certainly possible to add the "Authorization: Bearer" header in an iRule once it has been obtained, but I'm kind of stuck on how to obtain it in an iRule or link to the APM configuration elements.


Firstly, can someone please let me know if what I am asking is at all possible, and secondly, if you could provide some details on the murky/missing parts of my solution.
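A reference model of the Basic-to-Bearer leg, steps (1) to (3), as added example code that is not from the post or from F5: plain Python with a constructed static credential list, a token cache that refreshes shortly before expiry, and a caller-supplied `fetch` callable standing in for the client_credentials request to the authorization server. It assumes the authenticated username selects which cached token to use; a real deployment would do this in APM or an iRule.

```python
import base64
import hmac
import time

# Constructed static credentials (stand-in for a data group or AD/LDAP lookup).
STATIC_USERS = {"svc-reporting": "s3cret-example"}

def basic_header(user, password):
    """Build a Basic header value; used here only to construct sample input."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(header):
    """Return the username if the Basic header is valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return None
    expected = STATIC_USERS.get(user)
    # compare_digest avoids leaking the password through timing differences
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user

class TokenCache:
    """One client_credentials token per key, refreshed `skew` seconds early."""
    def __init__(self, fetch, skew=30):
        self.fetch = fetch    # callable(key) -> (access_token, expires_in)
        self.skew = skew
        self._cache = {}      # key -> (token, absolute expiry time)
    def get(self, key, now=None):
        now = time.time() if now is None else now
        entry = self._cache.get(key)
        if entry and entry[1] - self.skew > now:
            return entry[0]
        token, expires_in = self.fetch(key)
        self._cache[key] = (token, now + expires_in)
        return token

def rewrite_headers(headers, cache, now=None):
    """Basic -> Bearer: validate, then replace Authorization or reject (None)."""
    user = check_basic(headers.get("Authorization"))
    if user is None:
        return None  # caller answers 401; the Basic header is never forwarded
    out = dict(headers)
    out["Authorization"] = "Bearer " + cache.get(user, now)
    return out
```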
