Forum Discussion

Tony_Drane_9358's avatar
Tony_Drane_9358
Icon for Nimbostratus rankNimbostratus
Jul 09, 2009

BigIP Changing Oauth String from HTTPS to HTTP

Hi. I am having issues with an Oauth transaction over SSL. There is a secure cert installed on my BigIP. When I try to authorize an Oauth transaction over SSL, the BigIP changes the Oauth request from HTTPS to HTTP when it passes the string to the server. For example, the request to the BigIP https://mycompany.com/api/1.0/myapp/myrequest?oauth_***** becomes http://mycompany.com/api/1.0/myapp/myrequest?oauth_***** when it is passed to my server for a token request. This is in turn corrupts the string and the OAuth verification fails. Would something like this work?

 

 

when HTTP_REQUEST_DATA {

 

regsub "https://mycompany.com/*" [HTTP::payload] "https://mycompany.com/*" fixeddata

 

HTTP::payload replace 0 [HTTP::payload $clen] $fixeddata

 

HTTP::release

 

}

 

 

application delivery
dev
devops
iRules

2 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jul 09, 2009
    Is the issue that the server checks which protocol (or port) the request was sent over? Or is there something within the HTTP headers or HTTP payload that (also?) indicates the request to the server wasn't over SSL?

     

     

    I tried skimming through the Oauth guide here, http://www.hueniverse.com/hueniverse/2008/10/beginners-guide.html, but didn't see this type of info there.

     

     

    Aaron
  • Tony_Drane_9358's avatar
    Tony_Drane_9358
    Icon for Nimbostratus rankNimbostratus
    Jul 10, 2009
    So I looked into oauth we are using on google and found: when constructing signature base string, the code uses a HTTP parameter to determine the scheme. And that parameter never carries the scheme info. For that case, the code always sets to http.

     

     

    Our eng team updated our server to determine if SSL is used for oauth and then change the connection to http using SHA1. This is working for us now. Also, I found out that verisgn sold us a corrupted cert so that didn't help much with troubleshooting. We can close this now.

     

     

    Thanks.