Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

ERR_CONN_RESET - VS - OAuth Client

julienb
Nimbostratus
Nimbostratus

‎24-Mar-2021 03:07

Hello everyone,

 

I'm a newbie with F5, for a client I have to configure an OpenID Connect authentication, so I followed the F5 documentation and everything if working fine, except one thing.

 

The process :

The user go to the Virtual Server apptest.example.com (On the first F5) (Access profile just with OAuth Client), he is directly redirect to the virtual Server (On the second F5) appauth.example.com (Access Profile with OAuth Authorization), the user authenticate itself, if the authentication succeed he passed trough OAuth Authorization and he is redirected to the apptest.example.com, after that he is finally redirect to my website with the id_token.

 

The problem is : If the user go back to apptest.example.com, the Virtual Server stuck and after maybe 1 minute the user got the error : ERR_CONN_RESET (Chrome). But if I delete the active session of the user (With the first F5), it works, and the user can access apptest.example.com and do the all process.

 

What I was expecting is : When the user go back to apptest.example.com after successful process (authentication), he is directly redirected to my website with the id_token.

 

Thank you in advance.

Labels:
0 Kudos
15 REPLIES 15

Nikoolayy1
MVP
MVP

‎24-Mar-2021 06:14

The apptest.example.com is a with a Redirect ending to appauth.example.com or multydomain SSO config is used?

0 Kudos

julienb
Nimbostratus
Nimbostratus

‎24-Mar-2021 06:17

Hello, thank you for your reply.

 

Yes at the end of the apptest.example.com policy, it is a Redirect ending to another website (website.example.com)

0 Kudos

Nikoolayy1
MVP
MVP
In response to julienb

‎24-Mar-2021 12:32

So how the redirect to appauth.example.com happens and what you mean by (On the second F5) ? Another F5 device?

0 Kudos

julienb
Nimbostratus
Nimbostratus
In response to Nikoolayy1

‎29-Mar-2021 05:28

Hello,

No there is just 2 F5 ; One use as a client/resource server and the other as authorization server ; At the end of the Access Profile (Per-Session Policies), when the client passed trough the "OAuth client", the client is redirected to the website : website.example.com/ide_token=****** ;

 

0691T00000C2X6sQAF.png 

Thank you.

0 Kudos

Daniel_Wolf
MVP
MVP

‎24-Mar-2021 13:48

Hi,

 

can you share with us which F5 documentation / guide you followed? Just a link to it.

 

And can you share how your Resource Server (apptest.example.com (On the first F5)) is configured? Does it have an Access Profile (Per-Session Policy) and additionally a Per-Request Policy? How is it setup?

The behaviour of "delete the active session and after reload it works" makes me wonder if part of the config on the Resource Server is missing.

 

KR

Daniel

0 Kudos

julienb
Nimbostratus
Nimbostratus
In response to Daniel_Wolf

‎29-Mar-2021 06:03

Hello and thank you,

 

You can find my reply below.

 

Best regards.

0 Kudos

julienb
Nimbostratus
Nimbostratus

‎29-Mar-2021 05:35

Hello,

This is the doc I followed : https://support.f5.com/csp/article/K14391041 ; But I changed some settings, for example my client want to use OpenID Connect with it. On apptest.example.com there is just one Access Profile (Per-Session Policy). Like this :

0691T00000C2X6sQAF.png

When the user connects for the first time and pass it through, it works, but when he has an active session he can't connect to apptest.example.com, I have an error "Secure Connection Failed" ... An error occured during a connection to apptest.example.com. PR_CONNECT_RESET_ERROR

The only "workaround" I found for the moment is to delete the active session at the end of the Access Profile (when I redirect the user to the website). But it means that I can't see his session on the F5.

PS : I see nothing in the Access Profile logs, so it means (I think) that is related to the Virtual Server and not the Access Profile.

 

Best regards.

0 Kudos

Daniel_Wolf
MVP
MVP
In response to julienb

‎29-Mar-2021 08:22

Hello,

your answer is quite comprehensive, I will go through it...

Meanwhile, did you do a traffic capture on the F5 or on the client? On the F5 you can decrypt the SSL and you can also log the reset cause. It's definitely worth to investigate the reason for the connection reason.

 

KR

Daniel

julienb
Nimbostratus
Nimbostratus
In response to Daniel_Wolf

‎30-Mar-2021 01:49

Hello and thank you.

 

I will investigate.

 

Best regards.

0 Kudos

Nikoolayy1
MVP
MVP
In response to Daniel_Wolf

‎30-Mar-2021 03:49

F5 has a great article for this:

 

https://support.f5.com/csp/article/K06028005

 

 

Also with httpwatch or fiddler you can check if you see a response but the blowser maybe has issues to show it as it said the the connection is reset by chrome maybe it is not the F5.

 

 

https://support.f5.com/csp/article/K45654620

 

 

For OAuth to decode the answer if you think is need I found this tool. I have such tools to decode SAML messages. For Oauth message decode the F5 has an article for such things:

 

 

https://support.f5.com/csp/article/K35932460

 

Also this can be used:

 

https://oauth.tools/

0 Kudos

julienb
Nimbostratus
Nimbostratus

‎29-Mar-2021 05:50

Here is the doc I made, the first one is the Internal WAF, this F5 will act as the Authorization Server :

0691T00000C2XCHQA3.png0691T00000C2XCMQA3.png0691T00000C2XCRQA3.png0691T00000C2XCWQA3.png

0 Kudos

julienb
Nimbostratus
Nimbostratus

‎29-Mar-2021 05:59

And here the doc about the second F5, acting as the Client.

0691T00000C2XDoQAN.png0691T00000C2XDtQAN.png0691T00000C2XDyQAN.png0691T00000C2XE7QAN.png0691T00000C2XE8QAN.png

0 Kudos

Daniel_Wolf
MVP
MVP

‎03-Apr-2021 08:50 - last edited on ‎24-Mar-2022 01:22 by Fog

Hi  ,

 

did you get any further with this? I managed to get it going following strictly https://support.f5.com/csp/article/K14391041.

I will adjust my setup throughout the weekend to add the configuration required for JWT and will test further.

Any results from taking a tcpdump or maybe you can change the Log profile to debug level for OAuth?

 

KR

Daniel

0 Kudos

Daniel_Wolf
MVP
MVP
In response to Daniel_Wolf

‎04-Apr-2021 06:38

Just to clarify that I am not missing something important - you want to achieve the following:

 

Client goes to https://app.example.com (Resource Server).

Is redirected to https://auth.example.com (Authentication Server), client authenticates with <whatever>, receives token.

Is redirected back to https://app.example.com and authenticates there once with the token received from the Authentication Server.

The client then receives the APM cookies and no further token is required.

 

Is that correct? Because I got this working with your settings from above.

Only thing I have different is the cookie settings and some minor stuff like username instead of mail.

 

Anything obvious that might be off in your config? Like mixing http and https or IP and FQDN, or something off with your DNS config in apm-dns-resolver?

 

0 Kudos

julienb
Nimbostratus
Nimbostratus
In response to Daniel_Wolf

‎09-Apr-2021 03:18

Hello,

 

Sorry for the late reply, I was busy with other projects.

 

The process (for the moment) is :

  • The user goes to apptest.example.com (RS)
  • He is redirect to appauth.example.com (AS)
    • The client authenticates
  • Then he is redirect to webapp.example.com (the website) with a token
  • And yes he gets an APM cookie

 

The client is redirected to the IP of the website (webapp.example.com = 10.0.0.4) instead of a FQDN, but everything use HTTPS.

 

Thank you for your time.

 

Best regards.

0 Kudos
Copyright © 2023 Khoros, LLC