
ERR_CONN_RESET - VS - OAuth Client

julienb
Nimbostratus

Hello everyone,

 

I'm a newbie with F5. For a client I have to configure an OpenID Connect authentication, so I followed the F5 documentation and everything is working fine, except one thing.

 

The process:

The user goes to the Virtual Server apptest.example.com (on the first F5) (Access Profile just with OAuth Client); he is directly redirected to the Virtual Server appauth.example.com (on the second F5) (Access Profile with OAuth Authorization). The user authenticates; if the authentication succeeds he passes through OAuth Authorization and is redirected to apptest.example.com, after which he is finally redirected to my website with the id_token.

 

The problem is: if the user goes back to apptest.example.com, the Virtual Server gets stuck and after maybe 1 minute the user gets the error ERR_CONN_RESET (Chrome). But if I delete the user's active session (on the first F5), it works, and the user can access apptest.example.com and go through the whole process.

 

What I was expecting is: when the user goes back to apptest.example.com after a successful process (authentication), he is directly redirected to my website with the id_token.

 

Thank you in advance.


Is apptest.example.com configured with a Redirect ending to appauth.example.com, or is a multi-domain SSO config used?

julienb

Hello, thank you for your reply.

 

Yes, at the end of the apptest.example.com policy there is a Redirect ending to another website (website.example.com).

So how does the redirect to appauth.example.com happen, and what do you mean by "(On the second F5)"? Another F5 device?

Hello,

No, there are just 2 F5s: one used as a client/resource server and the other as authorization server. At the end of the Access Profile (Per-Session Policy), when the client has passed through the "OAuth Client", the client is redirected to the website: website.example.com/ide_token=****** ;

 

[screenshot]

Thank you.

Hi,

 

Can you share with us which F5 documentation / guide you followed? Just a link to it.

 

And can you share how your Resource Server (apptest.example.com, on the first F5) is configured? Does it have an Access Profile (Per-Session Policy) and additionally a Per-Request Policy? How is it set up?

The behaviour of "delete the active session and after reload it works" makes me wonder whether part of the config on the Resource Server is missing.

 

KR

Daniel

Hello and thank you,

 

You can find my reply below.

 

Best regards.

julienb

Hello,

This is the doc I followed: https://support.f5.com/csp/article/K14391041 ; but I changed some settings, for example my client wants to use OpenID Connect with it. On apptest.example.com there is just one Access Profile (Per-Session Policy), like this:

[screenshot]

When the user connects for the first time and passes through, it works, but when he has an active session he can't connect to apptest.example.com; I get the error "Secure Connection Failed ... An error occured during a connection to apptest.example.com. PR_CONNECT_RESET_ERROR".

The only "workaround" I have found for the moment is to delete the active session at the end of the Access Profile (when I redirect the user to the website). But that means I can't see his session on the F5.

PS: I see nothing in the Access Profile logs, so it means (I think) that it is related to the Virtual Server and not the Access Profile.

 

Best regards.

Hello,

Your answer is quite comprehensive, I will go through it...

Meanwhile, did you do a traffic capture on the F5 or on the client? On the F5 you can decrypt the SSL and you can also log the reset cause. It's definitely worth investigating the reason for the connection reset.

 

KR

Daniel

Hello and thank you.

 

I will investigate.

 

Best regards.

F5 has a great article for this:

 

https://support.f5.com/csp/article/K06028005

 

 

Also, with HttpWatch or Fiddler you can check whether you see a response but the browser maybe has issues showing it, as it said the connection is reset by Chrome; maybe it is not the F5.

 

 

https://support.f5.com/csp/article/K45654620

 

 

For OAuth, to decode the answer if you think it is needed, I found this tool. I have such tools to decode SAML messages. For OAuth message decoding, F5 has an article for such things:

 

 

https://support.f5.com/csp/article/K35932460

 

Also this can be used:

 

https://oauth.tools/

julienb

Here is the doc I made; the first one is the Internal WAF, this F5 will act as the Authorization Server:

[screenshots]

julienb

And here is the doc about the second F5, acting as the Client.

[screenshots]

Hi,

 

did you get any further with this? I managed to get it going following strictly https://support.f5.com/csp/article/K14391041.

I will adjust my setup throughout the weekend to add the configuration required for JWT and will test further.

Any results from taking a tcpdump or maybe you can change the Log profile to debug level for OAuth?

 

KR

Daniel

Just to clarify that I am not missing something important - you want to achieve the following:

 

Client goes to https://app.example.com (Resource Server).

Is redirected to https://auth.example.com (Authentication Server), client authenticates with <whatever>, receives token.

Is redirected back to https://app.example.com and authenticates there once with the token received from the Authentication Server.

The client then receives the APM cookies and no further token is required.

 

Is that correct? Because I got this working with your settings from above.

Only thing I have different is the cookie settings and some minor stuff like username instead of mail.

 

Anything obvious that might be off in your config? Like mixing http and https or IP and FQDN, or something off with your DNS config in apm-dns-resolver?
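The step in Daniel's summary where the Resource Server "authenticates there once with the token received from the Authentication Server" is the point where the id_token has to be checked before any APM session is created, and the decoding tools linked earlier in the thread only show a token's contents, not whether it is valid. The following is an added example (not code from this thread, from F5, or from oauth.tools) that decodes a constructed OIDC id_token and runs the standard validation checks: signature, issuer, audience, expiry and nonce. It assumes an issuer URL of https://appauth.example.com, a client_id of "apptest-client" and an HS256 shared secret, all constructed for the demo; an APM authorization server normally signs id_tokens with RS256, verified against its JWKS URL, but the claim checks are the same. It goes slightly beyond the thread by also rejecting tokens whose header announces an unexpected algorithm.

```python
"""Decode and validate an OpenID Connect id_token (added example, not from
the thread). Issuer, client_id and the HS256 secret are constructed demo
values; a real APM client validates RS256 signatures against the AS JWKS."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-shared-secret-not-a-real-key"   # constructed, demo only
EXPECTED_ISSUER = "https://appauth.example.com"       # assumed AS issuer URL
EXPECTED_AUDIENCE = "apptest-client"                  # assumed client_id


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed id_token from constructed claims (test data only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_id_token(token: str) -> tuple[dict, dict]:
    """Split the token and decode header and payload WITHOUT verifying it.
    This is what a decoder tool shows you; it proves nothing about validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def validate_id_token(token: str, secret: bytes = DEMO_SECRET,
                      now: float | None = None,
                      expected_nonce: str | None = None) -> list[str]:
    """Return the list of checks that failed; an empty list means the token
    is acceptable. The algorithm is pinned before the signature is used, so
    a token whose header says 'alg: none' is rejected rather than trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token"]
    header, payload = decode_id_token(token)
    problems = []

    if header.get("alg") != "HS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    else:
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            problems.append("signature mismatch")

    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    aud = payload.get("aud")                      # 'aud' may be a string or a list
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("token expired or missing exp")
    if expected_nonce is not None and payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")        # nonce ties the token to this login
    return problems


if __name__ == "__main__":
    # Constructed claims standing in for what the AS would put in the id_token.
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "julien",
              "iat": 1700000000, "exp": 1700000300, "nonce": "n-123"}
    token = make_demo_id_token(claims)
    print(decode_id_token(token)[1])
    print("problems:", validate_id_token(token, now=1700000100, expected_nonce="n-123"))
```

When reading a real token from the redirect (the `id_token=` value in the URL the thread describes), `decode_id_token` is the equivalent of pasting it into a decoder, while `validate_id_token` is what the client side has to do before treating the user as logged in; a token that decodes fine but fails the expiry or nonce check is exactly the kind of stale artifact a leftover session can replay.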

 

Hello,

 

Sorry for the late reply, I was busy with other projects.

 

The process (for the moment) is:

  • The user goes to apptest.example.com (RS)
  • He is redirected to appauth.example.com (AS)
    • The client authenticates
  • Then he is redirected to webapp.example.com (the website) with a token
  • And yes, he gets an APM cookie

 

The client is redirected to the IP of the website (webapp.example.com = 10.0.0.4) instead of an FQDN, but everything uses HTTPS.

 

Thank you for your time.

 

Best regards.