Forum Discussion

Ustrum's avatar
Ustrum
Icon for Cirrus rankCirrus
Dec 22, 2022
Solved

Group based authorization + OAuth 2.0 client setup with APM

Hi all,

I am trying to configure an APM access policy to authenticate users using an oauth flow, integrated with Azure AD, with APM acting as client/RS as described in K42333110. So far so good, only users within my tenant can access the VS, but I am hitting a wall when trying to limit access to users within a specific AD group.

The AD App the APM is using to authenticate users is configured to include the groups the user requesting the token belongs to in the group calims field of the JWT, but I can´t see any field for "groups" or similar under the session variables, so I have nothing to base the authorization on. Now my questions would be:

- Is there a way to see the value of the access token requested by the APM as client application? when I do a session dump, the value of the token is obfuscated, just as in the session variables table

- Once I get (hopefully) a session variable with the value of the groups, can I use an oauth scope step, or do I need to use an irule and evaluate to make an access/deny decission in the per session policy?

TIA

  • > is there a way I can access the raw value of the access token for debugging purposes?

    I have done this always with the described message box.

6 Replies

  • > Is there a way to see the value of the access token requested by the APM as client application? when I do a session dump, the value of the token is obfuscated, just as in the session variables table

    You can use a Message Box in the VPE to display the session variable. Decoding can be done with jwt.io

    • Ustrum's avatar
      Ustrum
      Icon for Cirrus rankCirrus

      Thanks for your response! I think I didn´t explain myself, though: when I access the "session.oauth.client./Common/policy.access_token" value, it is obfuscated/encrypted, and it starts with $CK$$, so the question would rather be: is there a way I can access the raw value of the access token for debugging purposes?

  • > is there a way I can access the raw value of the access token for debugging purposes?

    I have done this always with the described message box.

  • As the SAML attributes on some versions are saved as "secure" data on the F5 I forgot when I played with this if Oauth token is the same way but as Juergen_Mang  said you can use the message box and mcget -secure to decrypt it and then use base64 decode site as this is the encoding.

    K07645403: Using mcget -secure to decrypt and display a password for troubleshooting auth issues.

    https://support.f5.com/csp/article/K07645403