Forum Discussion

rodolfosalgado_
Jul 22, 2016

How BIG-IP Token/Authentication works?

I'm unable to find anywhere (here, documentation, articles) anyone who could explain a little better the authentication token you get in the response from REST.

I'm sending the POST to REST, and REST is returning the authentication.

Here is an example:

token            : AD2GKZPXKVTE4WKJEQUZTIPOM3
name             : AD2GKZPXKVTE4WKJEQUZTIPOM3
userName         : admin
authProviderName : tmos
user             : ...
groupReferences  : ...
timeout          : 1200
startTime        : 2016-07-22T09:24:11.808-0500
address          : 10.10.10.10
partition        : [All]
generation       : 1
lastUpdateMicros : 1469197451807722
expirationMicros : 1469198651808000
kind             : shared:authz:tokens:authtokenitemstate
selfLink         : https://localhost/mgmt/shared/authz/tokens/AD2GKZPXKVTE4WKJEQUZTIPOM3

Does anyone know what "lastUpdateMicros" and "ExpirationMicros" are, and what Timeout actually means? I'm having several issues in my scripts when I call REST and the call just fails. If I try to get a new token the call works. I wonder if it could be because the token expires after it is used once. Will the token expire only after 1200 seconds, or is that not true?

  • The token will timeout after 1200 seconds. All attempts to increase or remove that have been futile for me.

     

    • rodolfosalgado_

      Can you do as many calls as you want during this 1200 time window?

       

    • ekaleido_26616

      That is my experience. If you create the token every time you call the API, you should get the same token until the 1200 seconds is up. So be sure to always generate the token and insert the token as the header and you'll be able to account for when it expires and becomes a new value.

       

    • Satoshi_Toyosaw
      Historic F5 Account

      A different token is generated for every request as far as I checked. Tested on 12.1.2 and 13.0.0. The behaviour may be different in a different version. Please post the version number you tested if you can, so I can verify.

      Here's a test one-liner:

      for i in `seq 1 30`; do curl -sk -X POST -H "Content-type: application/json" \
       https:///mgmt/shared/authn/login \
       -d '{"username":";", "password":";", "loginProviderName":"tmos"}' | \
       python -m json.tool | fgrep '"token": "' | sort | uniq -c; done
      

      To get a list of currently available tokens, run:

      curl -sku admin: https:///mgmt/shared/authz/tokens
      
  • It is possible to modify the timeout once a token is obtained. This is achieved using the PATCH method.

    Get a token (from an external auth provider in this example):

    curl -s -k -u admin:changeme -X POST -H "Content-Type: application/json" -d '{ "username": "mrajagopal", "password": "changeme1234", "loginProviderName": "tmos"}' https://10.154.170.18/mgmt/shared/authn/login
    

    Update the token with preferred timeout (max: 36000) value using the self-link key provided in the response:

    curl -sk https://10.154.170.18/mgmt/shared/authz/tokens/Y43RS3JJLFXFH3FRT4PVZQOUOJ -H "X-F5-Auth-Token: Y43RS3JJLFXFH3FRT4PVZQOUOJ" -X PATCH -d '{"timeout" : 4200}'
    

    The 'lastUpdateMicros' key in the response is the unix timestamp of when this token was modified as we did to adjust the timeout.

    While the 'expirationMicros' key is the unix timestamp of when this token will expire.

  • In case you want to use BIG-IQ as REST proxy you are forced to use a token.

    Please see Ask F5 article "K04452074: Overview of using the BIG-IQ system authentication token". The token timeout of 300 seconds is hard coded.

    A token can be requested via REST as shown below.

    An object is returned containing a key named "token".

    The value of token is another object containing the token key and value and other elements.

    To filter the token string the following syntax might be used on shell:

    curl -sk -X POST -H "Content-Type: application/json" -d '{"username":"", "password":""}' "https:///mgmt/shared/authn/login" | \
    grep -oP '(?<="token":)\{("[^"]*":\s*("[^"]*"|[^",]*|\{[^}]*\}|\[[^]]*\]),?)*\}' | grep -oP '(?<="token":")[^"]*'
    
    • Andre_Nurwono

      IPADDR='127.0.0.1'; \
      TOKEN=`curl -sku admin:admin https://$IPADDR/mgmt/shared/authn/login -X POST -H "Content-Type: application/json" -d '{"username":"admin", "password":"admin", "loginProviderName":"tmos"}' | jq -r '.token.token'` ; \
      curl --trace-time -vvv -sk -X GET https://$IPADDR/mgmt/shared/identified-devices/config/device-info -H "X-F5-Auth-Token: $TOKEN";
      

      I love the filter!
      There's also the jq util which can parse JSON. This example then reuses it in a subsequent call.

  • For more information on the authentication token, refer to the following documents.

    ... I know. The docs do not define what the lastUpdateMicros and ExpirationMicros fields mean ... but we can certainly guess. Try EpochConverter. If you are using the Python API, try

    >>> import time
    >>> time.gmtime(1386701529797298/10**6)
    time.struct_time(tm_year=2013, tm_mon=12, tm_mday=10, tm_hour=18, tm_min=52, tm_sec=9, tm_wday=1, tm_yday=344, tm_isdst=0)
    
  • Got it. From 13.1.0, the maximum number of authentication tokens a non-admin user can obtain is limited to 100. The default life of a token is 30 min, so after that, you should be able to create a new token. It is recommended to reuse the token to avoid the error.
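
An added example, not code from any poster in this thread: it reads the `lastUpdateMicros`, `expirationMicros` and `timeout` values from the response quoted in the question, and shows one way to reuse a token until shortly before it expires, as the last reply recommends. `TokenCache`, its `login` and `clock_micros` callables and the 60-second margin are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: fields copied from the token response quoted in the question.
SAMPLE_TOKEN = {
    "token": "AD2GKZPXKVTE4WKJEQUZTIPOM3",
    "timeout": 1200,
    "lastUpdateMicros": 1469197451807722,
    "expirationMicros": 1469198651808000,
}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def micros_to_utc(micros):
    """Microseconds since the Unix epoch -> aware UTC datetime (integer math, no float rounding)."""
    return EPOCH + timedelta(microseconds=micros)


def seconds_left(token, now_micros):
    """Remaining lifetime in seconds; zero or negative means the token has expired."""
    return (token["expirationMicros"] - now_micros) / 10**6


class TokenCache:
    """Reuse one token and log in again only when it is within `margin` seconds of expiry."""

    def __init__(self, login, clock_micros, margin=60):
        # `login` is a hypothetical callable that POSTs to /mgmt/shared/authn/login
        # and returns the "token" object of the response as a dict.
        self._login = login
        self._clock = clock_micros  # callable returning the current time in microseconds
        self._margin = margin       # assumed safety margin, also absorbs small clock skew
        self._token = None
        self.logins = 0             # number of login calls made, for visibility

    def get(self):
        """Return the token string to send in the X-F5-Auth-Token header."""
        expired = (self._token is None
                   or seconds_left(self._token, self._clock()) <= self._margin)
        if expired:
            self._token = self._login()
            self.logins += 1
        return self._token["token"]


if __name__ == "__main__":
    print("last update:", micros_to_utc(SAMPLE_TOKEN["lastUpdateMicros"]).isoformat())
    print("expires    :", micros_to_utc(SAMPLE_TOKEN["expirationMicros"]).isoformat())
    print("lifetime(s):", seconds_left(SAMPLE_TOKEN, SAMPLE_TOKEN["lastUpdateMicros"]))
```

In the sample response, `expirationMicros` minus `lastUpdateMicros` comes to the 1200-second `timeout`, which is why both values change when the timeout is PATCHed.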