23-Oct-2019 16:16
I am trying to create a policy where I can try and grab the session variable 'session.oauth.client.last.id_token.groups' that the OAuth client agent gets and use that to decide which ACL can be assigned to the user based on the group ID value of that session variable. I am not seeing any options in the assignment tab of the policy parameters that can leverage this session variable information.
24-Oct-2019 09:11
Hi Iaine
I tried setting up the configuration like this.
expr {[mcget {session.oauth.client.last.id_token.groups}] == "xxxxxxx-xxxx-xxxx-x-xx"}
Static ACLs: /Common/test
Add/Delete
also
expr {[mcget {session.oauth.client./Common/AzureADB2BOauthprov.id_token.groups}] == "xxxxxx-xxxx-xxxx-xxx-xxxxxx"}
Static ACLs: /Common/test
Add/Delete
as I saw both these entries in the access logs for the groups information in different session variable names.
But I do not see the resource assign parameter logs invoking a match for these expressions to send to ACL in the access logs.
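An added example, not from this thread, written in Tcl because that is the language of APM's Advanced Resource Assign expression field. It shows a membership check that still matches when the groups claim carries several group ids rather than a single value; the claim format, the placeholder group id and the sample claims are assumptions, marked in the code.

```tcl
# Constructed placeholder for the Azure AD group object id being matched.
set target_group "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Reduce the raw claim string to a Tcl list of group ids.
# Assumption: the session variable holds either a bare id or a JSON-style
# array such as ["id1","id2"]; confirm the real format in your session logs.
proc claim_to_list {raw} {
    # drop JSON brackets, quotes and spaces, then split on commas
    set cleaned [string map [list {[} {} {]} {} {"} {} { } {}] $raw]
    return [split $cleaned ","]
}

# Returns 1 when target appears in the claim, 0 otherwise.
proc in_group {raw target} {
    return [expr {[lsearch -exact [claim_to_list $raw] $target] >= 0}]
}

# On the BIG-IP the expression field accepts one expr, not procs, so the
# same logic would be written inline (mcget is only available inside APM):
#   expr {[lsearch -exact [split [string map [list {[} {} {]} {} {"} {} { } {}]
#     [mcget {session.oauth.client.last.id_token.groups}]] ","]
#     "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"] >= 0}
# A plain == comparison, as in the thread, only matches a single-valued claim.

# Constructed sample claims for a stand-alone run (tclsh example.tcl):
set samples [list \
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" \
    {["11111111-2222-3333-4444-555555555555","aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]} \
    {["11111111-2222-3333-4444-555555555555"]}]
foreach sample $samples {
    puts "match=[in_group $sample $target_group]  claim=$sample"
}
```

The first two samples report match=1 and the third match=0; the inline form is standard Tcl, but confirm that string map and lsearch are accepted by the expression field of your APM version before relying on it.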
25-Oct-2019 06:44
Dumb question I know, but is the resource assigning happening after the OAuth call?
Have you tried outputting the variables to a message box just prior to the ACL assignment to ensure that the variables are present and correct? https://support.f5.com/csp/article/K11123
01-Nov-2019 11:36
Hi Iaine
Looks like it's working; it's just that the logs are not showing the exact match happening by the condition we are setting. It simply shows what ACL was assigned. I set up a logging message after the OAuth client to be able to see that user group match logged in the session logs.
14-Oct-2020 13:36
Turning on debug logging in the APM logging profile would have shown this activity.
General rule of thumb: if you don't see it in the logs, turn on debug and you will.