
How to add tenant ID check to existing if loops for redirects

sricharan61
Cirrus

I need to add an additional check that looks for a tenant ID, which will be set through an access policy assigned to the VIP, before redirecting to either of two destinations. Currently I have the code below running. Since we did not want two different trigger paths coded as part of the logout requests, we are being asked to check the tenant ID of the respective logged-in user and use that to redirect to either of the two destinations for Azure logout, using the same single trigger path of logout-apm instead of having the developers code -apm and apm-b2c for us to be able to distinguish the trigger to either of the destinations.

 

when HTTP_REQUEST {
    # Azure AD (B2B) logout, triggered by the /logout-apmb2b path
    if { [HTTP::uri] starts_with "/logout-apmb2b" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            # Path to return to after logout, taken unchanged from the request's query string
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] starts_with "/logout-apmb2c" } {
        # Azure AD B2C logout, triggered by the /logout-apmb2c path; uses the
        # custom-domain, tenant-specific logout endpoint and the B2C policy name
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}

 

 

where

bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx is the Azure B2C tenant ID we are using, and

https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue is the custom logout path for Azure B2C.

 

 

I tried this as a possible solution:

when HTTP_REQUEST {
    # Tenant ID of the logged-in user, populated by the access policy on the VIP
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"

    # Single shared trigger path; the tenant ID decides which logout endpoint to use
    if { [HTTP::uri] starts_with "/logout-apm" } {
        # B2C tenant: custom-domain logout endpoint
        if { [HTTP::uri] contains "post_logout_redirect_uri" && $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        }
    } elseif { [HTTP::uri] starts_with "/logout-apm" } {
        # B2B tenant: common Microsoft logout endpoint
        if { [HTTP::uri] contains "post_logout_redirect_uri" && $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}

 

but the redirects are failing with this code.

4 REPLIES

cjunior
Nacreous

Hey,

Analysing your code, I found an unreachable condition:

if { [HTTP::uri] starts_with "/logout-apm" } {
}
elseif { [HTTP::uri] starts_with "/logout-apm" } {
}

Maybe a typo?

Well, my understanding of this case leads me to this code:

when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"

    if { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            if { $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
                HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                return
            } elseif { $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
                HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                return
            }
        }
        HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
    }
}

Am I right, and does that fix it?

 

Regards.
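The question and the reply above agree on the shape of the fix: key on the single /logout-apm path and pick the logout endpoint by tenant. The following iRule is an added example written for this page, not code from the thread or from F5. It maps the tenant ID to an endpoint with a switch and a default branch for an unknown or missing tenant, and it validates the post_logout_redirect_uri value before echoing it back, since the thread's redirects build https://[HTTP::host]$postLogoutValue from an unvalidated query parameter. The tenant IDs and the session variable name are the placeholders used in the thread; the validation rule (a same-site path that begins with a single "/" and contains no "\", "@" or whitespace) and the use of URI::encode are assumptions about what the application accepts, not something the thread specifies. HTTP::host is kept as in the thread.

```tcl
when HTTP_REQUEST {
    # Only the single shared trigger path is handled here; everything else
    # passes through untouched.
    if { not ([HTTP::path] starts_with "/logout-apm") } { return }

    # Tenant ID of the logged-in user, populated by the access policy.
    # Session variable name taken from the thread; it is empty when the
    # request carries no APM session.
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]

    # Tenant -> logout endpoint. The placeholder tenant IDs are the ones used
    # in the thread (assumed values); in production they would live in a data group.
    switch -- $tid {
        bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx {
            set logoutBase "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin"
        }
        uuuuuuuu-vvvv-qqqq-pppp-pppppppppp {
            set logoutBase "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
        default {
            # Unknown or missing tenant: log it and fall back to the common
            # endpoint without a return URL rather than guessing.
            log local0. "logout-apm: no tenant mapping for tid '$tid' from [IP::client_addr]"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
            return
        }
    }

    # Empty when the parameter is absent from the query string.
    set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]

    # No return URL requested: plain logout at the tenant's endpoint.
    if { $postLogoutValue equals "" } {
        HTTP::redirect $logoutBase
        return
    }

    # The value is echoed back as https://<host><value>, so it must be a
    # same-site path: a single leading "/" and nothing that could turn it
    # into a different authority ("//", "/\", "@") or break out of the
    # query string (whitespace, CR/LF). This rule is an assumption about
    # what the application needs; tighten it to the paths you actually use.
    if { not ($postLogoutValue starts_with "/") or [regexp {^/[/\\]} $postLogoutValue] or [regexp {[\s@]} $postLogoutValue] } {
        log local0. "logout-apm: rejected post_logout_redirect_uri '$postLogoutValue' from [IP::client_addr]"
        HTTP::redirect $logoutBase
        return
    }

    # Append the return URL as an encoded query parameter, using "&" when the
    # endpoint already carries a query string (the B2C policy name).
    if { $logoutBase contains "?" } { set sep "&" } else { set sep "?" }
    HTTP::redirect "${logoutBase}${sep}post_logout_redirect_uri=[URI::encode "https://[HTTP::host]$postLogoutValue"]"
}
```

With this structure a request for /logout-apm?post_logout_redirect_uri=/app/signed-out from a user whose session carries the B2C tenant ID goes to the custom-domain endpoint with the policy name and an encoded return URL, the same request from the other tenant goes to login.microsoftonline.com, and a value such as //evil.example or @evil.example is logged and dropped instead of being forwarded.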

sricharan61
Cirrus

I have hashed the tenant IDs on purpose. Yes, the ask is to check for another parameter as an if on top of the two existing conditions, but as a set of two ifs: an "and", followed by another if in case the first is matched. I was able to accomplish this with this code:

 

if { [HTTP::uri] starts_with "/logout-apm" and $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {

    if { [HTTP::uri] contains "post_logout_redirect_uri" } {

 

Thanks

So, does that mean you have solved this case, or do you still need help in some way?

Regards.

It is resolved now, thanks for your help!😊