Forum Discussion

sricharan61
Feb 13, 2020

How to add tenant ID check to existing if loops for redirects

I need to add an additional check to look for a tenant ID that will be set through an access policy assigned to the VIP, before redirecting to either of two destinations. Currently, I have this code running as mentioned below. Since we did not want to have two different trigger paths coded as part of the logout requests, we are being asked to check for the tenant ID of the respective logged-in user and use that to redirect to either of the two destinations for Azure logout, using the same single trigger path of logout-apm instead of having the developers code -apm and apm-b2c for us to be able to distinguish the trigger to either of the destinations.

 

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/logout-apmb2b" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] starts_with "/logout-apmb2c" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}

 

 

where

bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx (the B2C Azure tenant ID we are using)

https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue (the custom logout path for Azure B2C)

 

 

I tried this as a possible solution:

 

 

 

 

when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    log local0. "tid value is $tid"
    if { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" && $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        }
    } elseif { [HTTP::uri] starts_with "/logout-apm" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" && $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}

 

But the redirects are failing with this code.

4 Replies

  • Hey,

    Analysing your code, I found an unreachable condition:

    if { [HTTP::uri] starts_with "/logout-apm" } {
    } elseif { [HTTP::uri] starts_with "/logout-apm" } {
    }

    Maybe a typo?

    Well, my understanding of this case drives me to this code:

    when HTTP_REQUEST {
        set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
        log local0. "tid value is $tid"
     
        if { [HTTP::uri] starts_with "/logout-apm" } {
            if { [HTTP::uri] contains "post_logout_redirect_uri"} {
                set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
                
                if { $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
                    HTTP::redirect "https://login-test.wecenergygroup.com/bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                    
                    return
                
                } elseif { $tid contains "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp" } {
                    HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
                    
                    return
                }
            }
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }

    Am I right, and does that fix it?

     

    Regards.
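The dispatch that the reply's iRule performs, modelled offline in Python as an added example (not code from the thread or from F5): the request URI, host and the APM session variable are passed in as plain arguments, the tenant IDs and hostnames are the thread's placeholders, and safe_return_path is an assumed extra check, not in the thread's rule, that stops the caller-supplied return path from rewriting the host part of the redirect.

```python
from urllib.parse import parse_qs, urlsplit

# Tenant IDs exactly as the poster masked them in the thread (placeholders).
B2C_TENANT = "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx"
AAD_TENANT = "uuuuuuuu-vvvv-qqqq-pppp-pppppppppp"

# Logout endpoints from the thread; the B2C one already carries the policy
# parameter, so the return URL is appended with "&", the common one with "?".
B2C_LOGOUT = (f"https://login-test.wecenergygroup.com/{B2C_TENANT}"
              "/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin")
COMMON_LOGOUT = "https://login.microsoftonline.com/common/oauth2/v2.0/logout"


def safe_return_path(value):
    """Added safeguard (assumption, not part of the thread's iRule): the rule
    appends the caller-supplied value to https://<host>, so accept only a
    site-relative path that cannot change the authority part of the URL."""
    return (value.startswith("/") and not value.startswith("//")
            and "@" not in value and "\\" not in value
            and not any(ch.isspace() for ch in value))


def logout_redirect(uri, host, tid):
    """Return the Location the iRule would send for this request, or None when
    the URI is not a logout trigger (the rule then lets the request through).
    uri/host stand in for [HTTP::uri]/[HTTP::host]; tid stands in for the APM
    session variable session.oauth.jwt.payload.last.tid."""
    parts = urlsplit(uri)
    if not parts.path.startswith("/logout-apm"):
        return None
    # URI::query in the iRule yields the decoded value of one parameter.
    value = parse_qs(parts.query).get("post_logout_redirect_uri", [None])[0]
    if value is not None and safe_return_path(value):
        ret = f"https://{host}{value}"
        if B2C_TENANT in tid:
            return f"{B2C_LOGOUT}&post_logout_redirect_uri={ret}"
        if AAD_TENANT in tid:
            return f"{COMMON_LOGOUT}?post_logout_redirect_uri={ret}"
    # No usable return path, or a tenant that matches neither branch:
    # fall through to the plain common logout, as the reply's rule does.
    return COMMON_LOGOUT


if __name__ == "__main__":
    # Constructed sample requests, one per branch of the rule.
    for uri, tid in [("/logout-apm?post_logout_redirect_uri=/home", B2C_TENANT),
                     ("/logout-apm?post_logout_redirect_uri=/home", AAD_TENANT),
                     ("/logout-apm", B2C_TENANT),
                     ("/logout-apm?post_logout_redirect_uri=/home", "")]:
        print(tid or "<no tid>", "->", logout_redirect(uri, "app.example", tid))
```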

  • I have hashed the tenant IDs on purpose. Yes, the ask is to check for another parameter as an if on top of the two existing conditions, but as a set of two ifs joined with an "and", followed by another if in case the first is matched. I was able to accomplish this with this code:

    if { [HTTP::uri] starts_with "/logout-apm" and $tid contains "bbbbbbbb-vvvv-qqqq-yyyy-xxxxxxxxxxx" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            # ... rest of the rule ...
        }
    }

     

    Thanks

    • cjunior

      So, does that mean you solved this case, or do you still need help in some way?

      Regards.