Forum Discussion
Monitoring Failure OAuth request
Hi,
Unfortunately, we occasionally have problems with OAuth authentications. Through the graph located at "Access ›› Overview : OAuth Reports : Client / Resource Server" we can see in the GUI the validation errors per second.
Is it possible to create alerts when there are validation errors? Or is it possible to query this information via SNMP?
Thanks
- James_Jinwon_Lee (Employee)
Hello tub91
If APM fails the token validation, you can find the error log in the access policy logging.
Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=
Since the token validation is performed by the 'OAuth Scope' agent in the access policy, it generates this log message whenever it fails to validate the token. You can also monitor any access policy that finishes with the ending type 'Reject'. With that log message you can monitor not only the token validation failure cases but also all other access failure reasons. You can export these access logs to an external Syslog server and create a predefined action on the logging server.
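To turn the log message above into an alert without a syslog server, something has to read /var/log/apm and match the line. The following is an added example (not F5 code and not from the thread) that parses the apmd message shown above (message ID 01490290), keeps a trailing time window of failures, and decides when to raise an alert, broken down by provider and error text. The regex group names, the window and threshold defaults, and the sample lines (only the first one is from the thread; the other two are constructed in the same shape) are this example's own assumptions.

```python
"""Scan apmd log lines for 'OAuth Scope: failed' messages and decide whether to alert.

Added example for this thread (not F5 code). It relies only on the message format
visible in the quoted log line (message ID 01490290); thresholds, group names and
the constructed sample lines are this example's own.
"""
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

# Pieces of the quoted line: syslog timestamp, host, level, "apmd[pid]:",
# "<msgid>:<severity>:", "<profile>::<session>.<agent path>: OAuth Scope: failed for
# <kind> '<provider>' , error: <text>".  Group names are this example's choice.
OAUTH_SCOPE_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\S+) apmd\[\d+\]: "
    r"(?P<msgid>\d{8}):\d+: "
    r"(?P<profile>/\S+?)::(?P<session>[0-9a-f]+)\.\S+: "
    r"OAuth Scope: failed for (?P<kind>\S+) '(?P<provider>[^']+)' , "
    r"error: (?P<error>.+?)\s*$"
)


def parse_line(line, year=None):
    """Return a dict for an 'OAuth Scope: failed' line, or None for any other line."""
    m = OAUTH_SCOPE_FAILED.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; assume the current one unless the caller says
    # otherwise (ordering is still wrong for a window that spans New Year's Eve).
    year = year if year is not None else datetime.now().year
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def scan(lines, year=None):
    """Parse every line; other apmd messages are dropped."""
    return [r for r in (parse_line(l, year) for l in lines) if r]


def failures_in_window(records, end, window_seconds):
    """Failures with start < time <= end: a trailing window ending at `end`."""
    start = end - timedelta(seconds=window_seconds)
    return [r for r in records if start < r["time"] <= end]


def breakdown(records):
    """Count failures per (provider, error) so the alert says why validation failed."""
    return Counter((r["provider"], r["error"]) for r in records)


def should_alert(records, end, window_seconds, threshold):
    """True when at least `threshold` failures landed in the trailing window."""
    return len(failures_in_window(records, end, window_seconds)) >= threshold


# Constructed sample input.  The first line is the one quoted in the thread; the other
# two are made up in the same shape (the error text is illustrative, not verbatim APM
# output) so the window logic has something to work with.
SAMPLE_LINES = [
    "Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: "
    "/Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:"
    "/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed "
    "for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : "
    "Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=",
    "Dec 12 09:59:40 bigip.test.oauth err apmd[1443]: 01490290:3: "
    "/Common/OAuth-Profile::c0ffee01./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:"
    "/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed "
    "for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: token expired (constructed)",
    "Dec 12 09:59:50 bigip.test.oauth notice apmd[1443]: (constructed) unrelated apmd "
    "message, not an OAuth Scope failure",
]


def main(argv):
    """Usage: tail -F /var/log/apm | python3 oauth_scope_alert.py [window_seconds] [threshold]"""
    window = int(argv[1]) if len(argv) > 1 else 60
    threshold = int(argv[2]) if len(argv) > 2 else 5
    records = []
    for line in sys.stdin:
        rec = parse_line(line)
        if rec is None:
            continue
        records.append(rec)
        records = failures_in_window(records, rec["time"], window)  # forget old ones
        if len(records) >= threshold:
            for (provider, error), n in breakdown(records).most_common():
                print(f"ALERT {n} x {provider}: {error}", flush=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script prints to stdout; on a box that cannot ship syslog, the printed line is where you would hook whatever alerting path you still have (for example a cron job that mails the output). The same parser also serves as a quick check that your own /var/log/apm lines actually match the pattern before you build an alert on it.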
- tub91 (Cirrus)
Thank you for your answer. In the past we configured the sending of APM logs to a syslog but due to some of our internal problems at the moment we can no longer send these logs to a syslog. We are therefore looking for a different way to alert us when there are these errors. Do you have any other ideas?
Thanks
- James_Jinwon_Lee (Employee)
tub91 You can add an 'Email' agent in your session policy or per-request policy like the one below.
Another possible solution is to use a custom SNMP trap (https://support.f5.com/csp/article/K3727?sr=33679270). You can create a custom SNMP trap that matches the 'OAuth Scope: failed' message.
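The custom-trap suggestion, written out as an added example (not from the thread or from F5; it follows the alert definition format that K3727 documents for /config/user_alert.conf). The alert name and the OID are this example's choice, and the restart and test commands below are assumptions to check against the article and your BIG-IP version:

```conf
# /config/user_alert.conf  (custom definitions go here, not in alert.conf)
# Added example. Name and OID are this example's choice; K3727 reserves
# .1.3.6.1.4.1.3375.2.4.0.300 and above for custom traps. The quoted string is
# matched as a regex against the log message, so a literal substring of the
# apmd line quoted in the thread is enough.
alert OAUTH_SCOPE_FAILED "OAuth Scope: failed" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300"
}
```

After saving, restart alertd (`tmsh restart sys service alertd`, assumed here) and check that a trap arrives at the destinations in `tmsh list sys snmp v2-traps`. Two caveats a practitioner should verify: a trap definition is only as good as the string it matches, so test it by triggering a deliberately failing token and watching the trap receiver, not only by writing a matching line with `logger`; and the apmd message is written to /var/log/apm, whereas K3727's examples match messages in the LTM log, so confirm on your version that alertd sees APM messages before relying on this instead of the Email agent.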