Monitoring Failure OAuth request

tub91
Cirrus

Hi,

Unfortunately, we occasionally have problems with OAuth authentications. Through the graph positioned in the path "Access ›› Overview : OAuth Reports : Client / Resource Server" we can see from the GUI the validation errors per second.

Is it possible to create alerts when there are validation errors? Or is it possible to query this information via SNMP?

Thanks

1 ACCEPTED SOLUTION

@tub91 You can add an 'Email' agent in your session policy or per-request policy like the one below. 

[screenshot: Screenshot 2022-12-14 at 2.37.02 PM.png]

Another possible solution is to use the custom SNMP trap. (https://support.f5.com/csp/article/K3727?sr=33679270) You can create a custom SNMP trap with the 'OAuth Scope: failed' message. 


6 REPLIES

buulam
Community Manager

Hi @tub91, I'm asking around about this one. I couldn't find a clear solution myself, but perhaps there is something out there I've missed.

~~~~~~~~~~~~~~~~~~
@buulam / YouTube.com/DevCentral

Hi @buulam 

Thanks, I hope you can find something

James_Jinwon_Lee
F5 Employee

Hello @tub91 

If APM fails the token validation, you can find the error log in the access policy logging.

Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=

Since the token validation is performed by the 'OAuth Scope' agent in the access policy, it generates the log message whenever it fails to validate the token. You can also monitor any access policy that finishes with the 'Reject' ending type. With this log message, you can monitor not only the token validation failure cases but also all other access failure reasons. You can export these access logs to an external syslog server and create a predefined action in the logging server.
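As an added illustration of the "predefined action in the logging server" idea above (example code written for this page, not F5's or the thread author's), the following Python stands in for the syslog-side matcher: it parses apmd lines in the format quoted in the reply, picks out the 'OAuth Scope: failed' messages and 'Reject' endings, counts them per second (the same quantity the GUI graph in the question plots), and emits an alert when a second reaches a threshold. The log format is assumed to be the one quoted above; all sample lines except the first are constructed for the demo, as are the function names.

```python
"""Detect APM OAuth token-validation failures in apmd syslog output.

Added example for this thread, not code from F5 or the original posters.
Assumption: lines look like the apmd line quoted in the reply above.
"""
import re
from collections import Counter

# Constructed sample input. The first line is the one quoted in the reply;
# the remaining three are made up for the demo (session ids, errors, endings).
SAMPLE_LOGS = """\
Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=
Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::0badc0de./Common/OAuth_PRP-crud_control_1/YWJj:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Token expired
Dec 12 09:59:15 bigip.test.oauth notice apmd[1443]: 01490005:5: /Common/OAuth-Profile:Common:0badc0df: Following rule 'fallback' from item 'OAuth Scope' to ending 'Reject'
Dec 12 09:59:16 bigip.test.oauth notice apmd[1443]: 01490005:5: /Common/OAuth-Profile:Common:0badc0e0: Following rule 'Successful' from item 'OAuth Scope' to ending 'Allow'
"""

# Syslog prefix: timestamp, host, severity, apmd[pid], message code, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<sev>\w+) apmd\[(?P<pid>\d+)\]: "
    r"(?P<code>[0-9a-f]{8}:\d): (?P<msg>.*)$"
)
# The token-validation failure text from the 'OAuth Scope' agent.
SCOPE_FAIL_RE = re.compile(
    r"OAuth Scope: failed for jwt-provider-list '(?P<provider>[^']+)' , error: (?P<error>.*)$"
)
# Policy ending reached by a session (e.g. 'Reject' or 'Allow').
ENDING_RE = re.compile(r"to ending '(?P<ending>[^']+)'")


def parse_line(line):
    """Return a dict for one apmd syslog line, or None if it is not apmd output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["kind"] = "other"
    ev["provider"] = ev["error"] = ev["ending"] = None
    fail = SCOPE_FAIL_RE.search(ev["msg"])
    if fail:
        ev["kind"] = "scope_failed"
        ev["provider"] = fail.group("provider")
        ev["error"] = fail.group("error").strip()
    else:
        end = ENDING_RE.search(ev["msg"])
        if end:
            ev["ending"] = end.group("ending")
            ev["kind"] = "reject" if ev["ending"] == "Reject" else "ending"
    return ev


def scan_logs(text):
    """Parse every line of a syslog buffer, dropping non-apmd lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def failures_per_second(events):
    """Count token-validation failures plus Reject endings per timestamp second."""
    return Counter(e["ts"] for e in events if e["kind"] in ("scope_failed", "reject"))


def alerts(events, threshold=1):
    """One alert string per second whose failure count reaches the threshold."""
    out = []
    for ts, n in sorted(failures_per_second(events).items()):
        if n >= threshold:
            errors = sorted({e["error"] for e in events if e["ts"] == ts and e["error"]})
            out.append(f"{ts}: {n} OAuth validation failure(s); errors: {errors}")
    return out


if __name__ == "__main__":
    # With threshold=2 only the 09:59:14 second (two scope failures) alerts.
    for line in alerts(scan_logs(SAMPLE_LOGS), threshold=2):
        print(line)
```

In practice the matcher would read the syslog feed the reply describes rather than the embedded sample, and the alert strings would be handed to whatever notification path the logging server supports; the per-second counter is what lets you alert on a burst rather than on every single failed token.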

Hi @James_Jinwon_Lee 

Thank you for your answer. In the past we configured the sending of APM logs to a syslog but due to some of our internal problems at the moment we can no longer send these logs to a syslog. We are therefore looking for a different way to alert us when there are these errors. Do you have any other ideas?

Thanks


Hi @James_Jinwon_Lee 

great idea 🙂

Thanks