Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Monitoring Failure OAuth request

Go to solution
tub91
Cirrus
Cirrus

‎09-Dec-2022 07:08

Hi,

Unfortunately, we occasionally have problems with oAuth authentications. Through the graph positioned in the path "Access ›› Overview : OAuth Reports : Client / Resource Server" we can see from the GUI the validation errors per second.

Is it possible to create alerts when there are validation errors? Or is it possible to query this information via SNMP?

Thanks

Labels:
Preview file
87 KB
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
James_Jinwon_Lee
F5 Employee
F5 Employee
In response to tub91

‎13-Dec-2022 22:41

@tub91 You can add an 'Email' agent in your session policy or per-request policy like the one below. 

Screenshot 2022-12-14 at 2.37.02 PM.png

 

Another possible solution is to use the custom SNMP trap. (https://support.f5.com/csp/article/K3727?sr=33679270) You can create a custom SNMP trap with the 'OAuth Scope: failed' message. 

 

View solution in original post

6 REPLIES 6

Go to solution
buulam
Community Manager
Community Manager

‎13-Dec-2022 13:14

HI @tub91 , I'm asking around about this one. I couldn't find a clear solution myself but perhaps there is something out there I've missed

~~~~~~~~~~~~~~~~~~
@buulam / YouTube.com/DevCentral
0 Kudos

Go to solution
tub91
Cirrus
Cirrus
In response to buulam

‎13-Dec-2022 13:17

Hi @buulam 

Thanks, I hope you can find something

0 Kudos

Go to solution
James_Jinwon_Lee
F5 Employee
F5 Employee

‎13-Dec-2022 19:24

Hello @tub91 

If APM fails to the token validation, you can find the error log in the access policy logging. 

 

Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=

Since the token validation is performed on the 'OAuth Scope' agent in the access policy, it generates the log message whenever it fails to validate the token. You also can monitor any access policy done with the ending type of the 'Reject'. With this log message, you can monitor not only the token validation fail cases but also all other access failure reasons. You can export these access logs to the external Syslog server and create a predefined action in the logging server.

Preview file
42 KB
0 Kudos

Go to solution
tub91
Cirrus
Cirrus
In response to James_Jinwon_Lee

‎13-Dec-2022 22:25

Hi @James_Jinwon_Lee 

Thank you for your answer. In the past we configured the sending of APM logs to a syslog but due to some of our internal problems at the moment we can no longer send these logs to a syslog. We are therefore looking for a different way to alert us when there are these errors. Do you have any other ideas?

Thanks

0 Kudos

Go to solution
James_Jinwon_Lee
F5 Employee
F5 Employee
In response to tub91

‎13-Dec-2022 22:41

@tub91 You can add an 'Email' agent in your session policy or per-request policy like the one below. 

Screenshot 2022-12-14 at 2.37.02 PM.png

 

Another possible solution is to use the custom SNMP trap. (https://support.f5.com/csp/article/K3727?sr=33679270) You can create a custom SNMP trap with the 'OAuth Scope: failed' message. 

 

Go to solution
tub91
Cirrus
Cirrus
In response to James_Jinwon_Lee

‎14-Dec-2022 11:12

Hi @James_Jinwon_Lee 

great idea 🙂

Thanks

0 Kudos
Copyright © 2023 Khoros, LLC