09-Dec-2022 07:08
Hi,
Unfortunately, we occasionally have problems with OAuth authentication. Through the graph located under "Access ›› Overview : OAuth Reports : Client / Resource Server" we can see the validation errors per second in the GUI.
Is it possible to create alerts when there are validation errors? Or is it possible to query this information via SNMP?
Thanks
13-Dec-2022 22:41
@tub91 You can add an 'Email' agent in your session policy or per-request policy like the one below.
Another possible solution is to use the custom SNMP trap. (https://support.f5.com/csp/article/K3727?sr=33679270) You can create a custom SNMP trap with the 'OAuth Scope: failed' message.
13-Dec-2022 13:14
Hi @tub91, I'm asking around about this one. I couldn't find a clear solution myself, but perhaps there is something out there I've missed.
13-Dec-2022 13:17
Hi @buulam
Thanks, I hope you can find something
13-Dec-2022 19:24
Hello @tub91
If APM fails the token validation, you can find the error log in the access policy logging.
Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=
Since the token validation is performed by the 'OAuth Scope' agent in the access policy, it generates this log message whenever it fails to validate the token. You can also monitor any access policy that finishes with the 'Reject' ending type. With this log message, you can monitor not only token validation failures but also all other access failure reasons. You can export these access logs to an external Syslog server and create a predefined action in the logging server.
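As an added illustration of the log-based approach described in this answer (this is example code, not part of the original post or F5's own tooling), the following Python parses the apmd 'OAuth Scope: failed' message shown above and turns it into something an alerting job can act on: it extracts the timestamp, the JWT provider and the failure reason, counts failures per reason, and applies a simple threshold. Only the first log line is the one from the post; the other two lines are constructed for the example, and the session identifier and error text in the second line are made up. The literal string 'OAuth Scope: failed' is also the match expression you would use for the custom SNMP trap approach; the stanza format for /config/user_alert.conf is in K3727 and is not reproduced here.

```python
import re
from collections import Counter

# Sample apmd output. Line 1 is the message quoted in the thread; lines 2 and 3
# are constructed for this example (constructed session id 'c0ffee12' and
# constructed error text) and are not real F5 output.
SAMPLE_LOG = """\
Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=
Dec 12 10:01:02 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::c0ffee12./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Signature verification failed
Dec 12 10:02:30 bigip.test.oauth info apmd[1443]: constructed non-matching line for this example
"""

# Matches the 'OAuth Scope: failed' message and captures the fields an alert
# would want. The policy path contains no spaces, so \S+ is enough; the error
# text runs to the end of the line.
OAUTH_FAIL_RE = re.compile(
    r"apmd\[\d+\]: (?P<msgid>\d{8}:\d): "
    r"(?P<policy>\S+): OAuth Scope: failed for jwt-provider-list "
    r"'(?P<provider>[^']+)' , error: (?P<error>.*)$"
)


def parse_oauth_failures(log_text):
    """Return one dict per 'OAuth Scope: failed' line in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = OAUTH_FAIL_RE.search(line)
        if not m:
            continue
        error = m.group("error").strip()
        # The reason precedes ' : '; what follows is claim detail
        # (e.g. 'Claim audience= ... JWT_Config Audience=').
        reason = error.split(" : ", 1)[0].strip()
        failures.append({
            "timestamp": line[:15],          # syslog 'Mon DD HH:MM:SS' prefix
            "msgid": m.group("msgid"),
            "policy": m.group("policy"),
            "provider": m.group("provider"),
            "reason": reason,
            "error": error,
        })
    return failures


def failure_counts_by_reason(failures):
    """Count parsed failures per reason, e.g. {'Audience not found': 1}."""
    return Counter(f["reason"] for f in failures)


def should_alert(failures, threshold):
    """Fire when at least `threshold` validation failures were parsed.

    Hypothetical policy for this example: in a real job you would run this
    over the lines logged since the last run and pick a threshold that
    matches the 'validation errors per second' graph you are already using.
    """
    return len(failures) >= threshold


if __name__ == "__main__":
    found = parse_oauth_failures(SAMPLE_LOG)
    for f in found:
        print(f["timestamp"], f["provider"], "->", f["reason"])
    print(dict(failure_counts_by_reason(found)))
    print("alert:", should_alert(found, threshold=2))
```

Run it against the output of `tail` on the APM log (or the lines a local log tailer hands you) instead of `SAMPLE_LOG`; the per-reason counter separates misconfigured audiences, which are your problem, from bad tokens sent by clients, which are theirs.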
13-Dec-2022 22:25
Thank you for your answer. In the past we configured sending APM logs to a syslog server, but due to some internal problems we can no longer send these logs to a syslog server at the moment. We are therefore looking for a different way to alert us when these errors occur. Do you have any other ideas?
Thanks
14-Dec-2022 11:12