Monitoring Failure OAuth request

Question

Hi,Unfortunately, we occasionally have problems with oAuth authentications. Through the graph positioned in the path "Access ›› Overview : OAuth Reports : Client / Resource Server" we can see from the GUI the validation errors per second.Is it possible to create alerts when there are validation errors? Or is it possible to query this information via SNMP?Thanks

james_jinwon_lee · Accepted Answer

tub91&nbsp;You can add an 'Email' agent in your session policy or per-request policy like the one below.&nbsp;

&nbsp;
Another possible solution is to use the custom SNMP trap. (https://support.f5.com/csp/article/K3727?sr=33679270) You can create a custom SNMP trap with the 'OAuth Scope: failed' message.&nbsp;
&nbsp;

buulam · Answer

HI&nbsp;tub91&nbsp;, I'm asking around about this one. I couldn't find a clear solution myself but perhaps there is something out there I've missed

tub91 · Answer

Hi buulam&nbsp;Thanks, I hope you can find something

james_jinwon_lee · Answer

Hello&nbsp;tub91&nbsp;
If APM fails to the token validation, you can find the error log in the access policy logging.&nbsp;
&nbsp;
Dec 12 09:59:14 bigip.test.oauth err apmd[1443]: 01490290:3: /Common/OAuth-Profile::ba1ff486./Common/OAuth_PRP-crud_control_1/YXhzMnN1YnNpZA==:/Common/OAuth_PRP-crud_control_act_oauth_scope_subsession_ag_1: OAuth Scope: failed for jwt-provider-list '/Common/JWT_AzureAD_Provider' , error: Audience not found : Claim audience= api://aaaaaaaaaa/f5demo JWT_Config Audience=
Since the token validation is performed on the 'OAuth Scope' agent in the access policy, it generates the log message whenever it fails to validate the token. You also can monitor any access policy done with the ending type of the 'Reject'. With this log message, you can monitor not only the token validation fail cases but also all other access failure reasons. You can export these access logs to the external Syslog server and create a predefined action in the logging server.

tub91 · Answer

Hi James_Jinwon_Lee&nbsp;Thank you for your answer. In the past we configured the sending of APM logs to a syslog but due to some of our internal problems at the moment we can no longer send these logs to a syslog. We are therefore looking for a different way to alert us when there are these errors. Do you have any other ideas?Thanks

tub91 · Answer

Hi James_Jinwon_Lee&nbsp;great idea 🙂Thanks

Forum Discussion

Monitoring Failure OAuth request

6 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

Re: Comprehensive solution for OWASP Web App A09:2021 Security Logging & Monitoring Failures fro

HTTP Health Monitor Failure Behavior

Losing Requests because of health monitoring

Distributed caching of authentication requests with NGINX Ingress Controller

Logging DNS Requests