Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

OAuth APM as Authorisation server

AlexS_yb
Cirrocumulus
Cirrocumulus

‎13-Jun-2022 18:15

Hi

 

Got a question I can't seem to get answered.

 

I have a OAuth authorisation server setup. I have applied the oauth profile and I have a per session policy that use oauth authroization to assign claims and scopes.

 

The claims are setup based upon session variables.

So the JWT created have 5 in life for access token and 60 min life for refresh token.

So at 5min +1 my client/resource server will access the auth server for a new access token using the refresh token.

 

I see this on the APM logs on the auth server and the client/resource server.

BUT on the auth server, there is no session alive !  so which auth server session variables is it using.

Does it just use the values that were assigned when the original request was made if thats the case.

How can I . if possible update the information for each request ?

Is it possible 

 

 

 

 

 

 

 

Labels:
4 REPLIES 4

LiefZimmerman
Community Manager
Community Manager

‎24-Jun-2022 13:26

@AlexS_yb - it's been a few days on this one - Have you figured this out yet?
If not - I'll see what help I might drum up.

0 Kudos

AlexS_yb
Cirrocumulus
Cirrocumulus
In response to LiefZimmerman

‎24-Jun-2022 14:17

Hi

 

Nothing as yet, that would be helpful.

Thanks

Matt_Dierick
F5 Employee
F5 Employee

‎27-Jun-2022 05:08

Hi @AlexS_yb 

You right, in Oauth AS use case, APM does not keep session up. As soon as the token is issued, the session is deleted.

If client presents a refresh token, the previous values from the first request should be used. 

I'm curious to know which kind of information you want to update during a "token refresh". As if something changed on Owner side, a new authentication is required, then new session var (claims) are issued.

AlexS_yb
Cirrocumulus
Cirrocumulus
In response to Matt_Dierick

‎29-Jun-2022 00:29

Some claim information is based upon ldap group membership.

With the current setup a 60 min jwt toekn means that a users permission might last 60min past it being removed.

 

I was thinking maybe to reduce the refresh token time done and force a new jwt, seem expensive though

0 Kudos
Copyright © 2023 Khoros, LLC