Oauth scope custom authorization header

Question

Hello,The "Oauth scope" agent expects to find and validate the bearer token in the request header variable called "Authorization", which is according to standard. My question is, is it possible to "instruct" the Oauth scope agent to read the bearer token from another header, that is a custom header, e.g. "CustomAuthroization"? For example, by using an iRule to read the custom header and place it in the variable Oauth scope expect to find it, or perhaps changing the value of "perflow.oauth.scope.auth_hdr_name"?&nbsp;We planing to make some test, but it would be nice to know is this is just "impossible" or if there is hope to make this work. Thanks in advance.

james_jinwon_lee · Answer

OK. I did some tests and I think we can't change the default behavior of the 'OAuth scope' agent. However, we can use some tricks thru irule.&nbsp; Since the 'OAuth scope' agent extracts the token from the 'Authorization Header' or 'Parameter' or 'Body', I think we can replicate the token value from the 'Custom header' to the 'Authorization' header.&nbsp; Let's say, you have the custom header named 'CustomAuthorization' and the custom header includes the valid token as a value. I think there are three different scenarios here.&nbsp;
1. If an API request includes the 'CustomAuthorization' header but doesn't include the 'Authorization' header.

irule extracts the valid token value from the 'CustomAuthorization' header.&nbsp;
irule inserts a new 'Authorization' header using the value of the token from the 'CustomAuthorization' header.&nbsp;

&nbsp;
2. If an API request includes the 'Authorization' header but doesn't include the'CustomAuthorization' header.

irule extracts the valid token value from the 'Authorization' header.&nbsp;
irule inserts a new 'CustomAuthorization' header using the value of the token from the 'Authorization' header.&nbsp;

&nbsp;
3. If an API request includes both the 'CustomAuthorization' header and the 'Authorization' header.

irule extracts the valid token value from the 'CustomAuthorization' header.&nbsp;
irule replaces the value of the 'Authorization' header with the value of the token from the 'CustomAuthorization' header.&nbsp;

Now, the 'OAuth scope' agent can extract the token value from the 'Authorization' header and proceed with the rest access policy.
If you configure the BIG-IP APM as an OAuth Resource Server, you also need to configure your access profile type to 'OAuth Resource-Server'. However, 'irule event' is not supported in the 'OAuth RS' access profile. To overcome this issue, you can configure the 'Layered Virtual Server' approach. You can create a dummy VS and attach the irule, then forward the traffic to the VS of the 'OAuth Resource Server'.&nbsp;

didros · Answer

Any expert out there that thinks this is possible or not possible? Even with some advance iRules?&nbsp;Thanks.

james_jinwon_lee · Answer

Let me check whether we have any solution to support it or not.&nbsp;

didros · Answer

Thanks a lot James.We actually tried something like that but we couldn't make the irule to trigger. I understand why now. We give it a new try then.&nbsp; &nbsp;

Forum Discussion

Oauth scope custom authorization header

4 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

ASM irule to disable attack signature authorization header with specific value

iRule - Authorization Bearer / Basic

Resolve Citrix Secure Ticket Authority (STA)

custom response page for api

OWASP Tactical Access Defense Series: Broken Object Level Authorization and BIG-IP APM