Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Oauth scope custom authorization header

didros
Altostratus
Altostratus

‎13-Sep-2022 22:37

Hello,

The "Oauth scope" agent expects to find and validate the bearer token in the request header variable called "Authorization", which is according to standard. My question is, is it possible to "instruct" the Oauth scope agent to read the bearer token from another header, that is a custom header, e.g. "CustomAuthroization"? For example, by using an iRule to read the custom header and place it in the variable Oauth scope expect to find it, or perhaps changing the value of "perflow.oauth.scope.auth_hdr_name"? 

We planing to make some test, but it would be nice to know is this is just "impossible" or if there is hope to make this work.

Thanks in advance.

Labels:
0 Kudos
4 REPLIES 4

didros
Altostratus
Altostratus

‎21-Sep-2022 09:37

Any expert out there that thinks this is possible or not possible? Even with some advance iRules? 

Thanks.

0 Kudos

James_Jinwon_Lee
F5 Employee
F5 Employee

‎01-Oct-2022 05:26 - edited ‎01-Oct-2022 05:30

Let me check whether we have any solution to support it or not. 

0 Kudos

James_Jinwon_Lee
F5 Employee
F5 Employee
In response to James_Jinwon_Lee

‎01-Oct-2022 10:04

OK. I did some tests and I think we can't change the default behavior of the 'OAuth scope' agent. However, we can use some tricks thru irule.  Since the 'OAuth scope' agent extracts the token from the 'Authorization Header' or 'Parameter' or 'Body', I think we can replicate the token value from the 'Custom header' to the 'Authorization' header.  Let's say, you have the custom header named 'CustomAuthorization' and the custom header includes the valid token as a value. I think there are three different scenarios here. 

1. If an API request includes the 'CustomAuthorization' header but doesn't include the 'Authorization' header.

  • irule extracts the valid token value from the 'CustomAuthorization' header. 
  • irule inserts a new 'Authorization' header using the value of the token from the 'CustomAuthorization' header. 

 

2. If an API request includes the 'Authorization' header but doesn't include the'CustomAuthorization' header.

  • irule extracts the valid token value from the 'Authorization' header. 
  • irule inserts a new 'CustomAuthorization' header using the value of the token from the 'Authorization' header. 

 

3. If an API request includes both the 'CustomAuthorization' header and the 'Authorization' header.

  • irule extracts the valid token value from the 'CustomAuthorization' header. 
  • irule replaces the value of the 'Authorization' header with the value of the token from the 'CustomAuthorization' header. 

Now, the 'OAuth scope' agent can extract the token value from the 'Authorization' header and proceed with the rest access policy.

If you configure the BIG-IP APM as an OAuth Resource Server, you also need to configure your access profile type to 'OAuth Resource-Server'. However, 'irule event' is not supported in the 'OAuth RS' access profile. To overcome this issue, you can configure the 'Layered Virtual Server' approach. You can create a dummy VS and attach the irule, then forward the traffic to the VS of the 'OAuth Resource Server'. 

didros
Altostratus
Altostratus
In response to James_Jinwon_Lee

‎06-Oct-2022 12:56

Thanks a lot James.

We actually tried something like that but we couldn't make the irule to trigger. I understand why now. We give it a new try then.   

0 Kudos
Copyright © 2023 Khoros, LLC