The "OAuth scope" agent expects to find and validate the bearer token in the request header called "Authorization", which is according to the standard. My question is: is it possible to "instruct" the OAuth scope agent to read the bearer token from another header, that is a custom header, e.g. "CustomAuthorization"? For example, by using an iRule to read the custom header and place it in the variable the OAuth scope agent expects to find it in, or perhaps by changing the value of "perflow.oauth.scope.auth_hdr_name"?
We are planning to run some tests, but it would be nice to know whether this is just "impossible" or if there is hope to make this work.
Thanks in advance.
01-Oct-2022 05:26 - edited 01-Oct-2022 05:30
Let me check whether we have any solution to support it or not.
OK. I did some tests and I think we can't change the default behavior of the 'OAuth scope' agent. However, we can use some tricks through an iRule. Since the 'OAuth scope' agent extracts the token from the 'Authorization' header, a 'Parameter' or the 'Body', I think we can replicate the token value from the custom header into the 'Authorization' header. Let's say you have a custom header named 'CustomAuthorization' and it carries the valid token as its value. I think there are three different scenarios here:
1. If an API request includes the 'CustomAuthorization' header but doesn't include the 'Authorization' header.
2. If an API request includes the 'Authorization' header but doesn't include the 'CustomAuthorization' header.
3. If an API request includes both the 'CustomAuthorization' header and the 'Authorization' header.
Now the 'OAuth scope' agent can extract the token value from the 'Authorization' header and proceed with the rest of the access policy.
If you configure the BIG-IP APM as an OAuth Resource Server, you also need to configure your access profile type as 'OAuth Resource-Server'. However, iRule events are not supported in the 'OAuth RS' access profile. To overcome this issue, you can use the 'Layered Virtual Server' approach: create a dummy VS, attach the iRule to it, then forward the traffic to the VS of the 'OAuth Resource Server'.
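An iRule for the dummy virtual server in the layered approach above, as an added example that is not part of James's post: it copies the token into 'Authorization' for scenario 1, does nothing for scenario 2, and for scenario 3 keeps the standard header authoritative. The header name 'CustomAuthorization' comes from the thread; normalising a missing 'Bearer ' scheme and stripping the custom header afterwards are assumptions.

```tcl
# Added example (not from the original post). Runs on the front (dummy) VS so
# that the OAuth Scope agent on the OAuth RS VS behind it finds the token in
# the standard Authorization header.
when HTTP_REQUEST {
    set custom_hdr "CustomAuthorization"

    set has_custom [HTTP::header exists $custom_hdr]
    set has_auth   [HTTP::header exists "Authorization"]

    if { $has_custom && !$has_auth } {
        # Scenario 1: only the custom header is present. Copy its value across.
        set token [string trim [HTTP::header value $custom_hdr]]
        if { ![string match -nocase "Bearer *" $token] } {
            # Assumption: the custom header may carry the raw token without a scheme;
            # the Scope agent expects the "Bearer <token>" form.
            set token "Bearer $token"
        }
        HTTP::header insert "Authorization" $token
    } elseif { $has_custom && $has_auth } {
        # Scenario 3: both present. Do not let a non-standard header override the
        # standard one; just record the mismatch (never log the token itself).
        if { [HTTP::header value $custom_hdr] ne [HTTP::header value "Authorization"] } {
            log local0.warn "Authorization and $custom_hdr differ from [IP::client_addr]; keeping Authorization"
        }
    }
    # Scenario 2 (only Authorization present) needs no action.

    # Assumption: drop the custom header so the token is not forwarded twice.
    if { $has_custom } {
        HTTP::header remove $custom_hdr
    }
}
```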
Thanks a lot James.
We actually tried something like that, but we couldn't get the iRule to trigger. I understand why now. We will give it a new try then.