Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Per Request access policy with OAuth Client Subroutine

AlexS_yb
Cirrocumulus
Cirrocumulus

I have a per request policy with a URI that is protected with a OAuth Client

Typically this works by using 302 redirect either to /my.policy and then 302 to the OAuth server to get a new token

My problem is for ajax calls, I would like to send 401's

previous request for this suggested this as an example

 

 

    when ACCESS_SESSION_STARTED { 
      if { [HTTP::header "X-Requested-With" ] equals "XMLHttpRequest" } {     
         ACCESS::respond 401 
      }   
    }

 

 

The problem is that the APM session exist and its on the pre request sub-session so this doesn't work.

I was thinking I could look at the JWT valid till date and if its passed then I could respond a 401 code.  But how do I get to pre request session data from a irule

if I do it as a irule event from access profile can I send a respond 401  ?

 

It would be good if I can configue the oauth client to send 401 and not do redirect's

 

Any help would be appreciated

 

 

 

1 ACCEPTED SOLUTION

You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

Don't forget to set:

ACCESS::restrict_irule_events disable

View solution in original post

6 REPLIES 6

Have you tried the clientless mode?

when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
}

I believe that will stop the 302 to /my.policy

but will it stop the 302 to the oauth server to get a new / or renew a OAuth access token ?

 

You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

Don't forget to set:

ACCESS::restrict_irule_events disable

I had thought of that and I have tried that previously to override default APM actions, but found that those events are called even with

ACCESS::restrict_irule_events disable

I will give it another go just in case, but previous experience tells me no - think i had it confirm from F5 support as well - but it been a while

This had always worked in my projects.

Seems to be working I will need to go back and check out what happened before

Any way for the record.

in HTTP_REQUEST

"/xxxx/1.0/*" {

if { [HTTP::header "clientless-mode"] equals "1" } {
log local0. "set flags for [HTTP::path]"
set clmodeflag 1
set unAuthFlag 1
}

don't forget to set those to 0 at the start of any request

1 that clientless-mode is set

1 flag to say send 401 instead of 302

then

when HTTP_RESPONSE_RELEASE {
if { ( [HTTP::status] == 302) && ( $clmodeflag == 1 ) && ( $unAuthFlag == 1 ) } {
# want to send 401 instead of 302
HTTP::respond 401
}

}