Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Per Request access policy with OAuth Client Subroutine

Go to solution
AlexS_yb
Cirrocumulus
Cirrocumulus

‎30-Jan-2023 20:25

I have a per request policy with a URI that is protected with a OAuth Client

Typically this works by using 302 redirect either to /my.policy and then 302 to the OAuth server to get a new token

My problem is for ajax calls, I would like to send 401's

previous request for this suggested this as an example

 

 

    when ACCESS_SESSION_STARTED { 
      if { [HTTP::header "X-Requested-With" ] equals "XMLHttpRequest" } {     
         ACCESS::respond 401 
      }   
    }

 

 

The problem is that the APM session exist and its on the pre request sub-session so this doesn't work.

I was thinking I could look at the JWT valid till date and if its passed then I could respond a 401 code.  But how do I get to pre request session data from a irule

if I do it as a irule event from access profile can I send a respond 401  ?

 

It would be good if I can configue the oauth client to send 401 and not do redirect's

 

Any help would be appreciated

 

 

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Juergen_Mang
MVP
MVP

‎31-Jan-2023 03:00

You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

Don't forget to set:

ACCESS::restrict_irule_events disable

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
Juergen_Mang
MVP
MVP

‎30-Jan-2023 23:26

Have you tried the clientless mode?

when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
}
0 Kudos

Go to solution
AlexS_yb
Cirrocumulus
Cirrocumulus
In response to Juergen_Mang

‎30-Jan-2023 23:32

I believe that will stop the 302 to /my.policy

but will it stop the 302 to the oauth server to get a new / or renew a OAuth access token ?

 

0 Kudos

Go to solution
Juergen_Mang
MVP
MVP

‎31-Jan-2023 03:00

You can replace the 302 with 401 in the HTTP_RESPONSE_RELEASE event.

Don't forget to set:

ACCESS::restrict_irule_events disable
0 Kudos

Go to solution
AlexS_yb
Cirrocumulus
Cirrocumulus
In response to Juergen_Mang

‎31-Jan-2023 13:06

I had thought of that and I have tried that previously to override default APM actions, but found that those events are called even with

ACCESS::restrict_irule_events disable

I will give it another go just in case, but previous experience tells me no - think i had it confirm from F5 support as well - but it been a while

0 Kudos

Go to solution
Juergen_Mang
MVP
MVP
In response to AlexS_yb

‎01-Feb-2023 01:17

This had always worked in my projects.

0 Kudos

Go to solution
AlexS_yb
Cirrocumulus
Cirrocumulus
In response to Juergen_Mang

‎05-Feb-2023 03:38

Seems to be working I will need to go back and check out what happened before

Any way for the record.

in HTTP_REQUEST

"/xxxx/1.0/*" {

if { [HTTP::header "clientless-mode"] equals "1" } {
log local0. "set flags for [HTTP::path]"
set clmodeflag 1
set unAuthFlag 1
}

don't forget to set those to 0 at the start of any request

1 that clientless-mode is set

1 flag to say send 401 instead of 302

then

when HTTP_RESPONSE_RELEASE {
if { ( [HTTP::status] == 302) && ( $clmodeflag == 1 ) && ( $unAuthFlag == 1 ) } {
# want to send 401 instead of 302
HTTP::respond 401
}

}

 

0 Kudos
Copyright © 2023 Khoros, LLC