30-Jan-2023 20:25
I have a per-request policy with a URI that is protected with an OAuth Client.
Typically this works by using a 302 redirect, either to /my.policy and then a 302 to the OAuth server to get a new token.
My problem is for AJAX calls, where I would like to send 401s.
A previous request for this suggested this as an example:
when ACCESS_SESSION_STARTED {
    if { [HTTP::header "X-Requested-With"] equals "XMLHttpRequest" } {
        ACCESS::respond 401
    }
}
The problem is that the APM session exists and it's on the per-request sub-session, so this doesn't work.
I was thinking I could look at the JWT valid-till date and, if it's passed, I could respond with a 401 code. But how do I get to per-request session data from an iRule?
If I do it as an iRule event from the access profile, can I send a 401 response?
It would be good if I could configure the OAuth client to send 401 and not do redirects.
Any help would be appreciated.
31-Jan-2023 03:00
You can replace the 302 with a 401 in the HTTP_RESPONSE_RELEASE event.
Don't forget to set:
ACCESS::restrict_irule_events disable
30-Jan-2023 23:26
Have you tried clientless mode?
when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
}
30-Jan-2023 23:32
I believe that will stop the 302 to /my.policy,
but will it stop the 302 to the OAuth server to get a new or renewed OAuth access token?
31-Jan-2023 13:06
I had thought of that and have tried it previously to override default APM actions, but found that those events are called even with
ACCESS::restrict_irule_events disable
I will give it another go just in case, but previous experience tells me no; I think I had it confirmed by F5 support as well, but it has been a while.
01-Feb-2023 01:17
This had always worked in my projects.
05-Feb-2023 03:38
It seems to be working. I will need to go back and check what happened before.
Anyway, for the record:
when HTTP_REQUEST {
    # reset both flags at the start of every request
    set clmodeflag 0
    set unAuthFlag 0
    switch -glob -- [HTTP::path] {
        "/xxxx/1.0/*" {
            if { [HTTP::header "clientless-mode"] equals "1" } {
                log local0. "set flags for [HTTP::path]"
                set clmodeflag 1
                set unAuthFlag 1
            }
        }
    }
}
Don't forget to set those to 0 at the start of any request:
clmodeflag 1: clientless-mode is set
unAuthFlag 1: send 401 instead of 302
Then:
when HTTP_RESPONSE_RELEASE {
    if { ( [HTTP::status] == 302 ) && ( $clmodeflag == 1 ) && ( $unAuthFlag == 1 ) } {
        # want to send 401 instead of 302
        HTTP::respond 401
    }
}
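As an added example (not code from the thread or from F5), here is one way to put the three pieces discussed above into a single iRule: ACCESS::restrict_irule_events disable so HTTP_RESPONSE_RELEASE fires for APM-generated responses, clientless-mode set only for AJAX calls, and the 302 rewritten to a 401 that carries the redirect target in a JSON body so the front end can start a top-level navigation itself. It assumes the access profile with the OAuth client per-request policy is attached to the virtual server; the "/api/" prefix, the Accept-header heuristic and the JSON body layout are assumptions, not something the thread specifies.

```tcl
# Added example, not the poster's iRule. Assumes an APM access profile with an
# OAuth client per-request policy on the virtual server; "/api/" is a placeholder
# prefix for the XHR endpoints.

when HTTP_REQUEST {
    # Let HTTP_RESPONSE_RELEASE run for responses APM generates itself.
    ACCESS::restrict_irule_events disable

    # iRule variables live for the whole connection, and keep-alive connections
    # carry many requests, so reset per-request state every time.
    set ajax_401 0

    if { [string match -nocase "/api/*" [HTTP::path]] } {
        # XHR marker from the original post; the Accept check is an extra
        # heuristic (assumption) for fetch() callers that do not set X-Requested-With.
        set xhr  [string equal -nocase [HTTP::header "X-Requested-With"] "XMLHttpRequest"]
        set json [string match -nocase "*application/json*" [HTTP::header "Accept"]]
        if { $xhr || $json } {
            # Stop APM sending the caller to /my.policy for this request.
            HTTP::header insert "clientless-mode" 1
            set ajax_401 1
        }
    }
}

when HTTP_RESPONSE_RELEASE {
    # Only rewrite redirects for requests we flagged; the application's own
    # 302s on non-flagged requests pass through untouched.
    if { [info exists ajax_401] && $ajax_401 && [HTTP::status] == 302 \
         && [HTTP::header exists "Location"] } {
        set loc [HTTP::header value "Location"]
        # Minimal JSON escaping (backslash and double quote) for the echoed URL.
        set loc [string map [list \\ \\\\ \" \\\"] $loc]
        HTTP::respond 401 content "{\"error\":\"unauthorized\",\"login_url\":\"$loc\"}" \
            "Content-Type" "application/json" \
            "Cache-Control" "no-store" \
            "WWW-Authenticate" "Bearer"
    }
}
```

The flag is only set on requests that opt in, so a plain browser navigation to the same URI still gets APM's normal 302 flow, while the SPA sees a 401 it can handle and is told where the login redirect would have gone.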