Refresh token introspect

Dmitriy_Sysoev
Nimbostratus

Hi All!

I use APM OAuth2.

Is there any way to find out when the refresh token was generated?

 

Introspect or something else?

 

Thank you!

6 REPLIES

I have only used JWT tokens but opaque tokens should be saved to the local database.

 

Have you tried reviewing it from the GUI or CLI?

 

https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_db-instance.html

 

Outside of that, you may generate a report under OAuth Reports >> Tokens.

 

 

deleted

Nikoolay, thank you for the reply, but I mean how I can get the refresh token issued date from the access policy.

As I mentioned, it is better to open the local APM database for OAuth from the GUI or CLI. Outside of that, as I mentioned, I am using JWT, so I can't say without testing, but you can see what session variables are available for OAuth (they should start with session.oauth) and extract the info if it is there:

 

https://my.f5.com/manage/s/article/K000130351

https://clouddocs.f5.com/api/irules/ACCESS__session.html

 

LiefZimmerman
Community Manager

@Dmitriy_Sysoev - If your post was solved it would be helpful to the community to select *Accept As Solution*.
This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief

@Dmitriy_Sysoev  I had some time to play with this.

 

As the tokens are encrypted, you will need to use a variable assign agent to decrypt them, and then you can display them with sessiondump, in the GUI with a "message box" agent, in the logs with a "Logging" agent, etc. You can even use the API, as sessiondump is a Linux command:

https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_command_module.html

 


 

 

This article will give you the idea, and by adding the refresh token to the logs, even after the session is over you can see the token in /var/log/apm or in a SIEM if you are sending the logs to a syslog server, but be careful with the security concerns!

 

https://my.f5.com/manage/s/article/K07645403

https://my.f5.com/manage/s/article/K11123

 

 

[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep token
e233abe6.session.oauth.client./Common/AS-Opaque-Test.access_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.refresh_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.token_type 6 Bearer
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.access_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.refresh_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.token_type 6 Bearer
e233abe6.session.oauth.client.last.access_token 10 **********
e233abe6.session.oauth.client.last.refresh_token 10 **********
e233abe6.session.oauth.client.last.token_type 6 Bearer

 


[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep custom
e233abe6.session.client.browscap_info 103 uimode=0&ctype=Mozilla&cversion=5&cjs=1&cactivex=0&cplugin=0&cplatform=Win10&cpu=x64&ccustom_protocol=1
e233abe6.session.client.custom_protocol 1 1
e233abe6.session.custom.refresh 64 68bee27f2978728636b7a680063216b40df3c0fc2ce0773ca1ef677e8c4e2169
[root@bigip3:Active:Standalone] config #
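
An added example, not part of the reply above and not F5 tooling: a bash function that audits `sessiondump --allkeys` output for session variables holding an unmasked, token-like value, such as the `session.custom.refresh` copy shown in the listing. The function names, the 32-character threshold and the hex value in the sample are assumptions made for this example; the line format (`<sid>.<variable> <length> <value>`) is taken from the output above.

```shell
#!/bin/bash
# Added example: find session variables that expose token material in clear
# text. sessiondump masks the built-in OAuth token variables with asterisks,
# but a custom variable assigned from a decrypted token is stored unmasked.

# Constructed sample in the format shown in the thread. The 64-character hex
# value is a made-up placeholder, not a real token.
sample_dump() {
cat <<'EOF'
e233abe6.session.oauth.client.last.access_token 10 **********
e233abe6.session.oauth.client.last.refresh_token 10 **********
e233abe6.session.oauth.client.last.token_type 6 Bearer
e233abe6.session.client.browscap_info 103 uimode=0&ctype=Mozilla&cversion=5&cjs=1&cactivex=0&cplugin=0&cplatform=Win10&cpu=x64&ccustom_protocol=1
e233abe6.session.client.custom_protocol 1 1
e233abe6.session.custom.refresh 64 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

# Reads sessiondump lines on stdin and prints "<sid> <variable> <length>" for
# every variable whose value is not masked and looks like an opaque token.
# The value itself is never printed, so the report is safe to log or ticket.
find_cleartext_tokens() {
    awk '
    NF >= 3 {
        key = $1; len = $2
        value = $0
        sub(/^[^ ]+ +[^ ]+ +/, "", value)      # keep values that contain spaces intact
        dot = index(key, ".")
        if (dot == 0) next                       # not a <sid>.<variable> line
        sid = substr(key, 1, dot - 1)
        var = substr(key, dot + 1)
        if (value ~ /^\*+$/) next                # masked by sessiondump
        # Heuristic (assumption): 32 or more characters drawn only from the
        # alphabet used by hex, base64 and base64url encoded tokens.
        if (length(value) >= 32 && value ~ "^[A-Za-z0-9._~+/=-]+$")
            print sid, var, len
    }'
}

# On a BIG-IP: sessiondump --allkeys | find_cleartext_tokens
sample_dump | find_cleartext_tokens
```

Any variable this reports is also what a "Logging" agent would write to /var/log/apm and forward to a SIEM, so it shows where access to the session database and the log pipeline needs to be restricted.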