Refresh token introspect

Dmitriy_Sysoev · ‎24-May-2023

Hi All!

Use APM Oauth2.

Is there any way to find out when the refresh token was generated?

introspect or smth else?

Thank you!

Nikoolayy1 · ‎25-May-2023

I have only used JWT tokens but opaque tokens should be saved to the local database.

Have you tried reviewing it from the GUI or CLI?

https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_db-instance.html

Outside of that you may generate report OAuth Reports >> Tokens.

Dmitriy_Sysoev · ‎25-May-2023

deleted

Dmitriy_Sysoev · ‎26-May-2023

Nikoolay, thank you for reply, but i mean how i can get the resfresh token issued date from access policy

Nikoolayy1 · ‎29-May-2023

As I mentioned better to open the local apm database for oauth from th gui or cli. Outside of that as I mentioned I am using JWT, so I can't say without testing but you can see what session variables are available for oauth (they should start with session.oauth) and extract the info if it is there:

https://my.f5.com/manage/s/article/K000130351

https://clouddocs.f5.com/api/irules/ACCESS__session.html

LiefZimmerman · ‎20-Jun-2023

@Dmitriy_Sysoev - If your post was solved it would be helpful to the community to select *Accept As Solution*.
This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief

Nikoolayy1 · ‎27-Jun-2023

@Dmitriy_Sysoev I had some time to play with this.

As the tokens are encrypted you will need to use a variable assign agent to decrypt them and then you can display them with sessiondump or in the GUI with a ''message box'' agent or in the logs with a "Logging" agent etc. You can use even API as the session dump is a linux command:

https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516

https://clouddocs.f5.com/products/orchestration/ansible/devel/modules/bigip_command_module.html

This article will give you the idea and by adding the refresh token in the logs, even after the session is over you can see the token in the /var/log/apm or in a SIEM if you are sending the logs to a syslog server but be carefull with the security concerns ! :

https://my.f5.com/manage/s/article/K07645403

https://my.f5.com/manage/s/article/K11123

[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep token
e233abe6.session.oauth.client./Common/AS-Opaque-Test.access_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.refresh_token 10 **********
e233abe6.session.oauth.client./Common/AS-Opaque-Test.token_type 6 Bearer
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.access_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.refresh_token 10 **********
e233abe6.session.oauth.client./Common/access-oauth-client-res_act_oauth_client_ag.token_type 6 Bearer
e233abe6.session.oauth.client.last.access_token 10 **********
e233abe6.session.oauth.client.last.refresh_token 10 **********
e233abe6.session.oauth.client.last.token_type 6 Bearer

[root@bigip3:Active:Standalone] config # sessiondump --allkeys | grep custom
e233abe6.session.client.browscap_info 103 uimode=0&ctype=Mozilla&cversion=5&cjs=1&cactivex=0&cplugin=0&cplatform=Win10&cpu=x64&ccustom_protocol=1
e233abe6.session.client.custom_protocol 1 1
e233abe6.session.custom.refresh 64 68bee27f2978728636b7a680063216b40df3c0fc2ce0773ca1ef677e8c4e2169
[root@bigip3:Active:Standalone] config #

DevCentral

Refresh token introspect

Sep 26th, 2023
MFA required on DevCentral

DevCentral

Refresh token introspect

Sep 26th, 2023MFA required on DevCentral

Sep 26th, 2023
MFA required on DevCentral