Forum Discussion

Karim's avatar
Karim
Icon for Cirrus rankCirrus
Oct 09, 2018

Using OpenID Connect to authenticate users

Hello all,

I want to use OpenID Connect to authenticate my users before gaining access to one of my application. I want to use my bigip as OpenID Provider (ie: the entity that authenticate the users) . My issue is the following: The OpendID provider (my bigip) never provides me with a ID Token. All I have is an “Access Token” and a “Refresh Token” but no “ID Token”.

Below is a description of my lab:

  • resource owner: ip address 10.10.255.1

  • bigip OpenID Provider: virtual server ip 10.10.255.221 (see below for the access policy)

*The agents are left with their default values.

  • Client: I user openid debugger (https://oidcdebugger.com/) in order to request the authorization code. Then I request the Tokens using an html code.

I do the following for testing :

  • I request the authorization code from the authorization server (ie my virtual server) . For this I use openID Connect debugger to construct the request for me. Here is the request that I send :

    ? client_id=e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b & redirect_uri=https://oidcdebugger.com/debug & scope=openid myscope & response_type=code & response_mode=form_post & state=toto & nonce=7r8saarltr

After sending this request I enter my credentials (in the logon agent), I click on authorize then the virtual server correctly redirects me to:

 

https://oidcdebugger.com/debug code=cae85f6fd33c6b27f56f536b6fd9af2ca0fc78e69ac3d13799533c143b38b4ac&state=toto”

 

I now have a correct authorization code that I can exchange for an “access token” AND a “ID Token” .

  • I then send a POST to get the access and ID Tokens using the following HTML code :

*note the presence of the “openid” in the scope parameter.

However, this is what I get from the authorization server (see in the comment) :

-> I have No “ID TOKEN” ☹

Could you please help me configure my access policy so that it supports OpenID Connect and sends me an “ID Token” ??

access federation
APM
authentication
oauth
openid connect
openid provider
security

8 Replies

Sort By
  • Karim's avatar
    Karim
    Icon for Cirrus rankCirrus
    Oct 09, 2018

    Here is the Tokens I get :

     

    { "access_token":"ewogICJhbGciOiJSUzI1NiIsCiAgImtpZCI6ImFkbWluIgp9.ewogICJ0b2tlbl90eXBlIjoiQmVhcmVyIiwKICAic2NvcGUiOiJteXNjb3BlIiwKICAic2NvcGVfZGF0YSI6WwogICAgewogICAgICAgICJpZCI6Im15c2NvcGUiLAogICAgICAgICJ2YWx1ZSI6ImthcmltIgogICAgfQogIF0sCiAgImlzcyI6Imh0dHBzOi8vb2F1dGgua2FiZS5sYWIiLAogICJteWNsYWltIjoia2FyaW0iLAogICJzdWIiOiIvQ29tbW9uL2thYmVfb2F1dGhfYXV0aG9yaXphdGlvbi5rYXJpbSIsCiAgImp0aSI6ImY5MTQyMGQxMDYzMmNiNmY5MTM2OGU1ODI4ZDdhNWI1YWIxZDRhYWI1ZDVmNTVlN2ZlZjY1NjBiOWFkNjQxMDIiLAogICJpYXQiOjE1MzkwODk3ODMsCiAgImV4cCI6MTUzOTA5MDA4MywKICAibmJmIjoxNTM5MDg5NDgzCn0.aTeXibnRqICbXDT84x7US6eMxx7Sdb5fDUHbpBSjvHVSKPHKRDcOoG76PTm9cOedJAH4WfgCNT1AmKE1uI0C-tUvdSPaBIpVOfLUGec9MyG2Fj1v-eeV3HoEM1RypdYvLAcGLR-AoZgbn2mca40CJPHAyw8yonpdxgNhVR3l4pzmi3xhv9hlnizNjXIG2J2qNU_2lGJfA8L2LoNKF7oEWk77_erutWKLwcuwSIdO2i5Rrr2vNahV-nxI4BG4jQXcgVJS8K4dGOe4gZwK-aBbRoliEX4DG2gLJ4t07BlvboHeHLpy7KagsRu_0yaChxqZ65l1e-zGvBjAhbu3jwAvqw", "expires_in":"300", "token_type":"Bearer", "scope":"myscope", "refresh_token":"CEJ7xkwqXJKPN8PQnnmUlRlSaI5Y6XsvIPzPq3zURuZCLn4AIak7WfasNA-ccM3Ejc1mPv6gxSAO5CgkolyQejGlw9tvIBP16y9kutn66nV7ecl7DMytO3UBQUt55RvAwfhqkyRKkjy4u5DudNOBS4wH20FfIMhM4XY3nto3yINYAewYVzpv4wIhZnZKPXRIq5qEUPhjaU-szAoLfX9aBIRmrhmGoWfgG2T3uQW7fjwfTRFzb_LkzXCi4dsAzq-WjDoBuQ4fSv6cqoRP66P9XygHODPcl0ldaOssH_oVPiXQoppKZ_I_2Bce4qcHmkobzQzZWlVvxFbnvyRCCf9-xN9PpO2d7OYzNO-2wODQEmLSHKSpnRl7Oa8A1nlDA4gZ_ks8OAz1Q0vyZgM9YcCErF1NBUN-wCTMfXBvRcNza-8z9ITDbmKlntIE9XVl9NMTHcvY1RlhLSwwsfYa67ZBSoMX67VP1DCfuD45HoBx6A3Uko4L0PxLpUkD1OzjzINTmoAy6DBlGNXnrFZXa0Aic8OHa7VIn1R0zGTfLmBybHnbZI9rN-nyhjr5vqY-HjxB-K_8X9bpmI39oWS3-eriUK1H03_M_t0VO6je3SEXK1GbgjyW2owuhZR4dBgk_eK1M9iSSiHt8Gau1bfl-9t3_prnVlrKips3aIAWIyz2q3yJLytNlejWZXTmycafdqFHerO14Dq4BG1mTcQBjeT7UBP-V3g" }

     

  • Karim's avatar
    Karim
    Icon for Cirrus rankCirrus
    Oct 09, 2018

    Below is my oauth configuration :

     

    apm profile oauth /Common/kabe_ouath {
    app-service none
    audience none   
    client-apps {
        /Common/kabe_postman { }
    }
    issuer https://oauth.kabe.lab
    jwt-refresh-token-enc-key $M$Dz$pa6iJ2laNDA7DK2Lk9Lhl0yvxZWSXuUMaMOpe681aKsJaBh+u9fViazYSWYRhITn
    jwt-token enabled
    opaque-token disabled
    primary-key /Common/kabe_jwt_key
}
apm oauth oauth-client-app /Common/kabe_postman {
    app-name openid_debuger
    client-id e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b
    client-secret 7c40cd50e3a99c99caefb35d6cfa000c29267803efc0bb5b
    customization-group /Common/kabe_postman_oauth_authz_client_app_customization
    grant-code enabled
    redirect-uris { https://oidcdebugger.com/debug }
    scopes {
        /Common/kabe_scope { }
    }
}
apm oauth oauth-scope /Common/kabe_scope {
    customization-group /Common/kabe_scope_oauth_authz_scope_customization
    scope-name myscope
    scope-value "%{session.logon.last.username}"
}
apm oauth jwk-config /Common/kabe_jwt_key {
    alg-type RS256
    cert /Common/default.crt
    cert-chain /Common/default.crt
    cert-key /Common/default.key
    cert-thumbprint-sha1 nbfOLqFiwWesgPxQXUrvoCyyZBk
    cert-thumbprint-sha256 ha7lBh7DSPvDzMtboP2NJ9zcI4B8wo9oJhy8sHeng3w
    key-id admin
    modulus p6Vhksrx3oxndL1ZOBS4CoCVumA_xw4n31yftdAyeiL3NRPO-        Pa4sAopJ3S1f5joQeYLQWcxRvhp94SgeklF_BDk8gGLAjloCs1ENmCt84ktULPiItOCrHx_zsjm-dO7Dmj7RwTQahqzipLq1BN0Bqaf35jNcVOTdR1CbW2qRDGmpl407Bk9VKaHIHv17ivZW4ACWoWgyx884FTzmIr5juAEOPuJvcq_pJNctrmK6VUrumNX-uTtsHg36FGVZSVcfcZnhKOUzhwT9fD9uD1xdlmQJLbHipZM8GpKsfGm-NdnmuLiK47L9PYiEleXVOF6McT3zmj3DRW1NztnH80isw
    passphrase $M$8p$wqUeSn31SPsxWhnp4opxnA==
    public-exponent AQAB
}
  • ymichielsen's avatar
    ymichielsen
    Icon for Nimbostratus rankNimbostratus
    Oct 31, 2018

    Support for this only seems to start in version 14.0.0.

     

    From the release notes:

     

    Authorization server support for OpenID Connect

     

    APM includes OpenID Connect support in the APM Authorization Server Framework for ID token and UserInfo generation.

     

  • Brett_Jarvis_36's avatar
    Brett_Jarvis_36
    Icon for Nimbostratus rankNimbostratus
    Nov 13, 2018

    We have upgraded to version 14.0.0.1 build 002 and have OAuth 2 working as an authorization server. We would like to enable OpenID in order to access ID token so we can request UserInfo attributes. Has anyone successfully enable OpenID on the F5(Provider)? Anyone have a working example?

     

    • Eric_Chen_12394's avatar
      Eric_Chen_12394
      Historic F5 Account
      Jan 29, 2019

      In my own lab environment I had to disable opaque tokens and enable jwt (14.1).

      The following is roughly what it looks like

       

      apm profile oauth oauth-oidc-profile {
app-service none
audience none
client-apps {
    oauth-oidc-client { }
}
id-token-primary-key myrsa
issuer https://issuer.example.com
jwt-refresh-token-enc-key  [redacted]
jwt-token enabled
opaque-token disabled
openid-connect enabled
primary-key myrsa
resource-servers {
    oauth-api-rs { }
}
userinfo-primary-key myrsa
}

       

      Results in

       

      {
"access_token": "ewog...NifA",
"expires_in": 300,
"token_type": "Bearer",
"scope": "openid",
"refresh_token": "nrY...i62",
"id_token": "ewog...LUCA"
}

       

  • paulfish's avatar
    paulfish
    Icon for Nimbostratus rankNimbostratus
    Feb 06, 2019

    This helped alot however be aware, in a HA pair if you use the default .crt/.key as per this config you will get sync errors, it's not immediately obvious.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/big-ip-access-policy-manager-oauth-configuration-14-1-0/04.html

     

    For Certificate File, select a certificate. Important: Do not select the default certificate when the BIG-IP system is on a chassis platform or is included in an HA pair. F5 strongly discourages the use of the default certificate in a JWK in any configuration. For Certificate Key, select one. Important: Do not use the default key when the BIG-IP system is on a chassis platform or is included in an HA pair. F5 strongly discourages the use of the default key in a JWK in any configuration.

     

  • Nolan_Jensen's avatar
    Nolan_Jensen
    Icon for Cirrostratus rankCirrostratus
    Feb 14, 2022

    I was wondering if anyone figured out why user info is not being provided to servcie provider?  I am trying to connect ESRI using open ID but keep getting user profile parameter is not received from providor.  

    I know I have ESRI configured correctly because if I use google as my IDP for oauth I am able to authenticate.  

    I tried to create a scope of openID in version 14.1 and said that can't be used.  

    Oauth profile:
    I have Opaque Token turned off
    I have support for JWT Token and OpenID connect enabled

    It is also strange that teh userinfo endpoint url page won't come up but that may be because you can't access it directly.

    Anythoughts would be great.  Thank you