sricharan61
Feb 21, 2020

Why F5 APM responds with a 200 OK instead of 302 to the original landing URI, for the /oauth/client/redirect replyback URI call, when the first call before Auth_redirect to AzureAD was a POST instead of a GET

Why F5 APM responds with a 200 OK instead of a 302 redirect to the original landing URI, for the /oauth/client/redirect replyback URI call coming into F5, when the first call before Auth_redirect to AzureAD was a POST instead of a GET.

Scenario:

1) Browser trace output for the GET scenario

a) Initial client request before the user clicks on sign in that triggers the AzureAD auth-redirect

Request URL: https://www.abc.com/home/path/account/abc.aspx?

Request Method: GET

Status Code: 302 Found

b) When the user clicks on sign in, // auth_redirect based request call from client //

Request URL: https://login.microsofonline.com/xxxxxxxx-bbbb-yyyyyyyy-eeeeeeeeeee/oauth2/v2.0/authorize?p=soandso&brand=sosososo&client_id=asdfsadfsad-asdfsf--sadfsafd-sdfsdfsadfs&grant_type=authorization_code&id_token=code&profile=profile_&redirect_uri=https%3A%2F%2Fwww.abc.com%2Foauth%2Fclient%2Fredirect&response_type=code&scope=https%3A%2F%2Flogin.microsoftonline.com%blablabla&state=qwesgergshrthrheahsgtjhrestd

Request Method: GET

Status Code: 200 OK

c) After Azure signs the user in and responds back with a reply back URI /oauth/client/redirect/, the client calls that path, and F5 APM responds with 302 and Location as the landing URI called initially with a GET in a) // the page at which the client was before the Azure login redirect was triggered //

Request URL: https://www.abc.com/oauth/client/redirect?state=5WYqmkC6LIND5vdzW3NdEuw&code=bla2

Request Method: GET

Status Code: 302 Found

Location: /home/path/account/abc.aspx?

2) Browser trace output for the POST scenario

a) Initial client request before the user clicks on sign in that triggers the AzureAD auth-redirect

Request URL: https://www.abc.com/home/path/account/abc.aspx?

Request Method: POST

Status Code: 302 Found

b) When the user clicks on sign in, // auth_redirect based request call from client //

Request URL: https://login.microsofonline.com/xxxxxxxx-bbbb-yyyyyyyy-eeeeeeeeeee/oauth2/v2.0/authorize?p=soandso&brand=sosososo&client_id=asdfsadfsad-asdfsf--sadfsafd-sdfsdfsadfs&grant_type=authorization_code&id_token=code&profile=profile_&redirect_uri=https%3A%2F%2Fwww.abc.com%2Foauth%2Fclient%2Fredirect&response_type=code&scope=https%3A%2F%2Flogin.microsoftonline.com%blablabla&state=asdfasfdgsdghfdjhggfjhgfkj

Request Method: GET

Status Code: 200 OK

c) After Azure signs the user in and responds back with a reply back URI /oauth/client/redirect/, the client calls that path, and F5 APM responds with 200 instead of 302 as you see in 1) c)

Request URL: https://www.abc.com/oauth/client/redirect?state=5ku8FTAK6ZBC-yej483vK8w&code=bla

Request Method: GET

Status Code: 200 OK