Resource Server
2 Topics

APM JWT Multiple Providers NOT WORKING
Dear F5 community,

Using F5 APM 16.1.3 (as an OAuth resource server) I am trying to implement a per-request policy that will verify the signature of JWT tokens sent by the client. These JWT tokens can be issued by two different issuers (Azure AD or STS). I am able to verify JWT tokens for each provider separately using a dedicated "JWT provider" with only one Provider attached. When using 2 providers as follows, I got the following error message:

WWW-Authenticate: Bearer error="invalid_token", error_description="Issuer Mismatch : Claim issuer= https://sts.windows.net/ Provider issuer=https://login.microsoftonline.com/v2.0"

Based on the F5 doc below, the built-in object supports having multiple JWT providers:
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_jwt-provider-list.html

Configuration is pretty simple:
- 1 Access Policy with "Allow" all ending
- 1 Per-Request Policy with "OAuth Scope" set to "Internal" with the "jwt-allowed-providers-list"

I guess it is most likely a bug. Was anyone able to make it work with multiple JWT providers?

I can work around this by parsing the JWT payload, then determining the issuer and, based on the issuer, making two branches in the VPE:
- first branch with "oauth scope A" that will validate the token using JWT-Provider-A
- second branch with "oauth scope B" that will validate the token using JWT-Provider-B

Thanks

ACCESS::disable with policy "OAuth-Resource Server" ?
Hello,

Does anyone know if an equivalent of "ACCESS::disable" is possible on an "OAuth-Resource Server" APM policy? In the end I want to allow pre-flight CORS calls to bypass the APM. I tried this iRule but it seems not to be working with F5 as "oauth RS"; I still get the response "HTTP/1.1 400 Bad Request" because auth failed.

Thanks
Alexandre.

```tcl
when HTTP_REQUEST {
    # Match only genuine CORS preflights: OPTIONS carrying the
    # Access-Control-Request-* headers and an Origin header.
    # Note: ends_with is a suffix match, so any origin ending in the
    # placeholder string passes; an exact match or a data group is stricter.
    if { ([HTTP::method] eq "OPTIONS") &&
         [HTTP::header exists "Access-Control-Request-Method"] &&
         [HTTP::header exists "Access-Control-Request-Headers"] &&
         [HTTP::header exists "Origin"] &&
         ([HTTP::header Origin] ends_with "XXXXXXXXXXX") } {
        #log local0. "Disable apm - [HTTP::method] - [HTTP::host][HTTP::uri]"
        ACCESS::disable
    }
}
```
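The issuer-based branching proposed as a workaround in the first topic above (parse the payload, pick the provider by issuer, then validate with that provider), written out as an added Python example. This is not F5 code and not either poster's code; it shows the logic a VPE branch would implement on any resource server. The unverified `iss` claim is read only to select a provider; the signature is then checked with that provider's key alone, and the verified `iss` must equal the selected provider's issuer, so a token cannot steer itself to a provider it was not signed for. The tenant id, provider URLs and HS256 secrets are constructed for the demo; real Azure AD and STS tokens are RS256 and would be checked against each provider's JWKS instead. One caveat relevant to the mismatch error quoted above: Azure AD v1.0 access tokens carry an `iss` of `https://sts.windows.net/{tenant}/`, while v2.0 tokens carry `https://login.microsoftonline.com/{tenant}/v2.0`, so the provider's configured issuer must match the token version the client's app registration actually issues.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Token rejected; a resource server would answer 401 with WWW-Authenticate: Bearer."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed provider table (hypothetical tenant id, demo HS256 secrets).
# Each entry plays the role of one APM "JWT provider": an issuer plus its verification key.
TENANT = "11111111-2222-3333-4444-555555555555"
PROVIDERS = {
    f"https://sts.windows.net/{TENANT}/": {
        "name": "AzureAD-v1", "secret": b"demo-secret-azure-v1"},
    f"https://login.microsoftonline.com/{TENANT}/v2.0": {
        "name": "AzureAD-v2", "secret": b"demo-secret-azure-v2"},
    "https://sts.example.internal/": {
        "name": "Internal-STS", "secret": b"demo-secret-internal-sts"},
}


def peek_issuer(token: str) -> str:
    """Return the iss claim WITHOUT verifying anything; use it only to choose a provider."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        raise AuthError("malformed payload")
    iss = payload.get("iss") if isinstance(payload, dict) else None
    if not isinstance(iss, str):
        raise AuthError("missing iss claim")
    return iss


def verify_hs256(token: str, secret: bytes, expected_issuer: str, now=None) -> dict:
    """Check the signature first, then issuer and expiry; return the now-trusted payload."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("malformed token")
    # Pin the algorithm on the server side; never let the token's alg choose the check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    if not isinstance(payload, dict) or payload.get("iss") != expected_issuer:
        # The condition APM reports as "Issuer Mismatch": verified iss differs from provider issuer.
        raise AuthError(f"issuer mismatch: claim={payload.get('iss')!r} provider={expected_issuer!r}")
    current = now if now is not None else time.time()
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= current:
        raise AuthError("token expired or missing exp")
    return payload


def authenticate(token: str, providers=PROVIDERS, now=None) -> tuple:
    """Branch on the unverified issuer, then verify with only that provider's key."""
    iss = peek_issuer(token)
    cfg = providers.get(iss)
    if cfg is None:
        raise AuthError(f"unknown issuer {iss!r}")
    payload = verify_hs256(token, cfg["secret"], iss, now)
    return cfg["name"], payload


def mint_token(payload: dict, secret: bytes) -> str:
    """Constructed sample-token builder for the demo; stands in for the real issuers."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    now = time.time()
    for iss, cfg in PROVIDERS.items():
        tok = mint_token({"iss": iss, "sub": "alice", "exp": now + 600}, cfg["secret"])
        print(cfg["name"], "->", authenticate(tok, now=now)[0])
    # A token claiming the internal STS issuer but signed with the Azure v1 key must be rejected.
    forged = mint_token({"iss": "https://sts.example.internal/", "sub": "mallory", "exp": now + 600},
                        PROVIDERS[f"https://sts.windows.net/{TENANT}/"]["secret"])
    try:
        authenticate(forged, now=now)
    except AuthError as err:
        print("rejected:", err)
```

In APM terms, `peek_issuer` is the payload-parsing step before the branch, each `PROVIDERS` entry is one JWT provider, and `verify_hs256` is what the per-branch OAuth Scope agent does with that single provider. The cross-signed case in the demo is the reason the selection must come from the unverified claim but the acceptance must come from the key.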