big-ip oauth
6 Topics

OAuth refreshing the access token scope bug
Hi guys! I need some help with OAuth AS. If the refresh token was initially issued for the scopes "A B C" the only scope option to refresh access tokens is nothing but "A B C" exactly. "scope A", "scope A B", even "scope C B A" options throw exception:

    "error": "access_denied"
    "error_description": "Given scope is different from the access token's scope"

But according to the RFC 6749 the scopes for refreshed access token must be just less than originally requested scopes.

    scope
        OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

Is it some sort of a bug or smth? Is it possible to somehow eliminate this restriction?

Thank you, Mikhail

370 Views, 0 likes, 2 Comments

F5 APM as OAuth Authorization server and Resource server
I’m using F5 as both Authorization server and Resource server. Haven’t set up client server yet so it accepts any username and any password. When testing in Postman, I can generate token and pass them via request header but when submitting the GET request I’m seeing 503 DNS resolver error in the response headers. Please help.

601 Views, 0 likes, 4 Comments

Authenticating Kubernetes Demo
Following up my article Authenticating Kubernetes I want to show you the completed and running environment. Here is a demonstration of the Kubernetes API/Dashboard authentication with BIG-IP using mTLS, Basic Auth (Username/Password), and OAuth Tokens. This illustrates how BIG-IP Access Policy Manager (APM) can securely authenticate to Kubernetes using multiple methods and capture audit logs via BIG-IP Application Security Manager (ASM). As always, please let us know if you have questions.

Further Reading

Authenticating Kubernetes @ DevCentral
F5 Container Connector - Kubernetes @ Clouddocs.f5.com
F5 Kubernetes Repositories @ github.com/F5Networks
Authenticating @ kubernetes.io

299 Views, 0 likes, 1 Comment

Issue validate token
What is needed to get f5-oauth2/v1/Introspect?

    token => access_token
    client_id => xxxxx
    client_secret => xxxx

Shows

    /Common/OAuth:Common: Request Introspect Token from Source ID xxxxxxxxxx IP xx.xx.x.xxx failed. Error Code (invalid_request) Error Description (Invalid parameter (token).)

285 Views, 0 likes, 2 Comments

OAUTH TOKEN IN F5 LTM
How can I enable the LTM to successfully perform oAuth functionality? I have a virtual server, 10.1.120.10, which load-balances effectively for the CRM application. However, within the application, there is an oAuth token, which doesn't work on the Virtual Server IP but is effective on individual servers.

http://10.1.120.18:6001/UserManagement/appmanager/care/login?oAuthToken=artwtrwertwerr&MSISDN=9039166811&userName=edating works well. (INDIVIDUAL NODE)

However, (Virtual Server), http://10.1.120.10/UserManagement/appmanager/care/login?oAuthToken=artwtrwertwerr&MSISDN=9039166811&userName=edating gives an error.

I only have a normal redirect iRule configured.

    when HTTP_REQUEST {
        if { [HTTP::host] equals "10.1.120.10" && [HTTP::uri] equals "/"} {
            HTTP::respond 301 noserver Location "; Cache-Control "max-age=7200"
        }
    }

236 Views, 0 likes, 0 Comments

Big-IP v13.0.0 OAuth architecture
Can someone explain how OAuth works in F5? I know there are some articles on the support site which is great, but I'm trying to understand the flow of how each component communicates (OAuth Authorization Server, OAuth Client, OAuth Resource Server etc). Basically I'm confused around the configuration pieces of each component. A scenario would help a lot of people out there. Any help is greatly appreciated! Thanks in advance!

146 Views, 0 likes, 0 Comments