introspect
3 Topics

F5 both as oauth provider and F5 resource server JWT introspect issue (JWK)

Dear all, We have an F5 Access policy that is configured for Oauth server and provides the access tokens and / or JWT. We have another Access policy configured as the F5 oauth resource server that acts as the API gateway (which is a pool behind the F5).

Everything works when we perform external validation in the F5 resource server Access policy, which basically performs a scope check towards the F5 oauth server using introspect URL. It connects externally, hence the name external. So with this we only use the access token and are not using JWT.

So the problem we have is when we change the validation to internal mode for the scope authorization object inside the Access profile. So with this it should validate the JWT payload (access token and claims included in payload). We request the JWT using parameter token_content_type=jwt and we do successfully receive the JWT from the F5 oauth server. So from here all good, now we use this JWT encoded access token as the authentication bearer and perform a request to the F5 resource server to connect to the API server hosted behind the F5.

No matter what we do with this "internal JWT validation method" we always receive

Bearer error="invalid_token",error_description="None of the configured JWK keys match the received JWT token"

and HTTP 401 not authorized in the response. We have actually successfully and automatically retrieved the F5 oauth server keys so the F5 oauth resource server should be able to verify the JWT payload, however it fails.

Perhaps someone here has some experience with using JWT and F5 as the Oauth server and F5 resource server to perform retroinspect with internal validation mode set in the Access profile for the Scope authorization check with the same problem related to JWKs validation?

Solved | 1.5K Views | 0 likes | 4 Comments

F5 Oauth server introspect JWT access token from external server
Dear all, I already have set up an F5 as oauth client, F5 as oauth server (AS) and F5 as API gateway where F5 performs the introspect internally in its oauth database. So that is all working fine.

Now we would like to perform introspect from an external server / API gateway towards the F5 and we are using JWT access tokens generated by F5 oauth server. I would assume the endpoint is /f5-oauth2/v1/introspect and we should define resource-server-id, resource-server-secret and access-token. According to the F5 documentation it is used only for Opaque tokens but that is not recommended as best practice is to use JWT.

"/f5-oauth2/v1/introspect as token introspection endpoint for validating Opaque tokens"

Now the question: how am I able to perform introspect from an external API server towards the F5 oauth server to validate that the provided JWT access token is still valid?

1.1K Views | 0 likes | 1 Comment

Issue validate token
What is needed to get f5-oauth2/v1/Introspect?

token => access_token
client_id => xxxxx
client_secret => xxxx

Shows

/Common/OAuth:Common: Request Introspect Token from Source ID xxxxxxxxxx IP xx.xx.x.xxx failed. Error Code (invalid_request) Error Description (Invalid parameter (token).)

277 Views | 0 likes | 2 Comments