jwt
12 TopicsEdge Client OAuth with Azure
Hello All, I tried OAuth feature on Edge Client with Azure as IDP. It works, I receive the Access Token and connect successfully. The problem is that Policy does not parse the JWT token and just stores it as secure variable. So I have no information about the user. I can parse it with an irule, but I expected to be parsed automatically, lilke when you use an OAuth Client in VPE. Am I missing something?46Views0likes0CommentsAPM: OAUTH2 JWT Token with groups claim
Hello and happy new year 😉 We use APM as OAuth Authorization Server to create JWT token for apps. One of our customers wants to use the MicroProfile JWT(MP-JWT) for his application, that needs some specific claims: https://github.com/eclipse/microprofile-jwt-auth/blob/master/spec/src/main/asciidoc/interoperability.asciidoc One requirement is to encode the groups claim in JSON array: "groups": ["red-group", "green-group", "admin-group", "admin"] We now try to set the claim with groups from the Active Directory. With an iRule, I filtered the AD groups (from memberOf) and set a new APM variable (session.custom.groups) with this value: ["red-group", "green-group", "admin-group", "admin"] When I now add a claim groups with %{session.custom.groups} as value, I see that string in my JWT token: "groups": "[\"red-group\", \"green-group\", \"admin-group\", \"admin\"]" So the value is escaped and has is in quotation marks. Is there any chance to send claims as JSON array? Any help would be appreciated.2.9KViews0likes25CommentsUsing Custom OAuth Client iRules
How do I use iRules with OAuth Server Profile? What are the valid events that will fire to trigger execution. Products docs just say "attach and iRule if you want customization". https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-1-0/37.html Under heading "Configuring OAuth servers for APM as a client"610Views2likes2CommentsF5 Oauth server introspect JWT access token from external server
dear all, I already have setup a F5 as oauth client, F5 as oauth server (AS) and F5 as API gateway where F5 performs the introspect internally in its oauth database. So that is all working fine. Now we would like to perform introspect from an external server / API gateway towards the F5 and we are using JWT access tokens generated by F5 oauth server. I would assume the endpoint is /f5-oauth2/v1/introspect and we should define resource-server-id, resource-server-secret and access-token. According to the F5 documentation it is used only for Opaque tokens but that is not recommended as best practice is to use JWT. /f5-oauth2/v1/introspect as token introspection endpoint for validating Opaque tokens Now the question, how am I able to perform introspect from an external API server towards the F5 oauth server to validate that the provided JWT access token is still valid?1.1KViews0likes1CommentiRule - jwt is generated prior to authentication
Hoping you guys could shed some light on this, all our efforts have failed so far Scenario: Client hits https://service.com/example Initial uri is stored in an sessions variable called session.server.landinguri Client is redirected to IdP(F5 SAML federation with IDP) Authentication takes place and if completed the client is redirected to the landinguri and a jwt is signed and generated via an iRule (signature, username etc) jwt is passed to the URI (yes, the applications requires this. HTTP header via authorization header is not supported) We have tried generating the jwt in the APM but are unable to decrypt it in to proper format for appending to the URI. This is why we are doing this in an iRule Our problem is that the iRule jwt is being generated at the start of the APM in the initial session BEFORE the authentication is taking place which results in e.g an empty username being displayed. We have been experimenting withACCESS_POLICY_AGENT_EVENT but cant get things to work as it still picks up the jwt that is generated prior to SAML authentication. When debugging we can see 3 jwts being generated in the flow, the first one with an empty username, the following 2 (after successful auth) contain the correct info. Any advice on troubleshooting this is highly appreciated!Solved1.6KViews0likes2CommentsF5 OAUTH JWT error "failed trust verification with trusted CA bundle"
Hello to All, I tried using F5 as an OAUTH server that generates JWT tokens on 16.1.3.2 but I get the error "01071ca5:3: The JWK config (/Common/F5-CA) associated to OAuth profile (/Common/F5-Oauth-Server-JWT) failed trust verification with trusted CA bundle (/Common/clientCA-cert). " . I generated my own CA cert following "K14499: Using OpenSSL to create CA and client certificates (11.x - 16.x" https://support.f5.com/csp/article/K14499 Maybe I am doing something wrong or it is a bug but I am not certain as I do not have not worked with F5 as an Oauth JWT server. I am checking just really fast with the community as this is not something critical but if someone has seen this I will be happy to get a feedback 🙂 With or without Certificate Chain it is the same error or X5C. I am wondering as the certificate is 2048 bits RSA ifit should be 256 but I think this shouldn't matter. As a workaround I am using Octed JWT Key with a long shared password generated by a password generator that works. Also I tested with opaque keys as shown in https://support.f5.com/csp/article/K14391041 and it works but with those keys I do not think there is a way the F5 Auth server to return some usefull info like AD groups/emails to to the Oauth Client that is another F5 device as with JWT this is done with Claims. I did not find if F5 as an Oauth Authorization server supports UserInfo Request URI where after the authorization code that the web browsers provide is exchanged for Opaque Access token to configure what info the F5 Oauth Server to provide to the F5 Oauth Client but maybe some knows this. To bad that for OpenID Connect the JWT needs first to be enabled for the Oauth profile and thisagain means using Octed JWT Keys for either Access or ID tokens 😞728Views0likes2CommentsAPM JWT Multiple Providers NOT WORKING
Dear F5 community, Using F5 APM 16.1.3 (as an oauth resource server) I am trying to implement a per-request policy that will verify the signature of JWT tokens sent by the client. These JWT tokens can be issued from two differents issuer (Azure AD or STS). I am able to verify JWT tokens for each provider seperatly using a dedicated "JWT provider" with only one Provider attached. When using 2 providers as follow I got following error message: WWW-Authenticate:Bearer error="invalid_token",error_description="Issuer Mismatch : Claim issuer= https://sts.windows.net/ Provider issuer=https://login.microsoftonline.com/v2.0" Based on F5 doc below, the built-in object supports having multiple JWT providers https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/apm/apm_oauth_jwt-provider-list.html Configuration is pretty simple: - 1 Access Policy with "Allow" all ending - 1 Per-Request Policy with "OAuth Scope" set to "Internal" with the "jwt-allowed-providers-list" I guess It is most likely a bug. Anyone was able to make it work with multiple JWT providers ? I can workaround this by parsing the JWT payload, then determining the issuer and based on the issuer make two branches in the VPE: - first branch with the "oauth scope A" that will validate the token using JWT-Provider-A - second branch with the "oauth scope B" that will validate the token using JWT-Provider-B Thanks2.1KViews1like5Commentsoauth server generated jwt token problem
Hi all, We have a customer try to do oauth with a dovecot server, they have the following problems using the f5 as a oauth server: The "typ" jwt header is missing, this should be set to "JWT". F5 set the JWT token nbf (not valid before) to some minutes in the past, this breaks dovecot auth. Customer want to use the following oauth features, are these supported? https://openid.net/specs/openid-connect-frontchannel-1_0.html https://openid.net/specs/openid-connect-backchannel-1_0.html Do you know how the above could be customized in f5 to set to values the dovecot would accept? Thank you for any hint. Peter1.2KViews3likes5CommentsIn the oauth profile unable to select JWT keys
2 keys are created in the JWT keys configuration, however when trying to configure the Oauth profile, select checkbox Support JWT Token the JWT Primary Key select box is empty. https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-oauth-configuration/using-apm-as-an-oauth-2-server.html Key are available here in same partition Access››Federation:JSON Web Token:Key Configuration Within the Oauth profile unable to select the keys Access››Federation:OAuth Authorization Server:OAuth Profile Someone got any idea why this is occurring?706Views1like3CommentsAuthorization Header Defined as Unparsable by F5_ASM
One of our development teams is adding a new OAUTH token feature to an application. Sending the JSON call with the Authorization header creates an error within F5_ASM (ver 15.13): HTTP ValidationUnparsable request content Details Unparsable authorization header value I also see that the Authorization header's data is masked, though there's no settings for the Authorization header in the policy. What are my best options for troubleshooting this issue?932Views0likes3Comments