APM: OAUTH2 JWT Token with groups claim
Hello and happy new year 😉 We use APM as OAuth Authorization Server to create JWT token for apps. One of our customers wants to use the MicroProfile JWT(MP-JWT) for his application, that needs some specific claims: https://github.com/eclipse/microprofile-jwt-auth/blob/master/spec/src/main/asciidoc/interoperability.asciidoc One requirement is to encode the groups claim in JSON array: "groups": ["red-group", "green-group", "admin-group", "admin"] We now try to set the claim with groups from the Active Directory. With an iRule, I filtered the AD groups (from memberOf) and set a new APM variable (session.custom.groups) with this value: ["red-group", "green-group", "admin-group", "admin"] When I now add a claim groups with %{session.custom.groups} as value, I see that string in my JWT token: "groups": "[\"red-group\", \"green-group\", \"admin-group\", \"admin\"]" So the value is escaped and has is in quotation marks. Is there any chance to send claims as JSON array? Any help would be appreciated.
Oauth 2.0 grant type for machine to machine
Since it looks like APM doesn't support the client credentials grant type, I'm curious what grant type folks are using for machine to machine communication. We make API calls to endpoints that don't have a UI where a user would enter any credentials since there isn't a user involved in these types of calls. Thanks, Scott
Using OAuth2 to share access for 2 DataCenters
Hello. I have two datacenters which serve the same app, masked by one APM device for authentication (using SSO to the backend) for each DC. When one DataCenter is down, all users that were using this DC start using the backup DC, but they have to authenticate again. I was searching ideas to avoid this (re-auth). One idea is to use OAuth2 with an external Authorization Server(shared by both DC). But checking deployment guides, I have seen all alternatives are using a logon page as initial step for initiation. I think the solution doesn't fix my initial requirement (avoid re-authentication when my users are moving from one DC to another). Please, could you confirm if I could avoid the reauthentication step using OAuth2? Any other ideas to get my requirement? References: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-1-0/37.html https://clouddocs.f5.com/training/community/iam/html/class2/class2.html KR, Dario.
Redirect-URI does not match with client app configuration
In the Access >>Federation : OAuthorization Server : Client Application, We need to add the «Redirect URI(s)», but our client app redirect uri has a variable query string, the session ID. Like the session ID is different for each user, I can't put it in the F5 OAuth client app configuration. So, if I dont put the query string, I receive this error: "Redirect-URI ( https://...) does not match with client app configuration" What can I do? Does it exist wildcard options?F5 APM as OAuth Authorization server and Resource server
I’m using F5 as both Authorization server and Resource server. Haven’t setup client server yet so it accepts any username and any password. When testing in postman, I can generate token and pass them via request header but when submitting the GET request I’m seeing 503 DNS resolver error in the response headers. Please help.
APM policy with external logon page for authorization server
Hi All, we are Using APM as an authorization server and an external logon page has been configured in the access policy. The external logon page is configured to capture the credentials and then posts it back to /my.policy as Ajax call (for a better user experience). the problem is the response from the AS. it redirects to the resource, for example: https://resource.example.com/oauth/client/redirect?error=access_denied&state=5x8IL https://resource.example.com/oauth/client/redirect?code=89d016e1c70140c52441bf5aad&state=5DqyFME-D I tried to change the response by irule events and http::respond to 200 OK/ 401 unauthorized but it`s not working. Any ideas? Thanks for your assistance in advance.Big-IP v13.0.0 OAuth architecture
Can someone explain how OAuth works in F5? I know there are some articles on support site which is great, but i'm trying to understand the flow how each component communicate. (OAuth authorization Server, OAuth Client, OAuth Resource server etc) Basically i'm confused around the configuration pieces of each component. A scenario would help lot of people out there.. Any help is greatly appreciated! Thanks in advance!
